
Another BackDoor-BDD problem


33 replies to this topic

#1 cartooncutie


Posted 09 December 2004 - 01:43 PM

Hello, I have seen that many others have this problem so I am confident that I have come to the right place for help. Unlike other posts I've seen, I'm running Windows 2000. Also, when McAfee tells me they've found a product of this lovely trojan, it can't be cleaned or deleted. I've downloaded Hijack This and here's the results:

Logfile of HijackThis v1.97.7
Scan saved at 1:41:31 PM, on 12/9/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\wm.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Documents and Settings\dbrown\DESKTOP\tasha\LogiTray.exe
C:\WINNT\System32\bkcpix.exe
C:\Documents and Settings\dbrown\Application Data\trdb.exe
C:\WINNT\system32\??rvices.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Documents and Settings\dbrown\DESKTOP\tasha\hijack this\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\gtill.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\gtill.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\gtill.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\gtill.dll/sp.html#11111
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Documents and Settings\dbrown\DESKTOP\tasha\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Documents and Settings\dbrown\DESKTOP\tasha\LogiTray.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [chrjhgipqi] C:\WINNT\System32\bkcpix.exe
O4 - HKCU\..\Run: [Brct] C:\Documents and Settings\dbrown\Application Data\trdb.exe
O4 - HKCU\..\Run: [Wdqzbl] C:\WINNT\system32\??rvices.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\gjcisktv.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.office.microsoft.com/ProductUpd...ontent/opuc.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8276.7275347222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.ds.fedex.com,ds.fedex.com,prod.fedex.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.ds.fedex.com,ds.fedex.com,prod.fedex.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.ds.fedex.com,ds.fedex.com,prod.fedex.com



#2 Daisuke


    Cleaner on Duty



Posted 09 December 2004 - 07:33 PM

Hi

You are running an outdated version of HijackThis. Delete the copy you have and download the latest version of HijackThis!: Download here HJT 1.98.2. Save it on your Desktop. You will now need to unzip hijackthis.exe to a permanent folder, such as c:\hjt. This has to be done as HijackThis creates backups. You may need to use these backups.

First create a new folder:
A. Click My Computer icon on your desktop
B. Click C: drive
C. Click the File menu --> New --> Folder, a folder "New folder" will be created.
D. Rename it HJT

Unzip hijackthis.exe to the c:\HJT folder.


Follow this link to download ServiceFilter: ServiceFilter download

Unzip the content to a folder, such as c:\ServiceFilter.

Navigate to c:\ServiceFilter folder and (double)click the ServiceFilter.vbs file.

If you have a script blocking program you will get a warning asking if you want to allow ServiceFilter.vbs to run. Allow the script to run.

Note: The script DOES NOT find bad services, it simply filters out what is known to be ok.

Follow the instructions on the screen and WordPad will open.

In WordPad click
Edit menu --> Select All
then
Edit menu --> Copy


Right click in the message area and click on the paste option to paste the log into the post.

Please also post a fresh HJT log.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the service will have changed and the fix provided will not work.

Please tell me if you noticed problems with your desktop or the recycle bin. The recycle bin is damaged by the Look2Me infection and all the deleted files are lost forever.

Edited by cryo, 09 December 2004 - 07:35 PM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#3 cartooncutie

  • Topic Starter


Posted 09 December 2004 - 09:54 PM

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows 2000 Professional
Version: 5.0.2195 Service Pack 4
Dec 9, 2004 9:50:48 PM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: AvSynMgr
Display Name: AVSync Manager
Start Mode: Auto
Start Name: LocalSystem
Description: AVSync ...
Service Type: Own Process
Path: "c:\program files\network associates\virusscan\avsynmgr.exe"
State: Running
Process ID: 544
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 2
Service Name: ISEXEng
Display Name: ISEXEng
Start Mode: Auto
Start Name: LocalSystem
Description: ISEXEng...
Service Type: Own Process
Path: c:\winnt\system32\angelex.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 3
Service Name: McShield
Display Name: McShield
Start Mode: Manual
Start Name: LocalSystem
Description: McShield...
Service Type: Own Process
Path: "c:\program files\common files\network associates\mcshield\mcshield.exe"
State: Running
Process ID: 892
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 4
Service Name: WM
Display Name: Novell Workstation Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Novell Workstation ...
Service Type: Own Process
Path: c:\winnt\system32\wm.exe
State: Running
Process ID: 760
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True

---> End Service Listing <---

There are 61 Win32 services on this machine.
4 were unrecognized.

Script Execution Time: 15.41406 seconds.


_______________________________________________________



Logfile of HijackThis v1.98.2
Scan saved at 9:48:16 PM, on 12/9/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\wm.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Documents and Settings\dbrown\DESKTOP\tasha\LogiTray.exe
C:\WINNT\System32\bkcpix.exe
C:\Documents and Settings\dbrown\Application Data\trdb.exe
C:\WINNT\system32\??rvices.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack this\HijackThis.exe
C:\Program Files\Common Files\Real\Update_OB\rndal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\gtill.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\gtill.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\gtill.dll/sp.html#11111
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\gtill.dll/sp.html#11111
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Documents and Settings\dbrown\DESKTOP\tasha\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Documents and Settings\dbrown\DESKTOP\tasha\LogiTray.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [chrjhgipqi] C:\WINNT\System32\bkcpix.exe
O4 - HKCU\..\Run: [Brct] C:\Documents and Settings\dbrown\Application Data\trdb.exe
O4 - HKCU\..\Run: [Wdqzbl] C:\WINNT\system32\??rvices.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\gjcisktv.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.office.microsoft.com/ProductUpd...ontent/opuc.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.ds.fedex.com,ds.fedex.com,prod.fedex.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.ds.fedex.com,ds.fedex.com,prod.fedex.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.ds.fedex.com,ds.fedex.com,prod.fedex.com
O20 - AppInit_DLLs: mad.dll

#4 Daisuke


    Cleaner on Duty



Posted 10 December 2004 - 08:58 AM

Hi

Please answer my question:
Did you notice problems with your desktop or the recycle bin?



Download KillBox here:
KillBox. Unzip it to your desktop.

Start Killbox.exe

Select the Delete on reboot option.

1. Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINNT\System32\mad.dll

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the YES button.

Your computer will reboot.


Open Notepad, copy and paste the contents of the quote box below, and "Save As" removeit.reg. In the "Save as type" select: All files and save the file to your Desktop.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ISEXENG]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ISEXEng]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ISEXENG]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ISEXEng]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ISEXENG]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ISEXEng]


We will use this above registry file later in the fix.


Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Download Ad-aware SE 1.05: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Click on Start, then Run, and type services.msc and press the OK button. When the Services control panel opens, scroll through the list looking for a service called ISEXEng. If that service exists, double-click on it, and change the startup to disabled and stop the service.


Run HijackThis!, press Scan, and put a check mark next to all these:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\gtill.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\gtill.dll/sp.html#11111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\gtill.dll/sp.html#11111
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\gtill.dll/sp.html#11111
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing

O4 - HKCU\..\Run: [Brct] C:\Documents and Settings\dbrown\Application Data\trdb.exe
O4 - HKCU\..\Run: [Wdqzbl] C:\WINNT\system32\??rvices.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\gjcisktv.exe
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab

O20 - AppInit_DLLs: mad.dll


Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if found:
c:\winnt\system32\angelex.exe <-- this file
C:\Documents and Settings\dbrown\Application Data\trdb.exe <-- this file
C:\WINNT\gtill.dll <-- this file
C:\Program Files\Internet Explorer\gjcisktv.exe <-- this file

Delete these folders:
C:\Program Files\Ebates_MoeMoneyMaker\ <-- this folder


Now we want to run the registry file created previously. Double-click on the removeit.reg file and when it asks if you would like to merge the information, press the OK or Yes button.


Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.

With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab tick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

REBOOT normally.

Copy and paste the contents of the following quotebox into Notepad:

dir C:\WINNT\System32\?hkntfs.exe /a h > files.txt
notepad files.txt


Save it as FindFile.bat and save it on your Desktop.

Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.


Run HijackThis! again and post a new log please.
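The fix above is built by reading a HijackThis log line by line and picking out the same handful of patterns every time: hosts-file lines that send search domains to a foreign address, R0/R1 search pages pointing into a local DLL via res://, O15 Trusted Zone additions, O16 DPF entries that load a local file, a non-empty O20 AppInit_DLLs value, and Run entries whose file name is one character away from a real system binary (the ??rvices.exe and ?hkntfs.exe entries). The script below is an added example, not code from this thread or from HijackThis, that applies those checks to constructed sample lines copied from the logs in this thread; the Cyrillic letter standing in for the character the forum rendered as "?" and the list of system binary names are assumptions.

```python
import re

# Constructed sample of HijackThis 1.98 lines of the kinds that appear in this thread.
# The Cyrillic letter in the Run entry is an assumed stand-in for the character that
# the forum rendered as "?" in ??rvices.exe.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = res://C:\\WINNT\\gtill.dll/sp.html#11111
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\\..\\Run: [NWTRAY] NWTRAY.EXE
O4 - HKCU\\..\\Run: [Wdqzbl] C:\\WINNT\\system32\\s\u0435rvices.exe
O15 - Trusted Zone: *.blazefind.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\\Program Files\\Internet Explorer\\gjcisktv.exe
O20 - AppInit_DLLs: mad.dll
"""

# Assumed list of Windows binaries that the lookalike file names in this thread imitate.
SYSTEM_BINARIES = {"services.exe", "chkntfs.exe", "svchost.exe", "lsass.exe",
                   "winlogon.exe", "explorer.exe"}
# Hosts-file targets that are normal; any other address in an O1 line is a redirect.
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
FILE_RE = re.compile(r'([^\\/"\s]+\.(?:exe|dll|ocx|scr))', re.IGNORECASE)
HOSTS_RE = re.compile(r"Hosts:\s+(\S+)\s+(\S+)")


def edit_distance(a, b):
    """Levenshtein distance; one edit away from a system binary name is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the system binary that `name` imitates, or None.
    Non-ASCII characters are folded to '?' so a swapped letter counts as one edit."""
    lowered = name.lower()
    if lowered in SYSTEM_BINARIES:
        return None
    folded = "".join(c if c.isascii() else "?" for c in lowered)
    for known in SYSTEM_BINARIES:
        if edit_distance(folded, known) == 1:
            return known
    return None


def flag_line(line):
    """Return the reasons an HJT line deserves a closer look (empty list = nothing)."""
    m = re.match(r"(R\d|O\d+) - (.*)", line.strip())
    if not m:
        return []
    section, body = m.groups()
    reasons = []
    if section in ("R0", "R1") and "res://" in body:
        reasons.append("IE search/start page points into a local DLL resource (res://)")
    if section == "O1":
        h = HOSTS_RE.match(body)
        if h and h.group(1) not in LOCAL_ADDRESSES:
            reasons.append(f"hosts file redirects {h.group(2)} to {h.group(1)}")
    if section == "O15":
        reasons.append("site added to the IE Trusted Zone: " + body.split(":", 1)[1].strip())
    if section == "O16" and "file://" in body:
        reasons.append("ActiveX (DPF) entry points at a local file instead of a download URL")
    if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs injects this DLL into every user-mode process")
    # File-name checks apply to whatever executable or DLL the line references.
    f = FILE_RE.search(body)
    if f:
        name = f.group(1)
        if not name.isascii():
            reasons.append(f"non-ASCII character in file name {name!r}")
        target = lookalike_of(name)
        if target:
            reasons.append(f"file name {name!r} imitates {target}")
    return reasons


def triage(log):
    """Return (line, reasons) for every flagged line of a HijackThis log."""
    flagged = []
    for line in log.splitlines():
        reasons = flag_line(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

The script is a triage aid only: it reproduces the reasoning in the post, it does not decide what is malware, and lines it leaves unflagged (such as the NWTRAY.EXE Run entry) still need the same human look the thread gives them.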

#5 cartooncutie

  • Topic Starter


Posted 10 December 2004 - 12:21 PM

Sorry, no. Nothing is wrong with my desktop or recycle bin. Random things like Gain, Bargain Buddy, TV Media, and Internet Optimizer download themselves without notice all the time, and when I try to check my Google mail or go to LexisNexis to do my research for law school, the sites open with errors and the page is blank.

#6 cartooncutie

  • Topic Starter


Posted 10 December 2004 - 02:53 PM

I couldn't delete trdb.exe, the error message said it was in use, and when I rebooted after doing all that stuff in safe mode, I got a message that an exception occurred while trying to run "''C:\WINNT\system32\seorder.dll",UMonitor"

_________________________

from findfile.bat:

Volume in drive C has no label.
Volume Serial Number is 07D0-091D

Directory of C:\WINNT\System32

06/19/2003 03:05p 13,072 CHKNTFS.EXE
1 File(s) 13,072 bytes

Directory of C:\Documents and Settings\dbrown\Desktop

_________________________


Logfile of HijackThis v1.98.2
Scan saved at 2:49:59 PM, on 12/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\wm.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Documents and Settings\dbrown\DESKTOP\tasha\LogiTray.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Documents and Settings\dbrown\Application Data\trdb.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Documents and Settings\dbrown\DESKTOP\tasha\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Documents and Settings\dbrown\DESKTOP\tasha\LogiTray.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Brct] C:\Documents and Settings\dbrown\Application Data\trdb.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.office.microsoft.com/ProductUpd...ontent/opuc.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.ds.fedex.com,ds.fedex.com,prod.fedex.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.ds.fedex.com,ds.fedex.com,prod.fedex.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.ds.fedex.com,ds.fedex.com,prod.fedex.com
O20 - AppInit_DLLs: mad.dll

#7 Daisuke


    Cleaner on Duty



Posted 10 December 2004 - 03:00 PM

Download KillBox here:
KillBox. Unzip it to your desktop.

Start Killbox.exe

Select the Delete on reboot option.

1. Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINNT\System32\mad.dll

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the YES button.

Your computer will reboot.

Run HijackThis!, press Scan, and put a check mark next to all these:

O20 - AppInit_DLLs: mad.dll

Close all other windows and browsers, and press the Fix Checked button.

REBOOT and post a new log please.

#8 cartooncutie

  • Topic Starter


Posted 10 December 2004 - 06:15 PM

O20 - AppInit_DLLs: mad.dll is still there

----------------------------------------------


Logfile of HijackThis v1.98.2
Scan saved at 6:12:58 PM, on 12/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\wm.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Documents and Settings\dbrown\DESKTOP\tasha\LogiTray.exe
C:\Documents and Settings\dbrown\Application Data\trdb.exe
C:\WINNT\system32\rundll32.exe
C:\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Documents and Settings\dbrown\DESKTOP\tasha\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Documents and Settings\dbrown\DESKTOP\tasha\LogiTray.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Brct] C:\Documents and Settings\dbrown\Application Data\trdb.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.office.microsoft.com/ProductUpd...ontent/opuc.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.ds.fedex.com,ds.fedex.com,prod.fedex.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.ds.fedex.com,ds.fedex.com,prod.fedex.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.ds.fedex.com,ds.fedex.com,prod.fedex.com
O20 - AppInit_DLLs: mad.dll

#9 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:02:21 AM

Posted 10 December 2004 - 06:21 PM

mad.dll is still there

I know. It is really mad :thumbsup:

Please search for it and post the full path.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#10 cartooncutie

cartooncutie
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:21 AM

Posted 10 December 2004 - 08:03 PM

C:\WINNT\SYSTEM32\mad.dll

#11 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:02:21 AM

Posted 11 December 2004 - 07:34 AM

Hi

Unregister the DLL first and then kill it:

Go to Start --> Run, and type (or better copy and paste) the following command:

regsvr32 /u "C:\WINNT\SYSTEM32\mad.dll"

Press the OK button.
Please write down the error message if you get one.


Start Killbox.exe

Select the Delete on reboot option.

1. Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINNT\System32\mad.dll

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the YES button.

Your computer will reboot.


Run HijackThis!, press Scan, and put a check mark next to all these:

O20 - AppInit_DLLs: mad.dll

Close all other windows and browsers, and press the Fix Checked button.

REBOOT and post a new log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#12 cartooncutie

cartooncutie
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:21 AM

Posted 11 December 2004 - 02:39 PM

I did get an error message: C:\WINNT\SYSTEM32\mad.dll was loaded, but the DllUnregisterServer entry point was not found. DllUnregisterServer may not be exported, or a corrupt version of C:\WINNT\SYTEM32\mad.dll may be in memory. Consider using PView to detect and remove it.

and mad.dll is still hanging out as you can see:


Logfile of HijackThis v1.98.2
Scan saved at 2:28:55 PM, on 12/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\wm.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Documents and Settings\dbrown\DESKTOP\tasha\LogiTray.exe
C:\Documents and Settings\dbrown\Application Data\trdb.exe
C:\WINNT\system32\rundll32.exe
C:\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Documents and Settings\dbrown\DESKTOP\tasha\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Documents and Settings\dbrown\DESKTOP\tasha\LogiTray.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Brct] C:\Documents and Settings\dbrown\Application Data\trdb.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://www.office.microsoft.com/ProductUpd...ontent/opuc.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.ds.fedex.com,ds.fedex.com,prod.fedex.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.ds.fedex.com,ds.fedex.com,prod.fedex.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.ds.fedex.com,ds.fedex.com,prod.fedex.com
O20 - AppInit_DLLs: mad.dll

#13 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:02:21 AM

Posted 11 December 2004 - 04:38 PM

Please tell me if your filesystem is NTFS or FAT32.

Double click on My Computer, then right click on the C: drive, and click on Properties.


Download this ZIP file

and unzip the contents to a folder, then open that folder and double click on Find.bat. It will run for a minute, then produce a log (ignore any File not found messages on the screen, it should continue anyway). Please copy and paste the log here.

Please DO NOT REBOOT your computer, or log off. Do not fix anything. If you do, the Look2Me files will have changed and the fix provided will not work.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#14 cartooncutie

cartooncutie
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:21 AM

Posted 11 December 2004 - 05:05 PM

It's FAT32



Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 07D0-091D

Directory of C:\WINNT\System32

12/11/2004 02:19p 225,752 fpn6035se.dll
12/11/2004 02:13p 222,833 k2pm0c71ef.dll
12/10/2004 01:42p 225,752 MRSTKPRP.DLL
12/10/2004 12:52p 222,824 nydwin32.dll
12/09/2004 02:19a 224,554 i406leds1h06.dll
12/08/2004 11:38p 29,696 ipga.exe
12/08/2004 11:32p 29,696 mfcod.exe
12/08/2004 11:32p 10,752 sysvg32.exe
12/08/2004 11:32p 29,696 ipxm.exe
12/08/2004 11:32p 10,752 ipzv.exe
12/08/2004 11:19p 10,752 ntfq32.exe
12/08/2004 11:18p 10,752 javacm32.exe
12/08/2004 11:08p 29,696 mfcyk.exe
12/08/2004 11:07p 10,752 mfczi32.exe
12/08/2004 11:05p 10,752 javaev.exe
12/08/2004 11:05p 29,696 mfcil.exe
11/15/2004 07:50p 93,184 ipje32.dll
11/12/2004 08:52a 385,024 ??rvices.exe
18 File(s) 1,812,915 bytes
0 Dir(s) 508,542,976 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 07D0-091D

Directory of C:\WINNT\System32

12/08/2004 11:38p 29,696 ipga.exe
12/08/2004 11:32p 29,696 mfcod.exe
12/08/2004 11:32p 10,752 sysvg32.exe
12/08/2004 11:32p 29,696 ipxm.exe
12/08/2004 11:32p 10,752 ipzv.exe
12/08/2004 11:19p 10,752 ntfq32.exe
12/08/2004 11:18p 10,752 javacm32.exe
12/08/2004 11:08p 29,696 mfcyk.exe
12/08/2004 11:07p 10,752 mfczi32.exe
12/08/2004 11:05p 10,752 javaev.exe
12/08/2004 11:05p 29,696 mfcil.exe
11/15/2004 07:50p 93,184 ipje32.dll
11/12/2004 08:52a 385,024 ??rvices.exe
09/29/2000 11:01p <DIR> GroupPolicy
08/30/2000 10:04a 21,692 FOLDER.HTT
08/30/2000 10:04a 271 DESKTOP.INI
15 File(s) 713,163 bytes
1 Dir(s) 508,538,880 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 07D0-091D

Directory of C:\WINNT\System32

12/11/2004 02:27p 222,833 guard.tmp
1 File(s) 222,833 bytes
0 Dir(s) 508,534,784 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 07D0-091D

Directory of C:\WINNT\System32

12/11/2004 02:27p 222,833 guard.tmp
10/14/2004 04:34p 81,920 nsp3B.tmp
10/14/2004 04:34p 81,920 nss46.tmp
12/07/1999 12:00p 2,577 CONFIG.TMP
4 File(s) 389,250 bytes
0 Dir(s) 508,530,688 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D9C8AF68-177C-4B89-BCD3-A6D878ED7C87}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nwprovau]
"Asynchronous"=dword:00000000
"DllName"=hex(2):6e,77,70,72,6f,76,61,75,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"LogoffPostProfileUnload"="WinlogonLogoffPostProfileUnloadEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\k2pm0c71ef.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


---------------- Xfind Results -----------------

C:\WINNT\System32\IPJE32.DLL +++ File read error

-------------- Locate.com Results ---------------

C:\WINNT\SYSTEM32\
ipje32.dll Mon Nov 15 2004 7:50:04p A.SH. 93,184 91.00 K
mrstkprp.dll Fri Dec 10 2004 1:42:24p ..S.R 225,752 220.46 K
nydwin32.dll Fri Dec 10 2004 12:52:02p ..S.R 222,824 217.60 K
rvices~1.exe Fri Nov 12 2004 8:52:22a ..SHR 385,024 376.00 K
mfcil.exe Wed Dec 8 2004 11:05:00p A.SH. 29,696 29.00 K
javaev.exe Wed Dec 8 2004 11:05:54p A.SH. 10,752 10.50 K
ipzv.exe Wed Dec 8 2004 11:32:26p A.SH. 10,752 10.50 K
ipxm.exe Wed Dec 8 2004 11:32:30p A.SH. 29,696 29.00 K
sysvg32.exe Wed Dec 8 2004 11:32:52p A.SH. 10,752 10.50 K
mfcod.exe Wed Dec 8 2004 11:32:54p A.SH. 29,696 29.00 K
ipga.exe Wed Dec 8 2004 11:38:18p A.SH. 29,696 29.00 K
mfczi32.exe Wed Dec 8 2004 11:07:00p A.SH. 10,752 10.50 K
i406le~1.dll Thu Dec 9 2004 2:19:24a ..S.R 224,554 219.29 K
fpn603~1.dll Sat Dec 11 2004 2:19:04p ..S.R 225,752 220.46 K
mfcyk.exe Wed Dec 8 2004 11:08:44p A.SH. 29,696 29.00 K
javacm32.exe Wed Dec 8 2004 11:18:28p A.SH. 10,752 10.50 K
ntfq32.exe Wed Dec 8 2004 11:19:48p A.SH. 10,752 10.50 K
k2pm0c~1.dll Sat Dec 11 2004 2:13:08p ..S.R 222,833 217.61 K

18 items found: 18 files, 0 directories.
Total of file sizes: 1,812,915 bytes 1.73 M

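The entries the helper asks to fix in this thread (the O20 AppInit_DLLs line, the hosts-file redirects of search domains, an autorun launching from Application Data, and the Winlogon\Notify\Setup DllName that the Find.bat output shows pointing at a random-named DLL) can be flagged mechanically from the logs. This is an added Python example, not part of the thread or of any BleepingComputer, HijackThis or Find.bat tool; its sample lines are constructed from the logs posted above.

```python
"""Flag persistence entries in HijackThis log lines and a Winlogon\\Notify export.
Added example for this thread, not a BleepingComputer tool; sample data below is
constructed from the thread's own logs."""
import re

# Constructed sample: four HijackThis lines taken from the posted log.
SAMPLE_HJT = r"""O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKCU\..\Run: [Brct] C:\Documents and Settings\dbrown\Application Data\trdb.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O20 - AppInit_DLLs: mad.dll
"""

# Constructed sample: two Notify subkeys from the Find.bat REGEDIT4 export.
SAMPLE_NOTIFY = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"DllName"="C:\\WINNT\\system32\\k2pm0c71ef.dll"
"""


def hjt_findings(log):
    """Return (line, reason) pairs for HijackThis entries worth a closer look."""
    out = []
    for line in log.splitlines():
        if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            # A non-empty AppInit_DLLs value is loaded into every process that links user32.
            out.append((line, "AppInit_DLLs is non-empty"))
        elif line.startswith("O1 - Hosts:") and "search" in line.lower():
            out.append((line, "hosts file redirects a search domain"))
        elif line.startswith("O4 - ") and "\\application data\\" in line.lower():
            out.append((line, "autorun launches an .exe from a per-user Application Data folder"))
    return out


def notify_findings(export):
    """Return (subkey, path) for Winlogon\\Notify entries whose DllName is an
    absolute path; the stock Windows 2000 entries use bare names such as cscdll.dll."""
    out, key = [], None
    for line in export.splitlines():
        if line.startswith("["):
            key = line.strip("[]").rsplit("\\", 1)[-1]
            continue
        m = re.match(r'"DllName"="(.*)"', line, re.IGNORECASE)
        if m and re.match(r"[a-z]:\\\\", m.group(1), re.IGNORECASE):
            # REGEDIT4 doubles backslashes inside string values; undo that for display.
            out.append((key, m.group(1).replace("\\\\", "\\")))
    return out


if __name__ == "__main__":
    for item in hjt_findings(SAMPLE_HJT) + notify_findings(SAMPLE_NOTIFY):
        print(*item, sep="  ->  ")
```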

#15 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:02:21 AM

Posted 12 December 2004 - 09:33 AM

Hi

It's FAT32

OK, it will be easy to kill it. We will use a floppy disk :thumbsup:. Do you have a Windows 98 Startup disk? If not, send me a PM with your email address. I will send you the files. Prepare a floppy disk.

Please delete Killbox.exe and Killbox.zip you downloaded earlier. There is a new version.

Download KillBox here: KillBox. Unzip it to your desktop.

Disconnect from the internet.

Start Killbox and click on Tools --> Select Delete Temp Files. Click OK.


Select the Delete on reboot option.

Copy and paste each of the following file(s) to the field labeled "Full path of file to delete"
C:\WINNT\System32\fpn6035se.dll
C:\WINNT\System32\k2pm0c71ef.dll
C:\WINNT\System32\MRSTKPRP.DLL
C:\WINNT\System32\nydwin32.dll
C:\WINNT\System32\i406leds1h06.dll
C:\WINNT\System32\ipga.exe
C:\WINNT\System32\mfcod.exe
C:\WINNT\System32\sysvg32.exe
C:\WINNT\System32\ipxm.exe
C:\WINNT\System32\ipzv.exe
C:\WINNT\System32\ntfq32.exe
C:\WINNT\System32\javacm32.exe
C:\WINNT\System32\mfcyk.exe
C:\WINNT\System32\mfczi32.exe
C:\WINNT\System32\javaev.exe
C:\WINNT\System32\mfcil.exe
C:\WINNT\System32\ipje32.dll

C:\WINNT\System32\guard.tmp

After each file press the Delete button (the button that looks like a red circle with a white X in it).

A dialog box will ask if you want to delete and reboot now - on all but the last file, answer No
For the last file (or first, if only one file), answer Yes

Run Find.bat and HijackThis again, and post the logs please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?
