POPUP PROBLEMS part 2


21 replies to this topic

#1 trenken (Members, 33 posts)

Posted 03 July 2005 - 08:56 AM

I accidentally went to the wrong site and now I'm infected. Below are some different logs for you.

I tried running both AdAware and SpyBot in safe mode and they won't seem to get rid of this last set of pop-ups.

Any help is greatly appreciated!!




Logfile of HijackThis v1.99.1
Scan saved at 9:53:35 AM, on 7/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\kjlprn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\tim\Application Data\Mozilla\Profiles\default\5edp618r.slt\prefs.js)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kjlprn.exe reg_run
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\vdscript.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe




"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Avance Logic, Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"cfgmgr52" = "RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0019C3E2-DD48-4A6D-ABCD-8D32436323D9}\(Default) = "CExtension Object" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\cfgmgr52.dll" ["TODO: <Company name>"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{7E82235C-F31E-46CB-AF9F-1ADD94C585FF}" = "Pa&nicware Pop-Up Stopper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll" [file not found]
"{616c1f06-bad8-11d2-b355-00104b642749}" = "Microangelo Context Menu Extension"
-> {CLSID}\InProcServer32\(Default) = "muangsys.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{1CE2AA40-1317-11D3-9922-00104B0AD431}" = "CA_AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\avshlext.dll" ["Computer Associates International, Inc."]
"{6B38BBA5-1B7A-4200-AA2E-DA269A18997E}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\mcvcrt20.dll" [null data]
"{2050C640-24C1-42D6-ABBF-8577998CC1BF}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\WWDRMNet.dll" [file not found]
"{A160A3BF-FAC1-4FAD-9DF7-EB65F3A13F5D}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\szobject.dll" [file not found]
"{B4ED4182-EF6B-421F-AFF3-2A009DE639EA}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dxuiext.dll" [file not found]
"{A847C599-7046-4F3E-825E-FF27B3AD3E26}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\wunscard.dll" [null data]
"{D0E8EC74-1FD2-47A4-9F90-B6651B021C82}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dyrpsetu.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! BITS\DLLName = "C:\WINDOWS\system32\vdscript.dll" [null data]


Enabled Active Desktop and Wallpaper:
-------------------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\tim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "tim" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
INFECTION WARNING! "dkui.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\VetRedir.dll ["Computer Associates International, Inc."], 01 - 03, 21
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

C-DillaSrv, C-DillaSrv, "C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE" ["C-Dilla Ltd"]
CAISafe, CAISafe, "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe" ["Computer Associates International, Inc."]
iPod Service, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Norton Internet Security Accounts Manager, NISUM, "C:\Program Files\Norton Internet Security\NISUM.EXE" ["Symantec Corporation"]
Norton Internet Security Proxy Service, SymProxySvc, "C:\Program Files\Norton Internet Security\SymProxySvc.exe" ["Symantec Corporation"]
Norton Internet Security Service, NISSERV, "C:\Program Files\Norton Internet Security\NISSERV.EXE" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
VET Message Service, VETMSGNT, "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe" ["Computer Associates International, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
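
As an added example (not part of trenken's or Grinler's posts, and not HijackThis's own logic), here is a Python script that applies the kind of reading Grinler does by hand to the O2/O4/O16/O20/O23 lines above: it works out which file each entry actually loads, then flags non-default Winlogon Notify packages, autostarts dropped straight into %WINDIR% or system32, DLLs loaded by bare name through rundll32, unnamed BHOs, ActiveX controls fetched from hosts other than the MSN ones in this log, and services with no publisher. The allow-lists (DEFAULT_NOTIFY, TRUSTED_DPF_HOSTS, VETTED) are assumptions chosen for this machine; the sample log lines are copied from the posts in this thread.

```python
"""Triage the autostart sections of a HijackThis 1.99.x log.

Added example for this thread, not code from the original posts or from
HijackThis. SAMPLE_LOG is copied from the logs posted above; the allow-lists
(DEFAULT_NOTIFY, TRUSTED_DPF_HOSTS, VETTED) and the rules are assumptions
made for illustration, not HijackThis's own logic.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section name path reason")

# Winlogon\Notify packages present on a clean Windows XP SP2 install (assumed
# allow-list). The DLL in this thread registers under a new name on each log.
DEFAULT_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                  "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Hosts from which a downloaded ActiveX control (O16) is not worth a second look.
TRUSTED_DPF_HOSTS = {"messenger.msn.com", "chat.msn.com"}
# Files the reviewer has already identified as legitimate on this machine.
VETTED = {"nvcpl.dll", "soundman.exe"}

RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RE_O4 = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RE_O16 = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \((?P<name>.*?)\) - (?P<url>\S+)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.+)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$")

# A file sitting directly in %WINDIR% or %WINDIR%\system32: where every dropper
# in this thread landed, and where legitimate third-party autostarts rarely live.
SYSTEM_DIR = re.compile(r"^c:\\windows(\\system32)?\\[^\\]+$", re.I)


def target_of(cmd):
    """Return the file an O4 command line actually runs or loads.

    Handles `"quoted path" args`, `rundll32[.exe] path,Export` and `path args`.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    parts = cmd.split()
    if parts[0].lower() in ("rundll32", "rundll32.exe") and len(parts) > 1:
        return parts[1].split(",")[0]
    return parts[0]


def triage(log_text):
    """Return the entries a reviewer should look at first, each with a reason."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := RE_O20.match(line):
            if m["name"].lower() not in DEFAULT_NOTIFY:
                findings.append(Finding("O20", m["name"], m["path"],
                                        "non-default Winlogon Notify DLL, loaded into winlogon.exe at every logon"))
        elif m := RE_O4.match(line):
            path = target_of(m["cmd"])
            if path.rsplit("\\", 1)[-1].lower() in VETTED:
                continue
            if SYSTEM_DIR.match(path):
                findings.append(Finding("O4", m["name"], path, "autostart dropped directly into a Windows system directory"))
            elif "\\" not in path:
                findings.append(Finding("O4", m["name"], path, "bare filename, resolved through the search path at logon"))
        elif m := RE_O2.match(line):
            if SYSTEM_DIR.match(m["path"]) or m["name"] == "(no name)":
                findings.append(Finding("O2", m["name"], m["path"], "BHO with no name or living in a system directory"))
        elif m := RE_O16.match(line):
            host = m["url"].split("//", 1)[-1].split("/", 1)[0].lower()
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(Finding("O16", m["name"], m["url"], f"ActiveX control installed from {host}"))
        elif m := RE_O23.match(line):
            if m["owner"] == "Unknown owner":
                findings.append(Finding("O23", m["name"], m["path"], "service binary carries no publisher"))
    return findings


# Lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kjlprn.exe reg_run
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\vdscript.dll
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.name!r:28} {f.path}\n     {f.reason}")
```

The output is a review queue, not a verdict. The rules miss the Media Access and Apropos entries under Program Files that Grinler later recognises by name, and they would flag any unfamiliar vendor's DLL in system32 until it is added to VETTED.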


#2 Grinler (Lawrence Abrams, Admin, 43,716 posts, Location: USA)

Posted 04 July 2005 - 12:32 AM

Download this program:

submit files packer

Highlight the files listed below in bold, then right-click and select Copy.


C:\WINDOWS\system32\vdscript.dll
C:\WINDOWS\system32\kjlprn.exe
c:\windows\system32\dkui.exe


Then start the file packer program, right-click in the white box and select Paste to paste the copied file names into the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.


Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kjlprn.exe reg_run

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\system32\kjlprn.exe

Reboot your computer to go back to normal mode and Download http://www.bleepingcomputer.com/files/grinler/pfind-new.zip

Extract pfind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\pfind and double-click on pfind.bat. When it is done, reboot and post the contents of c:\pfind.txt as a reply to this topic along with a new HijackThis log.

#3 trenken (Topic Starter, Members, 33 posts)

Posted 04 July 2005 - 09:38 AM

Ok I did everything you asked.

Below are the logs you requested.

One that was not there a week ago when things were fine, but won't seem to go away, is O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\vdscript.dll. I don't know if that one is causing any problems though.



Files found with this application may be legitimate.
Only remove files that you know are malware related.


Checking the C: folder

C:\studio_mx_2004_crack.exe: FSG!


Checking the C:\Program Files folder



Checking the C:\WINDOWS folder



Checking the C:\WINDOWS\SYSTEM32 folder

C:\WINDOWS\SYSTEM32\AUNPS2.dll: UPX!
C:\WINDOWS\SYSTEM32\cnxmbrm.exe: .aspack
C:\WINDOWS\SYSTEM32\DivX.dll: PEC2
C:\WINDOWS\SYSTEM32\DivX.dll: PECompact2
C:\WINDOWS\SYSTEM32\DrPMon.dll: ZepMon
C:\WINDOWS\SYSTEM32\epyiroi.dll: .aspack
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\pinrzhr.dll: UPX!
C:\WINDOWS\SYSTEM32\qagkp.dat: .aspack
C:\WINDOWS\SYSTEM32\redit.cpl: .aspack
C:\WINDOWS\SYSTEM32\rklpvm.exe: UPX!
C:\WINDOWS\SYSTEM32\rwgsu.dll: .aspack
C:\WINDOWS\SYSTEM32\supdate.dll: .aspack
C:\WINDOWS\SYSTEM32\vfjzqwh.exe: UPX!


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder



Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder


C:\Documents and Settings\All Users\Start Menu\programs\Startup\dkui.exe: UPX!


Checking the C:\Documents and Settings\All Users\Application Data folder




Checking the C:\Documents and Settings\Administrator\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\Administrator\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days


C:\WINDOWS\
bootstat.dat Mon Jul 4 2005 10:26:28a A.S.. 2,048 2.00 K
qtfont.qfn Sun Jul 3 2005 11:11:14p A..H. 54,156 52.89 K

C:\WINDOWS\INF\
oem12.inf Tue Jun 21 2005 7:28:48p ...H. 0 0.00 K

C:\WINDOWS\SYSTEM32\
guard.tmp Sun Jul 3 2005 1:41:46a ..S.R 417,792 408.00 K
kydca.dll Mon Jul 4 2005 10:23:38a ..S.R 417,792 408.00 K
phustab.dll Mon Jul 4 2005 10:16:50a ..S.R 417,792 408.00 K
spextspk.dll Mon Jul 4 2005 10:26:56a ..S.R 417,792 408.00 K
uurv80a.dll Sun Jul 3 2005 9:42:50a ..S.R 417,792 408.00 K
vdscript.dll Sat Jul 2 2005 8:54:54p ..S.R 417,792 408.00 K

C:\WINDOWS\TASKS\
sa.dat Mon Jul 4 2005 10:25:14a A..H. 6 0.00 K

C:\WINDOWS\TEMP\
javtc3ym.tmp Tue Jun 7 2005 9:36:12p A.SH. 6,144 6.00 K

C:\WINDOWS\SYSTEM32\CONFIG\
default.log Mon Jul 4 2005 10:26:58a A..H. 20,480 20.00 K
sam.log Mon Jul 4 2005 10:26:54a A..H. 1,024 1.00 K
security.log Mon Jul 4 2005 10:26:32a A..H. 12,288 12.00 K
software.log Mon Jul 4 2005 10:28:00a A..H. 32,768 32.00 K
system.log Mon Jul 4 2005 10:26:48a A..H. 868,352 848.00 K

C:\WINDOWS\PCHEALTH\HELPCTR\PACKAG~1\
pa0818~1.cab Tue May 31 2005 11:19:14p ..SHR 68,327 66.72 K
paf714~1.cab Tue May 31 2005 11:17:26p ..SHR 305,145 297.99 K

C:\WINDOWS\SYSTEM32\CATROOT\{F750E~1\
kb890046.cat Tue May 17 2005 11:23:22a ..S.. 11,845 11.57 K
kb893066.cat Wed May 25 2005 2:39:08p ..S.. 10,786 10.53 K
kb896358.cat Thu May 26 2005 7:22:40p ..S.. 15,022 14.67 K
kb896422.cat Tue May 10 2005 10:34:26a ..S.. 10,786 10.53 K
kb896428.cat Tue May 10 2005 7:52:26p ..S.. 10,786 10.53 K
kb898461.cat Tue May 17 2005 3:16:24p ..S.. 9,735 9.50 K
oem12.cat Thu May 26 2005 4:27:36a ..S.. 13,511 13.19 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\
ntuser~1.log Sat Jun 18 2005 12:09:06a A..H. 1,024 1.00 K

C:\WINDOWS\TEMP\HISTORY\HISTORY.IE5\
desktop.ini Sat Jul 2 2005 8:54:54p ..SH. 113 0.11 K

C:\WINDOWS\TEMP\TEMPOR~1\CONTENT.IE5\
desktop.ini Sat Jul 2 2005 8:54:54p ..SH. 67 0.06 K

C:\WINDOWS\TEMP\TEMPOR~1\CONTENT.IE5\01234567\
desktop.ini Sat Jul 2 2005 8:54:54p ..SH. 67 0.06 K

C:\WINDOWS\TEMP\TEMPOR~1\CONTENT.IE5\0TM3OPMJ\
desktop.ini Sat Jul 2 2005 8:54:54p ..SH. 67 0.06 K

C:\WINDOWS\TEMP\TEMPOR~1\CONTENT.IE5\8P6JKHIJ\
desktop.ini Sat Jul 2 2005 8:54:54p ..SH. 67 0.06 K

C:\WINDOWS\TEMP\TEMPOR~1\CONTENT.IE5\KPIF4XUR\
desktop.ini Sat Jul 2 2005 8:54:54p ..SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\MICROS~1\PROTECT\S-1-5-18\USER\
8b96bd~1 Thu Jun 2 2005 2:52:48p A.SH. 388 0.38 K
prefer~1 Thu Jun 2 2005 2:52:48p A.SH. 24 0.02 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\APPLIC~1\MICROS~1\CRYPTN~1\CONTENT\
e891c6~1 Thu Jun 30 2005 10:09:10a A.S.. 7,652 7.47 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\APPLIC~1\MICROS~1\CRYPTN~1\METADATA\
e891c6~1 Thu Jun 30 2005 10:09:10a A.S.. 134 0.13 K

36 items found: 36 files, 0 directories.
Total of file sizes: 3,969,631 bytes 3.79 M





Logfile of HijackThis v1.99.1
Scan saved at 10:36:23 AM, on 7/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rklpvm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\tim\Application Data\Mozilla\Profiles\default\5edp618r.slt\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rklpvm.exe reg_run
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\vdscript.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

#4 Grinler (Lawrence Abrams, Admin, 43,716 posts, Location: USA)

Posted 04 July 2005 - 11:46 AM

Download this program:

submit files packer

Highlight the files listed below in bold, then right-click and select Copy.


C:\WINDOWS\system32\vdscript.dll


Then start the file packer program, right-click in the white box and select Paste to paste the copied file names into the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.




Download apt: http://www.diamondcs.com.au/index.php?page=apt

Start Apt and look through the list of processes for C:\WINDOWS\system32\rklpvm.exe

Open your c:\windows\system32 folder and search for the bad file rklpvm.exe. Don't delete it yet; just leave the system32 folder open so you can see the bad file.

Go back to Apt and select the rklpvm.exe file by clicking once on it, and then click on the Kill3 button.

Now immediately go back to the open system32 folder and delete the rklpvm.exe file.


Now start HijackThis and fix this line:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rklpvm.exe reg_run

Reboot and post a new log.

#5 Grinler (Lawrence Abrams, Admin, 43,716 posts, Location: USA)

Posted 04 July 2005 - 11:56 AM

I got the file. Continue with the rest of the fixes and post a new log.

#6 trenken (Topic Starter, Members, 33 posts)

Posted 05 July 2005 - 06:10 PM

I did everything you requested.

VDscript is still there. And so is O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kjlprn.exe reg_run, but the EXE doesn't seem to exist for that.

Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 7:07:32 PM, on 7/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\system32\kjlprn.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Aprps\CxtPls.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\tim\Application Data\Mozilla\Profiles\default\5edp618r.slt\prefs.js)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\system32\cxtpls_loader.EXE" /HideUninstall /HideDir /PC= CP.AOP /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kjlprn.exe reg_run
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\vdscript.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,716 posts
  • Gender:Male
  • Location:USA

Posted 05 July 2005 - 09:11 PM

Click on start, settings, control panel and double-click on add/remove programs. From within add/remove programs uninstall the following if they exist:

Media Access

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and put a checkmark next to each of these. Then click the Fix button:

O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\system32\cxtpls_loader.EXE" /HideUninstall /HideDir /PC= CP.AOP /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kjlprn.exe reg_run

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

c:\windows\system32\AUNPS2.DLL
C:\Program Files\Media Access\
C:\WINDOWS\system32\cxtpls_loader.EXE
C:\WINDOWS\system32\kjlprn.exe

Reboot your computer to go back to normal mode.



Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

#8 trenken

trenken
  • Topic Starter

  • Members
  • 33 posts

Posted 05 July 2005 - 10:28 PM

Did everything you said. Here are the 2 logs:


L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ofjsel.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{C63FC6BF-4BCC-7055-5C72-BF64B43CE05E}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{7E82235C-F31E-46CB-AF9F-1ADD94C585FF}"="Pa&nicware Pop-Up Stopper"
"{616c1f06-bad8-11d2-b355-00104b642749}"="Microangelo Context Menu Extension"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{1CE2AA40-1317-11D3-9922-00104B0AD431}"="CA_AntiVirus"
"{6B38BBA5-1B7A-4200-AA2E-DA269A18997E}"=""
"{2050C640-24C1-42D6-ABBF-8577998CC1BF}"=""
"{A160A3BF-FAC1-4FAD-9DF7-EB65F3A13F5D}"=""
"{B4ED4182-EF6B-421F-AFF3-2A009DE639EA}"=""
"{A847C599-7046-4F3E-825E-FF27B3AD3E26}"=""
"{D0E8EC74-1FD2-47A4-9F90-B6651B021C82}"=""
"{9AF2B723-5727-43F3-8A8F-FFEEA2AA15AA}"=""
"{8A85CA85-288B-43D4-9A7E-9600174A6AC2}"=""
"{00071AD8-3E38-4D4C-BFD3-A7070B84985B}"=""
"{411B7098-813D-4CFA-B317-A6FA28B20799}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6B38BBA5-1B7A-4200-AA2E-DA269A18997E}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6B38BBA5-1B7A-4200-AA2E-DA269A18997E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6B38BBA5-1B7A-4200-AA2E-DA269A18997E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6B38BBA5-1B7A-4200-AA2E-DA269A18997E}\InprocServer32]
@="C:\\WINDOWS\\system32\\ofjsel.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{2050C640-24C1-42D6-ABBF-8577998CC1BF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2050C640-24C1-42D6-ABBF-8577998CC1BF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2050C640-24C1-42D6-ABBF-8577998CC1BF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2050C640-24C1-42D6-ABBF-8577998CC1BF}\InprocServer32]
@="C:\\WINDOWS\\system32\\WWDRMNet.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A160A3BF-FAC1-4FAD-9DF7-EB65F3A13F5D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A160A3BF-FAC1-4FAD-9DF7-EB65F3A13F5D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A160A3BF-FAC1-4FAD-9DF7-EB65F3A13F5D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A160A3BF-FAC1-4FAD-9DF7-EB65F3A13F5D}\InprocServer32]
@="C:\\WINDOWS\\system32\\szobject.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{B4ED4182-EF6B-421F-AFF3-2A009DE639EA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B4ED4182-EF6B-421F-AFF3-2A009DE639EA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B4ED4182-EF6B-421F-AFF3-2A009DE639EA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B4ED4182-EF6B-421F-AFF3-2A009DE639EA}\InprocServer32]
@="C:\\WINDOWS\\system32\\dxuiext.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A847C599-7046-4F3E-825E-FF27B3AD3E26}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A847C599-7046-4F3E-825E-FF27B3AD3E26}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A847C599-7046-4F3E-825E-FF27B3AD3E26}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A847C599-7046-4F3E-825E-FF27B3AD3E26}\InprocServer32]
@="C:\\WINDOWS\\system32\\wunscard.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D0E8EC74-1FD2-47A4-9F90-B6651B021C82}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D0E8EC74-1FD2-47A4-9F90-B6651B021C82}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D0E8EC74-1FD2-47A4-9F90-B6651B021C82}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D0E8EC74-1FD2-47A4-9F90-B6651B021C82}\InprocServer32]
@="C:\\WINDOWS\\system32\\dyrpsetu.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{9AF2B723-5727-43F3-8A8F-FFEEA2AA15AA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9AF2B723-5727-43F3-8A8F-FFEEA2AA15AA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9AF2B723-5727-43F3-8A8F-FFEEA2AA15AA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9AF2B723-5727-43F3-8A8F-FFEEA2AA15AA}\InprocServer32]
@="C:\\WINDOWS\\system32\\uurv80a.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8A85CA85-288B-43D4-9A7E-9600174A6AC2}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8A85CA85-288B-43D4-9A7E-9600174A6AC2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8A85CA85-288B-43D4-9A7E-9600174A6AC2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8A85CA85-288B-43D4-9A7E-9600174A6AC2}\InprocServer32]
@="C:\\WINDOWS\\system32\\phustab.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00071AD8-3E38-4D4C-BFD3-A7070B84985B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{00071AD8-3E38-4D4C-BFD3-A7070B84985B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{00071AD8-3E38-4D4C-BFD3-A7070B84985B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{00071AD8-3E38-4D4C-BFD3-A7070B84985B}\InprocServer32]
@="C:\\WINDOWS\\system32\\spextspk.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{411B7098-813D-4CFA-B317-A6FA28B20799}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{411B7098-813D-4CFA-B317-A6FA28B20799}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{411B7098-813D-4CFA-B317-A6FA28B20799}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{411B7098-813D-4CFA-B317-A6FA28B20799}\InprocServer32]
@="C:\\WINDOWS\\system32\\wtcsvc.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
**********************************************************************************
Directory Listing of system files:
Volume in drive C is Local Disk
Volume Serial Number is A0C3-5A64

Directory of C:\WINDOWS\System32

07/05/2005 11:23 PM 417,792 cYrds.dll
07/05/2005 11:16 PM 417,792 wtcsvc.dll
07/05/2005 07:02 PM 417,792 ofjsel.dll
07/04/2005 10:26 AM 417,792 spextspk.dll
07/04/2005 10:16 AM 417,792 phustab.dll
07/03/2005 09:42 AM 417,792 uurv80a.dll
07/03/2005 01:41 AM 417,792 guard.tmp
07/02/2005 08:54 PM 417,792 vdscript.dll
07/01/2005 11:49 PM <DIR> dllcache
04/05/2002 09:48 PM <DIR> Microsoft
8 File(s) 3,342,336 bytes
2 Dir(s) 77,327,360,000 bytes free



Logfile of HijackThis v1.99.1
Scan saved at 11:26:55 PM, on 7/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rklpvm.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\tim\Application Data\Mozilla\Profiles\default\5edp618r.slt\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rklpvm.exe reg_run
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\ofjsel.dll
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
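The L2MFix find log above shows the pattern Grinler is chasing: a Winlogon\Notify subkey whose DllName points at a freshly written DLL in System32, a run of approved shell-extension CLSIDs with empty descriptions whose InprocServer32 keys resolve to more such DLLs, and a directory listing in which those files all share one exact byte size. The script below is an added triage example and is not part of this thread, of HijackThis or of L2MFix; it parses the find-log layout shown above and correlates those three sections. The embedded sample log is constructed from an abbreviated copy of the values posted above, and the key-path constants, the three-file cluster threshold and all function names are this example's own assumptions.

```python
"""Triage an L2MFix-style find log (added example, not L2MFix code).

Correlates three sections of the log:
  1. Winlogon\\Notify subkeys and the DllName each one loads into winlogon.exe
  2. Shell Extensions\\Approved entries with an empty description, resolved to
     the DLL named by their CLSID's InprocServer32 key
  3. Files in the System32 directory listing that share one exact byte size
Anything from (1) or (2) that also sits in a size cluster from (3) is reported.
"""
import re
from collections import defaultdict

# Constructed sample: an abbreviated find log in the layout posted in this thread.
SAMPLE_LOG = r"""
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"DllName"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ofjsel.dll"

**********************************************************************************
Shell Extension key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{6B38BBA5-1B7A-4200-AA2E-DA269A18997E}"=""
"{411B7098-813D-4CFA-B317-A6FA28B20799}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
[HKEY_CLASSES_ROOT\CLSID\{6B38BBA5-1B7A-4200-AA2E-DA269A18997E}\InprocServer32]
@="C:\\WINDOWS\\system32\\ofjsel.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{411B7098-813D-4CFA-B317-A6FA28B20799}\InprocServer32]
@="C:\\WINDOWS\\system32\\wtcsvc.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Directory of C:\WINDOWS\System32

07/05/2005 11:23 PM 417,792 cYrds.dll
07/05/2005 11:16 PM 417,792 wtcsvc.dll
07/05/2005 07:02 PM 417,792 ofjsel.dll
07/03/2005 01:41 AM 417,792 guard.tmp
07/01/2005 11:49 PM <DIR> dllcache
8 File(s) 3,342,336 bytes
"""

# Assumed key paths (match the log text exactly, compared case-insensitively).
NOTIFY_PREFIX = 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\'
APPROVED_KEY = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved'
CLUSTER_MIN = 3  # assumed: three or more files of identical size is worth a look

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"[^"]+")="(.*)"$')          # only string (REG_SZ) values
DIR_RE = re.compile(r'^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+([\d,]+)\s+(\S+)$')


def parse_reg_values(text):
    """Return {key_path: {value_name: data}} for every [key] block in the log."""
    keys = defaultdict(dict)
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current:
            # .reg export doubles backslashes inside string data; undo that.
            keys[current][m.group(1).strip('"')] = m.group(2).replace('\\\\', '\\')
    return keys


def parse_dir_listing(text):
    """Return {filename_lowercase: size_in_bytes} from the DIR-style listing."""
    sizes = {}
    for line in text.splitlines():
        m = DIR_RE.match(line.strip())
        if m:
            sizes[m.group(2).lower()] = int(m.group(1).replace(',', ''))
    return sizes


def triage(text):
    keys = parse_reg_values(text)
    sizes = parse_dir_listing(text)
    findings = {'notify_dlls': {}, 'unnamed_clsids': {}}

    # 1. Each Winlogon\Notify subkey with a DllName is loaded by winlogon.exe.
    for key, values in keys.items():
        if key.lower().startswith(NOTIFY_PREFIX.lower()) and values.get('DllName'):
            findings['notify_dlls'][key.rsplit('\\', 1)[1]] = values['DllName']

    # 2. Approved extensions with no description, resolved via InprocServer32.
    for clsid, desc in keys.get(APPROVED_KEY, {}).items():
        if desc == '':
            inproc = keys.get('HKEY_CLASSES_ROOT\\CLSID\\' + clsid + '\\InprocServer32', {})
            findings['unnamed_clsids'][clsid] = inproc.get('@')

    # 3. Files sharing one exact byte size.
    by_size = defaultdict(list)
    for name, size in sizes.items():
        by_size[size].append(name)
    findings['size_clusters'] = {s: sorted(n) for s, n in by_size.items() if len(n) >= CLUSTER_MIN}

    # Correlate: registry-referenced DLLs that are also members of a size cluster.
    cluster_files = {n for names in findings['size_clusters'].values() for n in names}
    referenced = list(findings['notify_dlls'].values()) + [p for p in findings['unnamed_clsids'].values() if p]
    findings['correlated'] = sorted({p.rsplit('\\', 1)[-1].lower() for p in referenced
                                     if p.rsplit('\\', 1)[-1].lower() in cluster_files})
    return findings


if __name__ == '__main__':
    for section, value in triage(SAMPLE_LOG).items():
        print(section, value)
```

On the constructed sample the script reports ofjsel.dll as both the Unimodem notify DLL and an unnamed shell extension, wtcsvc.dll as a second unnamed extension, and all four 417,792-byte files as one cluster, so both registry-referenced DLLs come out in the correlated list; guard.tmp and cYrds.dll are only in the cluster and would need the listing's timestamps as further context. The parser deliberately ignores dword values and relies on the log's own .reg-export escaping, so it will need adjusting for any other tool's output format.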

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,716 posts
  • Gender:Male
  • Location:USA

Posted 06 July 2005 - 09:13 AM

Download killbox here:

KillBox


Unzip the folder to your desktop.

Start Killbox.exe

When it is open, enter C:\WINDOWS\system32\rklpvm.exe into the field labeled "Full path of file to delete".

Select the Delete on reboot option.

Then press the button that looks like a red circle with a white X in it.

Your computer will reboot and check to see if the file is gone.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

#10 trenken

trenken
  • Topic Starter

  • Members
  • 33 posts

Posted 06 July 2005 - 06:12 PM

New logs:


L2Mfix 1.03

Running From:
C:\Documents and Settings\tim\Desktop\spyware\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\tim\Desktop\spyware\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\tim\Desktop\spyware\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1060 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1280 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\nwwrstr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nwwrstr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ofjsel.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ofjsel.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\phustab.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\phustab.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rFsppp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rFsppp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\spextspk.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\spextspk.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uurv80a.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\uurv80a.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vdscript.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vdscript.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wtcsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wtcsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\nwwrstr.dll
Successfully Deleted: C:\WINDOWS\system32\nwwrstr.dll
deleting: C:\WINDOWS\system32\nwwrstr.dll
Successfully Deleted: C:\WINDOWS\system32\nwwrstr.dll
deleting: C:\WINDOWS\system32\ofjsel.dll
Successfully Deleted: C:\WINDOWS\system32\ofjsel.dll
deleting: C:\WINDOWS\system32\ofjsel.dll
Successfully Deleted: C:\WINDOWS\system32\ofjsel.dll
deleting: C:\WINDOWS\system32\phustab.dll
Successfully Deleted: C:\WINDOWS\system32\phustab.dll
deleting: C:\WINDOWS\system32\phustab.dll
Successfully Deleted: C:\WINDOWS\system32\phustab.dll
deleting: C:\WINDOWS\system32\rFsppp.dll
Successfully Deleted: C:\WINDOWS\system32\rFsppp.dll
deleting: C:\WINDOWS\system32\rFsppp.dll
Successfully Deleted: C:\WINDOWS\system32\rFsppp.dll
deleting: C:\WINDOWS\system32\spextspk.dll
Successfully Deleted: C:\WINDOWS\system32\spextspk.dll
deleting: C:\WINDOWS\system32\spextspk.dll
Successfully Deleted: C:\WINDOWS\system32\spextspk.dll
deleting: C:\WINDOWS\system32\uurv80a.dll
Successfully Deleted: C:\WINDOWS\system32\uurv80a.dll
deleting: C:\WINDOWS\system32\uurv80a.dll
Successfully Deleted: C:\WINDOWS\system32\uurv80a.dll
deleting: C:\WINDOWS\system32\vdscript.dll
Successfully Deleted: C:\WINDOWS\system32\vdscript.dll
deleting: C:\WINDOWS\system32\vdscript.dll
Successfully Deleted: C:\WINDOWS\system32\vdscript.dll
deleting: C:\WINDOWS\system32\wtcsvc.dll
Successfully Deleted: C:\WINDOWS\system32\wtcsvc.dll
deleting: C:\WINDOWS\system32\wtcsvc.dll
Successfully Deleted: C:\WINDOWS\system32\wtcsvc.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: nwwrstr.dll (164 bytes security) (deflated 48%)
adding: ofjsel.dll (164 bytes security) (deflated 48%)
adding: phustab.dll (164 bytes security) (deflated 48%)
adding: rFsppp.dll (164 bytes security) (deflated 48%)
adding: spextspk.dll (164 bytes security) (deflated 48%)
adding: uurv80a.dll (164 bytes security) (deflated 48%)
adding: vdscript.dll (164 bytes security) (deflated 48%)
adding: wtcsvc.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 64%)
adding: echo.reg (164 bytes security) (deflated 10%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 84%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 67%)
adding: test.txt (164 bytes security) (deflated 85%)
adding: test2.txt (164 bytes security) (deflated 45%)
adding: test3.txt (164 bytes security) (deflated 45%)
adding: test5.txt (164 bytes security) (deflated 45%)
adding: xfind.txt (164 bytes security) (deflated 81%)
adding: backregs/00071AD8-3E38-4D4C-BFD3-A7070B84985B.reg (164 bytes security) (deflated 70%)
adding: backregs/2050C640-24C1-42D6-ABBF-8577998CC1BF.reg (164 bytes security) (deflated 70%)
adding: backregs/411B7098-813D-4CFA-B317-A6FA28B20799.reg (164 bytes security) (deflated 70%)
adding: backregs/6B38BBA5-1B7A-4200-AA2E-DA269A18997E.reg (164 bytes security) (deflated 70%)
adding: backregs/8A85CA85-288B-43D4-9A7E-9600174A6AC2.reg (164 bytes security) (deflated 70%)
adding: backregs/9AF2B723-5727-43F3-8A8F-FFEEA2AA15AA.reg (164 bytes security) (deflated 70%)
adding: backregs/A160A3BF-FAC1-4FAD-9DF7-EB65F3A13F5D.reg (164 bytes security) (deflated 70%)
adding: backregs/A847C599-7046-4F3E-825E-FF27B3AD3E26.reg (164 bytes security) (deflated 70%)
adding: backregs/B4ED4182-EF6B-421F-AFF3-2A009DE639EA.reg (164 bytes security) (deflated 70%)
adding: backregs/D0E8EC74-1FD2-47A4-9F90-B6651B021C82.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: nwwrstr.dll
deleting local copy: nwwrstr.dll
deleting local copy: ofjsel.dll
deleting local copy: ofjsel.dll
deleting local copy: phustab.dll
deleting local copy: phustab.dll
deleting local copy: rFsppp.dll
deleting local copy: rFsppp.dll
deleting local copy: spextspk.dll
deleting local copy: spextspk.dll
deleting local copy: uurv80a.dll
deleting local copy: uurv80a.dll
deleting local copy: vdscript.dll
deleting local copy: vdscript.dll
deleting local copy: wtcsvc.dll
deleting local copy: wtcsvc.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\nwwrstr.dll
C:\WINDOWS\system32\nwwrstr.dll
C:\WINDOWS\system32\ofjsel.dll
C:\WINDOWS\system32\ofjsel.dll
C:\WINDOWS\system32\phustab.dll
C:\WINDOWS\system32\phustab.dll
C:\WINDOWS\system32\rFsppp.dll
C:\WINDOWS\system32\rFsppp.dll
C:\WINDOWS\system32\spextspk.dll
C:\WINDOWS\system32\spextspk.dll
C:\WINDOWS\system32\uurv80a.dll
C:\WINDOWS\system32\uurv80a.dll
C:\WINDOWS\system32\vdscript.dll
C:\WINDOWS\system32\vdscript.dll
C:\WINDOWS\system32\wtcsvc.dll
C:\WINDOWS\system32\wtcsvc.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{6B38BBA5-1B7A-4200-AA2E-DA269A18997E}"=-
"{2050C640-24C1-42D6-ABBF-8577998CC1BF}"=-
"{A160A3BF-FAC1-4FAD-9DF7-EB65F3A13F5D}"=-
"{B4ED4182-EF6B-421F-AFF3-2A009DE639EA}"=-
"{A847C599-7046-4F3E-825E-FF27B3AD3E26}"=-
"{D0E8EC74-1FD2-47A4-9F90-B6651B021C82}"=-
"{9AF2B723-5727-43F3-8A8F-FFEEA2AA15AA}"=-
"{8A85CA85-288B-43D4-9A7E-9600174A6AC2}"=-
"{00071AD8-3E38-4D4C-BFD3-A7070B84985B}"=-
"{411B7098-813D-4CFA-B317-A6FA28B20799}"=-
[-HKEY_CLASSES_ROOT\CLSID\{6B38BBA5-1B7A-4200-AA2E-DA269A18997E}]
[-HKEY_CLASSES_ROOT\CLSID\{2050C640-24C1-42D6-ABBF-8577998CC1BF}]
[-HKEY_CLASSES_ROOT\CLSID\{A160A3BF-FAC1-4FAD-9DF7-EB65F3A13F5D}]
[-HKEY_CLASSES_ROOT\CLSID\{B4ED4182-EF6B-421F-AFF3-2A009DE639EA}]
[-HKEY_CLASSES_ROOT\CLSID\{A847C599-7046-4F3E-825E-FF27B3AD3E26}]
[-HKEY_CLASSES_ROOT\CLSID\{D0E8EC74-1FD2-47A4-9F90-B6651B021C82}]
[-HKEY_CLASSES_ROOT\CLSID\{9AF2B723-5727-43F3-8A8F-FFEEA2AA15AA}]
[-HKEY_CLASSES_ROOT\CLSID\{8A85CA85-288B-43D4-9A7E-9600174A6AC2}]
[-HKEY_CLASSES_ROOT\CLSID\{00071AD8-3E38-4D4C-BFD3-A7070B84985B}]
[-HKEY_CLASSES_ROOT\CLSID\{411B7098-813D-4CFA-B317-A6FA28B20799}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************




Logfile of HijackThis v1.99.1
Scan saved at 7:10:40 PM, on 7/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rklpvm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\tim\Application Data\Mozilla\Profiles\default\5edp618r.slt\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rklpvm.exe reg_run
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

#11 Grinler (Lawrence Abrams)

  • Admin
  • 43,716 posts
  • Gender:Male
  • Location:USA

Posted 06 July 2005 - 09:59 PM

Download http://www.bleepingcomputer.com/files/grinler/pfind-new.zip

Extract pfind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\pfind and double-click on pfind.bat. When it is done, reboot and post the contents of c:\pfind.txt as a reply to this topic.

#12 trenken (Topic Starter)

  • Members
  • 33 posts

Posted 07 July 2005 - 05:49 PM

Files found with this application may be legitimate.
Only remove files that you know are malware related.


Checking the C: folder

C:\studio_mx_2004_crack.exe: FSG!


Checking the C:\Program Files folder



Checking the C:\WINDOWS folder

C:\WINDOWS\abiuninst.htm: <!-- saved from url=(0041)http://www.abetterinternet.com/solsssidpeer/ -->
C:\WINDOWS\abiuninst.htm: <td valign=bottom><a href="http://www.abetterinternet.com" class="noa"><span class="abi">ABI Network</span></a></td>
C:\WINDOWS\abiuninst.htm: <a href="http://www.abetterinternet.com/policies.htm" target=_blank>EULA</a>
C:\WINDOWS\aorzj.dll: excl_urls=


Checking the C:\WINDOWS\SYSTEM32 folder

C:\WINDOWS\SYSTEM32\cksup.dll: KavSvc
C:\WINDOWS\SYSTEM32\cksup.dll: 69.59.186.63
C:\WINDOWS\SYSTEM32\cksup.dll: 209.66.67.134
C:\WINDOWS\SYSTEM32\cnxmbrm.exe: .aspack
C:\WINDOWS\SYSTEM32\DivX.dll: PEC2
C:\WINDOWS\SYSTEM32\DivX.dll: PECompact2
C:\WINDOWS\SYSTEM32\DrPMon.dll: ZepMon
C:\WINDOWS\SYSTEM32\epyiroi.dll: .aspack
C:\WINDOWS\SYSTEM32\epyiroi.dll: KavSvc
C:\WINDOWS\SYSTEM32\epyiroi.dll: 69.59.186.63
C:\WINDOWS\SYSTEM32\epyiroi.dll: 209.66.67.134
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\pinrzhr.dll: UPX!
C:\WINDOWS\SYSTEM32\pinrzhr.dll: KavSvc69.5
C:\WINDOWS\SYSTEM32\qagkp.dat: .aspack
C:\WINDOWS\SYSTEM32\redit.cpl: .aspack
C:\WINDOWS\SYSTEM32\rklpvm.exe: UPX!
C:\WINDOWS\SYSTEM32\rklpvm.exe: KavSvc9.5
C:\WINDOWS\SYSTEM32\rwgsu.dll: .aspack
C:\WINDOWS\SYSTEM32\rwgsu.dll: KavSvc
C:\WINDOWS\SYSTEM32\rwgsu.dll: 69.59.186.63
C:\WINDOWS\SYSTEM32\rwgsu.dll: 209.66.67.134
C:\WINDOWS\SYSTEM32\supdate.dll: .aspack
C:\WINDOWS\SYSTEM32\supdate.dll: 69.59.186.63
C:\WINDOWS\SYSTEM32\supdate.dll: 209.66.67.134
C:\WINDOWS\SYSTEM32\supdate.dll: 66.63.167.97
C:\WINDOWS\SYSTEM32\supdate.dll: 66.63.167.77
C:\WINDOWS\SYSTEM32\supdate.dll: KavSvc


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder



Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder


C:\Documents and Settings\All Users\Start Menu\programs\Startup\dkui.exe: UPX!
C:\Documents and Settings\All Users\Start Menu\programs\Startup\dkui.exe: KavSvc9.5


Checking the C:\Documents and Settings\All Users\Application Data folder




Checking the C:\Documents and Settings\Administrator\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\Administrator\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days

#13 trenken (Topic Starter)

  • Members
  • 33 posts

Posted 07 July 2005 - 05:50 PM

I just posted the pfind log; here is my latest HJT log.


Logfile of HijackThis v1.99.1
Scan saved at 6:48:59 PM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rklpvm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\tim\Application Data\Mozilla\Profiles\default\5edp618r.slt\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rklpvm.exe reg_run
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,716 posts
  • Gender:Male
  • Location:USA

Posted 07 July 2005 - 08:02 PM

Download this program:

submit files packer

Highlight the files listed below in bold, then right-click and select Copy.


C:\WINDOWS\abiuninst.htm
C:\WINDOWS\aorzj.dll
C:\WINDOWS\SYSTEM32\cksup.dll
C:\WINDOWS\SYSTEM32\cnxmbrm.exe
C:\WINDOWS\SYSTEM32\DrPMon.dll
C:\WINDOWS\SYSTEM32\epyiroi.dll
C:\WINDOWS\SYSTEM32\pinrzhr.dll
C:\WINDOWS\SYSTEM32\qagkp.dat
C:\WINDOWS\SYSTEM32\redit.cpl
C:\WINDOWS\SYSTEM32\rklpvm.exe
C:\WINDOWS\SYSTEM32\rwgsu.dll
C:\WINDOWS\SYSTEM32\supdate.dll
C:\Documents and Settings\All Users\Start Menu\programs\Startup\dkui.exe
C:\WINDOWS\System32\Guard.tmp
C:\studio_mx_2004_crack.exe


Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.


Please print out these instructions as you will be required to reboot your computer at times. Please read these directions before you proceed so that you understand what you will be doing.

Step 1:

Download the Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  1. Select the Replace on Reboot option and put a checkmark in the Use Dummy checkbox if it is not checked. Make sure the Use Dummy checkbox is checked as it clears each time you do these steps.

  2. Paste this file into the top Full Path of File to Delete field.

    C:\studio_mx_2004_crack.exe

  3. Click the Delete File button which looks like a stop sign.

  4. Click Yes at the Replace on Reboot prompt.

  5. Click No at the Pending Operations prompt.

Repeat steps 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.


C:\WINDOWS\abiuninst.htm
C:\WINDOWS\aorzj.dll
C:\WINDOWS\SYSTEM32\cksup.dll
C:\WINDOWS\SYSTEM32\cnxmbrm.exe
C:\WINDOWS\SYSTEM32\DrPMon.dll
C:\WINDOWS\SYSTEM32\epyiroi.dll
C:\WINDOWS\SYSTEM32\pinrzhr.dll
C:\WINDOWS\SYSTEM32\qagkp.dat
C:\WINDOWS\SYSTEM32\redit.cpl
C:\WINDOWS\SYSTEM32\rklpvm.exe
C:\WINDOWS\SYSTEM32\rwgsu.dll
C:\WINDOWS\SYSTEM32\supdate.dll
C:\Documents and Settings\All Users\Start Menu\programs\Startup\dkui.exe
C:\WINDOWS\System32\Guard.tmp

After you add the last file, Guard.tmp, and it prompts to reboot, you should press the Yes button to allow it to do so.


Do not reboot more than once as the Guard.tmp will probably recreate on reboot but will be an easy kill this time.


Step 2:


Please run pfind-new.bat again and post the resulting log. Remember it may take quite a bit of time before the log appears. So be patient.
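An added example (not part of the thread or of Killbox): a read-only PowerShell triage pass over the paths Grinler listed, recording existence, size, creation time, SHA-256 and Authenticode status before anything is packed or deleted, and then dumping Windows' own delete-on-reboot queue (the PendingFileRenameOperations registry value, which is what MoveFileEx-based "delete on reboot" tools such as Killbox rely on) so the queued deletions can be confirmed before rebooting. It assumes Windows PowerShell 4.0 or later and nothing is modified on disk or in the registry.

```powershell
# Constructed from the file list in the post above; nothing here is written, only read.
$Suspect = @(
    'C:\WINDOWS\abiuninst.htm',
    'C:\WINDOWS\aorzj.dll',
    'C:\WINDOWS\SYSTEM32\cksup.dll',
    'C:\WINDOWS\SYSTEM32\cnxmbrm.exe',
    'C:\WINDOWS\SYSTEM32\DrPMon.dll',
    'C:\WINDOWS\SYSTEM32\epyiroi.dll',
    'C:\WINDOWS\SYSTEM32\pinrzhr.dll',
    'C:\WINDOWS\SYSTEM32\qagkp.dat',
    'C:\WINDOWS\SYSTEM32\redit.cpl',
    'C:\WINDOWS\SYSTEM32\rklpvm.exe',
    'C:\WINDOWS\SYSTEM32\rwgsu.dll',
    'C:\WINDOWS\SYSTEM32\supdate.dll',
    'C:\Documents and Settings\All Users\Start Menu\programs\Startup\dkui.exe',
    'C:\WINDOWS\System32\Guard.tmp',
    'C:\studio_mx_2004_crack.exe'
)

function Get-SuspectFileReport {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        # -Force so hidden/system attributes (typical for droppers) do not hide the file
        $f = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if (-not $f) {
            [pscustomobject]@{ Path = $p; Present = $false; Bytes = $null; Created = $null; SHA256 = $null; Signature = $null }
            continue
        }
        [pscustomobject]@{
            Path      = $p
            Present   = $true
            Bytes     = $f.Length
            Created   = $f.CreationTime                       # cluster of recent times = one infection event
            SHA256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash   # record before deletion
            Signature = (Get-AuthenticodeSignature -LiteralPath $p).Status      # NotSigned is expected here
        }
    }
}

function Get-PendingRenameOperations {
    # REG_MULTI_SZ of source/destination pairs; an empty destination means "delete on reboot".
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $ops) { return @() }
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        [pscustomobject]@{ Source = $ops[$i]; Destination = $ops[$i + 1] }
    }
}

Get-SuspectFileReport -Paths $Suspect | Format-Table -AutoSize
Get-PendingRenameOperations | Format-Table -AutoSize
```

Run it once before the Killbox steps to capture hashes for the submission, and again after queuing the deletions to confirm each path appears as a Source with an empty Destination before you reboot.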

#15 trenken

trenken
  • Topic Starter

  • Members
  • 33 posts

Posted 08 July 2005 - 05:52 PM

Files found with this application may be legitimate.
Only remove files that you know are malware related.


Checking the C: folder



Checking the C:\Program Files folder



Checking the C:\WINDOWS folder



Checking the C:\WINDOWS\SYSTEM32 folder

C:\WINDOWS\SYSTEM32\DivX.dll: PEC2
C:\WINDOWS\SYSTEM32\DivX.dll: PECompact2
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder



Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\All Users\Application Data folder




Checking the C:\Documents and Settings\tim\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\tim\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days




Logfile of HijackThis v1.99.1
Scan saved at 6:51:27 PM, on 7/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\tim\Application Data\Mozilla\Profiles\default\5edp618r.slt\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dkui.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
