
HJT Log


This topic is locked
36 replies to this topic

#1 Tommy C

  • Members
  • 24 posts
  • Location:Fort Worth TX

Posted 22 June 2005 - 01:31 PM

Have pop-ups appearing throughout the day, even when not surfing the web.

HJT Log.

Logfile of HijackThis v1.99.1
Scan saved at 9:05:06 AM, on 6/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hpnra.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\vidctrl\vidctrl.exe
C:\WINNT\seeve.exe
C:\winnt\system32\eaioid.exe
C:\WINNT\system32\87c3m4pf.exe
C:\WINNT\system32\nsvsvc\nsvsvc.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\initpki.exe
C:\Program Files\cama\siil.exe
C:\WINNT\system32\??crosoft.NET\services.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\winnt\system32\calc.exe
C:\WINNT\system32\wuauclt.exe
U:\HijachThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\System32\hpnra.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tsvcin] C:\n20050308.EXE
O4 - HKLM\..\Run: [vidctrl] C:\WINNT\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitehxi32.exe
O4 - HKLM\..\Run: [seeve] C:\WINNT\seeve.exe
O4 - HKLM\..\Run: [eaioid] c:\winnt\system32\eaioid.exe
O4 - HKLM\..\Run: [87c3m4pf] C:\WINNT\system32\87c3m4pf.exe
O4 - HKLM\..\Run: [Nsv] C:\WINNT\system32\nsvsvc\nsvsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [initpki] C:\WINNT\system32\initpki.exe
O4 - HKCU\..\Run: [Ruhe] C:\Program Files\cama\siil.exe
O4 - HKCU\..\Run: [Eyqtcl] C:\WINNT\system32\??crosoft.NET\services.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/joysaver.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.com/download/us/cab/stam...file=stamps.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF82E314-8CF8-44E2-950C-2EF56FA4EB86}: NameServer = 68.113.206.10,66.169.221.10
O20 - Winlogon Notify: RunOnce - C:\WINNT\system32\dnn6015se.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe



#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 23 June 2005 - 07:30 AM

Hello, we need to perform this in more steps, because you have a lot of different infections here.

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Tommy C

  • Topic Starter
  • Members
  • 24 posts
  • Location:Fort Worth TX

Posted 24 June 2005 - 10:12 AM

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
**********************************************************************************
useragent:
**********************************************************************************
Shell Extension key:
**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
lfcalsec.dll Wed Jun 22 2005 7:57:10a ..S.R 236,528 230.98 K
wbstream.dll Wed Jun 22 2005 7:59:02a ..S.R 234,784 229.28 K
lv6209~1.dll Thu Jun 16 2005 9:51:26a ..S.R 236,528 230.98 K
qcdit.dll Wed Jun 22 2005 2:42:36p ..S.R 235,934 230.40 K
l00u0a~1.dll Thu Jun 16 2005 2:25:08p ..S.R 232,973 227.51 K
wrhnetbs.dll Fri Jun 24 2005 9:54:44a ..S.R 233,494 228.02 K
szell32.dll Wed Jun 15 2005 3:09:32p ..S.R 234,272 228.78 K
kkdno.dll Wed Jun 15 2005 3:16:36p ..S.R 234,272 228.78 K
n.dll Fri Jun 24 2005 9:54:58a A.... 4,608 4.50 K
mvl4l9~1.dll Thu Jun 16 2005 2:32:14p ..S.R 236,528 230.98 K
nss52.dll Mon Jun 13 2005 1:42:04p A.... 151,552 148.00 K
i6jqlg~1.dll Fri Jun 24 2005 9:48:10a ..S.R 233,494 228.02 K
supdate.dll Fri Jun 24 2005 9:20:02a A.... 29,184 28.50 K
pncrt.dll Wed Jun 22 2005 8:45:50a A.... 278,528 272.00 K
ukyinpy.dll Fri Jun 24 2005 9:20:02a A.... 27,648 27.00 K
h6j4lg~1.dll Fri Jun 17 2005 8:05:00a ..S.R 234,784 229.28 K
irl0l5~1.dll Wed Jun 22 2005 11:03:08a ..S.R 235,326 229.81 K
i4060e~1.dll Wed Jun 22 2005 7:59:10a ..S.R 0 0.00 K
k0260a~1.dll Fri Jun 24 2005 9:54:44a ..S.R 234,114 228.63 K
f60olg~1.dll Wed Jun 22 2005 2:04:54p ..S.R 233,389 227.92 K
legitc~1.dll Fri Jun 17 2005 11:40:36a A.... 459,528 448.76 K
nkgsi.dll Fri Jun 24 2005 9:20:02a A.... 9,728 9.50 K

22 items found: 22 files (15 H/S), 0 directories.
Total of file sizes: 4,247,196 bytes 4.05 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is LOCAL DISK
Volume Serial Number is 186C-1708

Directory of C:\WINNT\System32

06/24/2005 09:54a 233,494 wrhnetbs.dll
06/24/2005 09:54a 234,114 k0260afsed260.dll
06/24/2005 09:48a 233,494 i6jqlg1516.dll
06/22/2005 02:42p 235,934 qcdit.dll
06/22/2005 02:04p 233,389 f60olgd3160.dll
06/22/2005 11:03a 235,326 irl0l53m1.dll
06/22/2005 07:59a 0 i4060edseh060.dll
06/22/2005 07:59a 234,784 wbstream.dll
06/22/2005 07:57a 236,528 lfcalsec.dll
06/17/2005 08:05a 234,784 h6j4lg1q16.dll
06/16/2005 02:32p 236,528 mvl4l93q1.dll
06/16/2005 02:25p 232,973 l00u0ad9ed0.dll
06/16/2005 09:51a 236,528 lv6209joe.dll
06/15/2005 03:16p 234,272 kkdno.dll
06/15/2005 03:09p 234,272 szell32.dll
05/06/2005 11:58a <DIR> dllcache
15 File(s) 3,286,420 bytes
1 Dir(s) 28,733,964,288 bytes free

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 24 June 2005 - 10:32 AM

May I ask you a question? Did you get an error while running this? It is important you tell me this, though.
Was the error similar to ''C:\winnt\system32\cmd.exe
C:\winnt\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application..

If so, use next fix first:
http://homepage.ntlworld.com/spencer.greystrong/W2kFiles.exe

Then perform my above steps again... (Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter)

Post the new log in your next reply.

#5 Tommy C

  • Topic Starter
  • Members
  • 24 posts
  • Location:Fort Worth TX

Posted 24 June 2005 - 01:48 PM

I had a problem, but it was because the files were on a network drive, not my C: drive. As soon as I moved the files it worked. I went ahead and ran the fix and re-performed the steps. Here are the results:


L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
**********************************************************************************
useragent:
**********************************************************************************
Shell Extension key:
**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINNT\SYSTEM32\
lfcalsec.dll Wed Jun 22 2005 7:57:10a ..S.R 236,528 230.98 K
wbstream.dll Wed Jun 22 2005 7:59:02a ..S.R 234,784 229.28 K
lv6209~1.dll Thu Jun 16 2005 9:51:26a ..S.R 236,528 230.98 K
qcdit.dll Wed Jun 22 2005 2:42:36p ..S.R 235,934 230.40 K
l00u0a~1.dll Thu Jun 16 2005 2:25:08p ..S.R 232,973 227.51 K
wrhnetbs.dll Fri Jun 24 2005 9:54:44a ..S.R 233,494 228.02 K
szell32.dll Wed Jun 15 2005 3:09:32p ..S.R 234,272 228.78 K
kkdno.dll Wed Jun 15 2005 3:16:36p ..S.R 234,272 228.78 K
idlogmsg.dll Fri Jun 24 2005 10:25:48a ..S.R 417,792 408.00 K
mvl4l9~1.dll Thu Jun 16 2005 2:32:14p ..S.R 236,528 230.98 K
nss52.dll Mon Jun 13 2005 1:42:04p A.... 151,552 148.00 K
s0pu0a~1.dll Fri Jun 24 2005 10:42:44a ..S.R 233,494 228.02 K
supdate.dll Fri Jun 24 2005 9:20:02a A.... 29,184 28.50 K
ukyinpy.dll Fri Jun 24 2005 9:20:02a A.... 27,648 27.00 K
h6j4lg~1.dll Fri Jun 17 2005 8:05:00a ..S.R 234,784 229.28 K
irl0l5~1.dll Wed Jun 22 2005 11:03:08a ..S.R 235,326 229.81 K
i4060e~1.dll Wed Jun 22 2005 7:59:10a ..S.R 0 0.00 K
f60olg~1.dll Wed Jun 22 2005 2:04:54p ..S.R 233,389 227.92 K
legitc~1.dll Fri Jun 17 2005 11:40:36a A.... 459,528 448.76 K
nkgsi.dll Fri Jun 24 2005 9:20:02a A.... 9,728 9.50 K
k080la~1.dll Fri Jun 24 2005 10:49:02a ..S.R 234,114 228.63 K
rwm.dll Fri Jun 24 2005 1:30:04p ..... 233,494 228.02 K

22 items found: 22 files (16 H/S), 0 directories.
Total of file sizes: 4,615,346 bytes 4.40 M
Locate .tmp files:

C:\WINNT\SYSTEM32\
guard.tmp Fri Jun 24 2005 1:38:04p ..S.R 233,494 228.02 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 233,494 bytes 228.02 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C is LOCAL DISK
Volume Serial Number is 186C-1708

Directory of C:\WINNT\System32

06/24/2005 01:38p 233,494 guard.tmp
06/24/2005 10:49a 234,114 k080lalm1dqa.dll
06/24/2005 10:42a 233,494 s0pu0a79ed.dll
06/24/2005 10:25a 417,792 idlogmsg.dll
06/24/2005 09:54a 233,494 wrhnetbs.dll
06/22/2005 02:42p 235,934 qcdit.dll
06/22/2005 02:04p 233,389 f60olgd3160.dll
06/22/2005 11:03a 235,326 irl0l53m1.dll
06/22/2005 07:59a 0 i4060edseh060.dll
06/22/2005 07:59a 234,784 wbstream.dll
06/22/2005 07:57a 236,528 lfcalsec.dll
06/17/2005 08:05a 234,784 h6j4lg1q16.dll
06/16/2005 02:32p 236,528 mvl4l93q1.dll
06/16/2005 02:25p 232,973 l00u0ad9ed0.dll
06/16/2005 09:51a 236,528 lv6209joe.dll
06/15/2005 03:16p 234,272 kkdno.dll
06/15/2005 03:09p 234,272 szell32.dll
05/06/2005 11:58a <DIR> dllcache
17 File(s) 3,937,706 bytes
1 Dir(s) 28,805,398,528 bytes free

#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 24 June 2005 - 01:57 PM

I don't actually know if this is going to work, though....
You really need to save the l2mfix on your C:\, because the fix I'm letting you perform also needs to fix some registry entries.

Where did you save the L2Mfix?
You need to save it where you're infected and not somewhere else.
Really make sure all those files stay in the same folder and not somewhere else, or the fix would fail.

Then run l2m.bat again and choose option 2 for Run Fix.
Then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

Edited by miekiemoes, 24 June 2005 - 02:01 PM.


#7 Tommy C

  • Topic Starter
  • Members
  • 24 posts
  • Location:Fort Worth TX

Posted 24 June 2005 - 03:27 PM

Not sure if this is what you wanted. It didn't do what you said it should. It did reboot, but that was all it did; notepad did not open.

I did attach a new HijackThis log (HJT). Maybe start over with this new log???


L2Mfix 1.03

Running From:
C:\HijachThis\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry
- removing existing ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!




HiJackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 3:17:20 PM, on 6/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\malphj.exe
C:\WINNT\system32\vidctrl\vidctrl.exe
C:\program files\tvs\tvs_b.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\cama\siil.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijachThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [exp] C:\WINNT\system32\exp
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\malphj.exe reg_run
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitehxi32.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [tsvcin] C:\WINNT\System32\n20050308.EXE
O4 - HKLM\..\Run: [vidctrl] C:\WINNT\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Ruhe] C:\Program Files\cama\siil.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.com/download/us/cab/stam...file=stamps.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF82E314-8CF8-44E2-950C-2EF56FA4EB86}: NameServer = 68.113.206.10,66.169.221.10
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe

#8 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 24 June 2005 - 03:44 PM

As I thought..
We'll deal with it in another way, because with your network drive it will make things more complicated, and tools aren't acting as they're supposed to, I assume.
Please save everything I let you download and install on the system that is infected! Not somewhere else!

It's better to print out the next instructions or save them in Notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

* Download and install CCleaner
Do not use it yet.

* Please download ewido:
http://www.ewido.net/en/download/
Let it update, but don't let it scan yet!!

* Download LQfix.zip
Unzip it and save it to your desktop, don't use it yet!!

* Please set your system to show all files; please see here if you're unsure how to do this.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
O4 - HKLM\..\Run: [exp] C:\WINNT\system32\exp
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\malphj.exe reg_run
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitehxi32.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [tsvcin] C:\WINNT\System32\n20050308.EXE
O4 - HKLM\..\Run: [vidctrl] C:\WINNT\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKCU\..\Run: [Ruhe] C:\Program Files\cama\siil.exe


* Click on Fix Checked when finished and exit HijackThis.

* Reboot into Safe Mode (without networking support!)
  To get into Safe Mode as the computer is booting, press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Double-click LQfix.bat that you saved on your desktop before.
A DOS window will open and close again; this is normal. !! Don't forget this step!!

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINNT\system32\malphj.exe
C:\WINNT\system32\vidctrl <== folder
C:\program files\tvs <== folder
C:\Program Files\cama <== folder
C:\WINNT\system32\exp
C:\PROGRAM FILES\VBOUNCER <== folder
C:\WINNT\System32\n20050308.EXE

* Still in safe mode, run CCleaner and click Run Cleaner (bottom right).

* Perform a full scan with ewido and let it delete everything it is finding!! When the scan is done, you'll get the option to save the log, because I'll need it afterwards.

* Reboot your system back to normal mode.

* Perform an online scan with Bitdefender and/or Housecall (check here autodelete) and let it delete everything it is finding.

Download the latest version of Ad-Aware:
http://www.lavasoft.de/support/download/

After installing AAW, and before running the program, please be sure to update the reference file following the instructions here:
http://www.lavahelp.net/howto/updref/

Reconfigure Ad-Aware for Full Scan:

Launch the program, and click on the Gear at the top of the start screen.

Click the 'Scanning' button.
Under Drives, Folders and Files, select 'Scan within Archives'.
Click 'Click here to select Drives + folders' and select your installed hard drives.

Under Memory & Registry, select all options.
Click the 'Advanced' button.
Under 'Log-file detail level', select all options.
Click the 'Tweaks' button.

Under 'Scanning Engine', select the following:
'Unload recognized processes during scanning.'
Under 'Cleaning Engine', select the following:
'Let Windows remove files in use after reboot.'
Click on 'Proceed' to save these Preferences.

Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT to allow it to finish.

Post back a fresh HijackThis log together with the ewido log and I'll take another look.
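The instructions above tick a set of O4 entries for "Fix Checked" and then ask for a fresh log; the follow-up log later in this thread shows two of them ([KavSvc] malphj.exe and [tvs_b]) back in place, with malphj.exe still running. The helper below is an added example (not part of HijackThis, L2Mfix or any tool in this thread) that parses the HJT entry lines, flags O4 autoruns whose target is also in the running-process list, and diffs a fix list against a follow-up log; the sample logs are constructed from trimmed lines of this thread.

```python
"""Triage helper for HijackThis v1.99 logs (added example for this thread, not
part of HijackThis, L2Mfix or any other tool used here).
It parses the "Rx - " / "Oxx - " entry lines, reports which O4 autoruns are
also listed under "Running processes", and diffs two logs so a helper can see
which ticked entries came back after "Fix Checked" and a reboot. The sample
logs are constructed from trimmed lines of this thread.
"""
import re

# Entry line: section tag (R0, R1, O2, O4, O16, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
# First full Windows path with an executable-style extension in a body.
TARGET_RE = re.compile(r'([a-z]:\\[^"]*?\.(?:exe|com|bat|scr|pif|dll))', re.I)

def parse_log(text):
    """(section, body) tuples for every entry line; header and process lines
    are skipped and the body text is kept verbatim for reporting."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def parse_processes(text):
    """Paths under 'Running processes:' up to the first blank or entry line."""
    procs, capture = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes:"):
            capture = True
            continue
        if capture:
            if not line or ENTRY_RE.match(line):
                break
            procs.append(line)
    return procs

def _key(entry):
    # Value names and paths are case-insensitive on Windows; this thread's logs
    # show the same Run value first as [tvs_b] and later as [TVS_B].
    return (entry[0], entry[1].lower())

def autorun_target(body):
    """Lower-cased executable path an O4 entry launches, or None when the entry
    carries no full path (e.g. plain 'ctfmon.exe' or an extension-less name)."""
    m = TARGET_RE.search(body)
    return m.group(1).lower() if m else None

def running_autoruns(text):
    """O4 entries whose target is also in the running-process list; such
    loaders have to be stopped (safe mode) or they re-create what was fixed."""
    procs = {p.lower() for p in parse_processes(text)}
    return [(s, b) for s, b in parse_log(text)
            if s == "O4" and autorun_target(b) in procs]

def diff_logs(before, after):
    """Entries removed, added and kept between two logs (case-insensitive)."""
    b = {_key(e): e for e in parse_log(before)}
    a = {_key(e): e for e in parse_log(after)}
    return {"removed": [b[k] for k in sorted(b.keys() - a.keys())],
            "added": [a[k] for k in sorted(a.keys() - b.keys())],
            "kept": [a[k] for k in sorted(a.keys() & b.keys())]}

def survivors(fix_list, after):
    """Entries ticked for 'Fix Checked' that are still in the follow-up log."""
    fixed = {_key(e): e for e in parse_log(fix_list)}
    present = {_key(e) for e in parse_log(after)}
    return [fixed[k] for k in sorted(fixed.keys() & present)]

# Constructed samples: trimmed lines from post #8's fix list and post #9's log.
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
O4 - HKLM\..\Run: [exp] C:\WINNT\system32\exp
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\malphj.exe reg_run
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitehxi32.exe
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKCU\..\Run: [Ruhe] C:\Program Files\cama\siil.exe
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:03:33 PM, on 6/27/2005

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\malphj.exe
C:\WINNT\system32\ctfmon.exe

O4 - HKLM\..\Run: [TVS_B] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\malphj.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
"""
```

Calling survivors(FIX_LIST, AFTER_LOG) returns the [KavSvc] and [tvs_b] entries, and running_autoruns(AFTER_LOG) returns only [KavSvc], because malphj.exe is still in the process list while tvs_b.exe is not.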

#9 Tommy C

  • Topic Starter
  • Members
  • 24 posts
  • Location:Fort Worth TX

Posted 27 June 2005 - 12:16 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:03:33 PM, on 6/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\malphj.exe
C:\WINNT\system32\ctfmon.exe
C:\HijachThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [TVS_B] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\malphj.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.com/download/us/cab/stam...file=stamps.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF82E314-8CF8-44E2-950C-2EF56FA4EB86}: NameServer = 68.113.206.10,66.169.221.10
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe


Here's the ewido log... the only problem I had with your instructions was running ewido in safe mode (I couldn't make out the program... video drivers??), so I had to run it in normal mode. Probably not the right thing, but I didn't know what else to do.

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:27:59 AM, 6/27/2005
+ Report-Checksum: C750E88C

+ Date of database: 6/24/2005
+ Version of scan engine: v3.0

+ Duration: 107 min
+ Scanned Files: 92475
+ Speed: 14.39 Files/Second
+ Infected files: 83
+ Removed files: 83
+ Files put in quarantine: 83
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\Cookies\dbarber@search.msn[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLED\NPROTECT\00004798.mcm -> TrojanDownloader.Sahat -> Cleaned with backup
C:\RECYCLED\NPROTECT\00004799.mcm -> TrojanDownloader.Sahat -> Cleaned with backup
C:\RECYCLED\NPROTECT\00003947.mcm -> TrojanDownloader.Sahat -> Cleaned with backup
C:\RECYCLED\NPROTECT\00004129.mcm -> TrojanDownloader.Sahat -> Cleaned with backup
C:\RECYCLED\NPROTECT\00005130.mcm -> TrojanDownloader.Sahat -> Cleaned with backup
C:\RECYCLED\NPROTECT\00005133.mcm -> TrojanDownloader.Sahat -> Cleaned with backup
C:\Program Files\Common Files\Java\bptre.exe -> Spyware.Broadcap.a -> Cleaned with backup
C:\Program Files\Common Files\Java\bpt.cfg -> Spyware.Broadcap.a -> Cleaned with backup
C:\Program Files\Common Files\Java\tvs_re_inst.exe -> Spyware.TopMoxie -> Cleaned with backup
C:\Program Files\Common Files\Java\flacpy.exe -> Spyware.FlashEnhancer.a -> Cleaned with backup
C:\Program Files\Common Files\Java\flaclean.exe -> Spyware.Broadcap.b -> Cleaned with backup
C:\Program Files\Common Files\Java\flacpy.cfg -> Spyware.FlashEnhancer -> Cleaned with backup
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\Program Files\sdf.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\Program Files\Fla\f.bak -> Spyware.FlashEnhancer -> Cleaned with backup
C:\Program Files\Fla\flaclean.exe -> Spyware.Broadcap.b -> Cleaned with backup
C:\Program Files\Fla\Fla.dll -> Spyware.FlashEnhancer -> Cleaned with backup
C:\WINNT\system32\lfcalsec.dll -> Spyware.Look2Me.ab -> Cleaned with backup
C:\WINNT\system32\wbstream.dll -> Spyware.Look2Me -> Cleaned with backup
C:\WINNT\system32\lv6209joe.dll -> Spyware.Look2Me.ab -> Cleaned with backup
C:\WINNT\system32\qcdit.dll -> Spyware.Look2Me -> Cleaned with backup
C:\WINNT\system32\wintask.exe -> TrojanDownloader.Small.abd -> Cleaned with backup
C:\WINNT\system32\l00u0ad9ed0.dll -> Spyware.Look2Me.ab -> Cleaned with backup
C:\WINNT\system32\wrhnetbs.dll -> Spyware.Look2Me -> Cleaned with backup
C:\WINNT\system32\szell32.dll -> Spyware.Look2Me.ab -> Cleaned with backup
C:\WINNT\system32\kkdno.dll -> Spyware.Look2Me.ab -> Cleaned with backup
C:\WINNT\system32\idlogmsg.dll -> Spyware.Look2Me -> Cleaned with backup
C:\WINNT\system32\initpki.exe -> TrojanDownloader.Agent.am -> Cleaned with backup
C:\WINNT\system32\mvl4l93q1.dll -> Spyware.Look2Me.ab -> Cleaned with backup
C:\WINNT\system32\nss52.dll -> Spyware.HotSearchBar -> Cleaned with backup
C:\WINNT\system32\s0pu0a79ed.dll -> Spyware.Look2Me -> Cleaned with backup
C:\WINNT\system32\supdate.dll -> TrojanDownloader.Qoologic.p -> Cleaned with backup
C:\WINNT\system32\redit.cpl -> TrojanDownloader.Qoologic.p -> Cleaned with backup
C:\WINNT\system32\irl0l53m1.dll -> Spyware.Look2Me -> Cleaned with backup
C:\WINNT\system32\f60olgd3160.dll -> Spyware.Look2Me -> Cleaned with backup
C:\WINNT\system32\installer_MARKETING49.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\WINNT\system32\k080lalm1dqa.dll -> Spyware.Look2Me -> Cleaned with backup
C:\WINNT\system32\guard.tmp -> Spyware.Look2Me -> Cleaned with backup
C:\WINNT\system32\PopOops2.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\WINNT\system32\PopOops.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\WINNT\system32\SWLAD2.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\WINNT\system32\SWLAD1.dll -> Spyware.VirtualBouncer.g -> Cleaned with backup
C:\WINNT\system\UpdInst.exe -> Spyware.Look2Me.ab -> Cleaned with backup
C:\WINNT\Downloaded Program Files\__delete_on_reboot__m67m.ocx -> Spyware.MediaMotor.a -> Cleaned with backup
C:\WINNT\icont.exe -> Spyware.AdURL -> Cleaned with backup
C:\WINNT\protector.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINNT\SSK3_B5_SSK3_B5.exe -> TrojanDropper.Small.qn -> Cleaned with backup
C:\WINNT\Buddy.exe -> Spyware.BetterInternet.d -> Cleaned with backup
C:\WINNT\TDKT2891.exe -> TrojanDropper.Small.qn -> Cleaned with backup
C:\WINNT\ceres.dll -> Spyware.BetterInternet.d -> Cleaned with backup
C:\WINNT\cfgmgr52.dll -> Spyware.BookedSpace.e -> Cleaned with backup
C:\WINNT\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINNT\iconu.exe -> Spyware.Zestyfind -> Cleaned with backup
C:\Documents and Settings\All Users\Application Data\X2FF\xde01359.exe -> TrojanDownloader.Agent.ih -> Cleaned with backup
C:\Documents and Settings\dbarber\Local Settings\Temp\idcs50202.exe -> Spyware.ISearch.d -> Cleaned with backup
C:\Documents and Settings\dbarber\Local Settings\Temp\B169296183\build2.exe -> Spyware.Isearch -> Cleaned with backup
C:\Documents and Settings\dbarber\Local Settings\Temp\cxtpls_loader.exe -> TrojanDownloader.Apropo.r -> Cleaned with backup
C:\Documents and Settings\dbarber\Local Settings\Temp\mcm.exe -> TrojanDownloader.Sahat -> Cleaned with backup
C:\Documents and Settings\dbarber\Local Settings\Temp\Speed Test.exe -> TrojanDownloader.Sahat -> Cleaned with backup
C:\Documents and Settings\dbarber\Cookies\dbarber@articles.health.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dbarber\Cookies\dbarber@link[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dbarber\Cookies\dbarber@adv.webmd[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dbarber\Cookies\dbarber@adsremote.scripps[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dbarber\Cookies\dbarber@image.masterstats[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dbarber\Cookies\dbarber@ads.belointeractive[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dbarber\Cookies\dbarber@a.websponsors[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dbarber\Cookies\dbarber@p[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dbarber\Cookies\dbarber@adknowledge[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dbarber\Cookies\dbarber@adopt.hotbar[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dbarber\Cookies\dbarber@www.myaffiliateprogram[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dbarber\Cookies\dbarber@S005-01-5-22-226000-76431[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dbarber\Cookies\dbarber@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dbarber\Cookies\dbarber@S005-01-5-23-226000-76569[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dbarber\Cookies\dbarber@S005-01-5-22-226000-76328[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\dbarber.WAI-10\Local Settings\Temporary Internet Files\Content.IE5\6KRML215\mm15201518.Stub[1].exe -> Spyware.EZula.ah -> Cleaned with backup
C:\TEMP\Installer.exe -> Spyware.Look2Me -> Cleaned with backup
C:\HijachThis\backups\backup-20050323-142545-119.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\HijachThis\backups\backup-20050323-142545-440.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\HijachThis\backups\backup-20050405-152433-566.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\HijachThis\backups\backup-20050405-153801-982.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\HijachThis\backups\backup-20050606-141057-264.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup


::Report End

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:08:40 AM

Posted 27 June 2005 - 12:30 PM

We'll see how it goes afterwards..

I'll need some extra info now... so I hope you download the next program to the drive that is infected and nowhere else..

Download FindQoologic.zip and save it to your Desktop.
http://forums.net-integration.net/index.ph...=post&id=134981

Extract (unzip) the files inside into their own folder called FindQoologic.
Open the FindQoologic folder (preferably on your desktop).
Locate and double-click the Find-Qoologic.bat file to run it.
Wait until a text opens.
Post this in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 Tommy C

Tommy C
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Location:Fort Worth TX
  • Local time:01:40 AM

Posted 27 June 2005 - 02:17 PM

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* KavSvc C:\WINNT\System32\UKYINPY.DLL
* KavSvc C:\WINNT\System32\NKGSI.DLL
* aspack C:\WINNT\System32\VUGKW.DAT
* aspack C:\WINNT\System32\MALPHJ.EXE
* aspack C:\WINNT\System32\OAXMDNX.EXE
* aspack C:\WINNT\System32\UKYINPY.DLL
* aspack C:\WINNT\System32\NKGSI.DLL
* UPX! C:\WINNT\System32\PSOF1.EXE
* UPX! C:\WINNT\System32\EAIOID.EXE
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f85510

Global Startup:
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup
.
..
Microsoft Office.lnk
UPS WorldShip PLD Reminder Utility.lnk
taui.exe

User Startup:
C:\Documents and Settings\dbarber.WAI-10\Start Menu\Programs\Startup
.
..

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:08:40 AM

Posted 27 June 2005 - 02:27 PM

Good.

* Download Killbox.
Unzip it and click killbox.exe.
Select the option "Delete on reboot".

Now copy the next bold:

C:\WINNT\System32\EAIOID.EXE
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\taui.exe
C:\WINNT\System32\VUGKW.DAT
C:\WINNT\System32\MALPHJ.EXE
C:\WINNT\System32\OAXMDNX.EXE
C:\WINNT\System32\UKYINPY.DLL
C:\WINNT\System32\NKGSI.DLL
C:\WINNT\System32\PSOF1.EXE

Open 'File' in the Killbox menu on top and choose Paste from clipboard.

Now you will see this is pasted in the "Full Path of File to Delete" field.
There's a little arrow (dropdown arrow) next to that field.
If you expand it, these lines must all be there together if the files are present!

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on the next reboot. Click YES.
When it asks if you would like to reboot now, click YES.
If you don't get that message, reboot manually.
Click No at the Pending Operations prompt.

Your computer must reboot now.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKLM\..\Run: [TVS_B] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\malphj.exe reg_run

* Click on Fix Checked when finished and exit HijackThis.

Reboot again.

Perform another scan with FindQoologic and post the log here together with a new HijackThis log.

#13 Tommy C

Tommy C
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Location:Fort Worth TX
  • Local time:01:40 AM

Posted 27 June 2005 - 03:12 PM

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f85510

Global Startup:
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup
.
..
Microsoft Office.lnk
UPS WorldShip PLD Reminder Utility.lnk

User Startup:
C:\Documents and Settings\dbarber.WAI-10\Start Menu\Programs\Startup
.
..

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»



Will send the HijackThis report in the next posting.

#14 Tommy C

Tommy C
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Location:Fort Worth TX
  • Local time:01:40 AM

Posted 27 June 2005 - 03:14 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:07:43 PM, on 6/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\ctfmon.exe
C:\HijachThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.com/download/us/cab/stam...file=stamps.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF82E314-8CF8-44E2-950C-2EF56FA4EB86}: NameServer = 68.113.206.10,66.169.221.10
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:08:40 AM

Posted 27 June 2005 - 03:21 PM

Both logs are clean. Well done. :thumbsup:

Perform a full scan with an updated Ad-Aware SE and/or Spybot S&D to get rid of the leftovers.
If you don't have those programs yet, you can find the download locations in my sig.

How are things running now?



