
can't remove 69.20.16.183 ieautosearch


This topic is locked
11 replies to this topic

#1 drunkrocker

Posted 11 December 2004 - 08:30 PM

I've been looking for about a week at various sites and posts that claim to have solved this problem, but none have worked for me. I've run Ad-Aware SE, CWShredder, AVG antivirus and hostfix; started in safe mode and showed the hidden files, but none of these make a difference. I've cleaned up a bit by using HijackThis to get rid of several entries that I know are inappropriate. My computer with this problem runs fine as long as I stay off the internet. As soon as I connect, many popups, programs and viruses start showing up on my system. The log is one I have cleaned up, taken before I connect to the internet. Let me know if you want a log after I connect, with all the wonderful stuff. Thanks in advance for any help you can give me.
Here's the log from HJT

HJT log - Drunkrocker
Logfile of HijackThis v1.98.2
Scan saved at 5:11:26 PM, on 12/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sandiego.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
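As an added example (not part of this thread, and not HijackThis code), a small Python triage over log lines like the ones above: it flags O1 Hosts entries that map a name to anything other than the local host (here ieautosearch is sent to 69.20.16.183) and O15 Trusted Zone entries that are not on an allowlist. The sample log is a constructed excerpt of the log above.

```python
import re
from ipaddress import ip_address

# Constructed sample: an excerpt of the first HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis v1.98.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sandiego.cox.net/
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
"""

HJT_LINE = re.compile(r"^([RO]\d+) - (.*)$")       # "O1 - Hosts: ..." -> ("O1", "Hosts: ...")
HOSTS_ENTRY = re.compile(r"^Hosts: (\S+)\s+(\S+)$")
TRUSTED_ZONE = re.compile(r"^Trusted Zone: (\S+)$")


def parse_hjt(text):
    """Split a HijackThis log into (section code, body) pairs; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text, trusted_allowlist=()):
    """Return (code, reason, original body) for the entries a reviewer should look at first.

    O1: a hosts-file line is only benign when it maps a name to the local host; any other
        address silently redirects that name (in this thread: 'ieautosearch').
    O15: sites in the Trusted zone get relaxed Internet Explorer security settings, so any
         site the user did not deliberately add there is suspect.
    """
    allow = {d.lower() for d in trusted_allowlist}
    findings = []
    for code, body in parse_hjt(text):
        if code == "O1":
            m = HOSTS_ENTRY.match(body)
            if not m:
                findings.append((code, "unparseable hosts entry", body))
                continue
            ip, name = m.groups()
            try:
                addr = ip_address(ip)
            except ValueError:
                findings.append((code, f"hosts entry with invalid address {ip!r}", body))
                continue
            if not addr.is_loopback:
                findings.append((code, f"hosts file redirects {name} to {ip}", body))
        elif code == "O15":
            m = TRUSTED_ZONE.match(body)
            if m and m.group(1).lower() not in allow:
                findings.append((code, f"{m.group(1)} is in the Trusted zone", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_HJT_LOG):
        print(f"{code}: {reason}\n    {body}")
```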


#2 Daisuke, Cleaner on Duty

Posted 12 December 2004 - 12:23 PM

Hi :thumbsup:

Download this ZIP file

and unzip the contents to a folder, then open that folder and double click on Find.bat. It will run for a minute, then produce a log (ignore any File not found messages on the screen, it should continue anyway). Please copy and paste that log here.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#3 drunkrocker, Topic Starter

Posted 15 December 2004 - 12:26 AM

Thanks for looking at my log. That just doesn't sound right.

Here it is.

Attached Files



#4 Daisuke, Cleaner on Duty

Posted 15 December 2004 - 05:21 AM

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 5C0B-7779

Directory of C:\WINDOWS\System32

12/14/2004 07:36 PM 224,227 sZmlib.dll
12/14/2004 07:36 PM 225,749 j22qlcf51f2.dll
12/12/2004 10:43 AM 223,935 cmwmdm.dll
12/11/2004 10:46 PM 224,227 en4sl1h71.dll
12/11/2004 10:26 PM 224,227 nrrsnl.dll
12/11/2004 05:09 PM 223,935 mwdrv.dll
12/11/2004 05:08 PM 225,224 duuiext.dll
12/11/2004 03:56 PM 223,935 aysmsext.dll
12/11/2004 03:55 PM <DIR> dllcache
12/09/2004 04:10 PM 225,224 moiole16.dll
12/08/2004 06:35 AM 389,120 w?nlogon.exe
12/05/2004 10:08 AM 223,935 sgnscfg.dll
12/04/2004 08:26 PM 225,927 asipdsxx.dll
12/04/2004 07:25 PM 223,935 mvmdd.dll
12/04/2004 03:01 PM 98,304 d3fs32.dll
14 File(s) 3,181,904 bytes
1 Dir(s) 16,709,709,824 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 5C0B-7779

Directory of C:\WINDOWS\System32

12/11/2004 03:55 PM <DIR> dllcache
12/11/2004 03:49 PM 488 WindowsLogon.manifest
12/11/2004 03:49 PM 488 logonui.exe.manifest
12/11/2004 03:49 PM 749 sapi.cpl.manifest
12/11/2004 03:49 PM 749 wuaucpl.cpl.manifest
12/11/2004 03:49 PM 749 cdplayer.exe.manifest
12/11/2004 03:49 PM 749 ncpa.cpl.manifest
12/11/2004 03:49 PM 749 nwc.cpl.manifest
12/08/2004 06:35 AM 389,120 w?nlogon.exe
12/04/2004 03:01 PM 98,304 d3fs32.dll
09/06/2004 08:32 AM 8,628 ConvertDoc.GID
05/09/2003 02:42 PM <DIR> GroupPolicy
10 File(s) 500,773 bytes
2 Dir(s) 16,709,701,632 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 5C0B-7779

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 5C0B-7779

Directory of C:\WINDOWS\System32

08/23/2001 04:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 16,709,701,632 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{B8F44CD1-6B2B-4B09-A233-E732267A6F52}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en4sl1h71.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------

C:\WINDOWS\System32\EN4SL1~1.DLL +++ File read error

-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
asipdsxx.dll Sat Dec 4 2004 8:26:36p A.S.R 225,927 220.63 K
aysmsext.dll Sat Dec 11 2004 3:56:42p ..S.R 223,935 218.68 K
cdplay~1.man Sat Dec 11 2004 3:49:34p A..HR 749 0.73 K
cmwmdm.dll Sun Dec 12 2004 10:43:14a ..S.R 223,935 218.68 K
d3fs32.dll Sat Dec 4 2004 3:01:46p A.SH. 98,304 96.00 K
duuiext.dll Sat Dec 11 2004 5:08:04p ..S.R 225,224 219.95 K
en4sl1~1.dll Sat Dec 11 2004 10:46:18p ..S.R 224,227 218.97 K
j22qlc~1.dll Tue Dec 14 2004 7:36:24p ..S.R 225,749 220.46 K
logonu~1.man Sat Dec 11 2004 3:49:38p A..HR 488 0.48 K
moiole16.dll Thu Dec 9 2004 4:10:40p A.S.R 225,224 219.95 K
mvmdd.dll Sat Dec 4 2004 7:25:38p A.S.R 223,935 218.68 K
mwdrv.dll Sat Dec 11 2004 5:09:42p ..S.R 223,935 218.68 K
ncpacp~1.man Sat Dec 11 2004 3:49:34p A..HR 749 0.73 K
nrrsnl.dll Sat Dec 11 2004 10:26:18p ..S.R 224,227 218.97 K
nwccpl~1.man Sat Dec 11 2004 3:49:34p A..HR 749 0.73 K
sapicp~1.man Sat Dec 11 2004 3:49:34p A..HR 749 0.73 K
sgnscfg.dll Sun Dec 5 2004 10:08:40a A.S.R 223,935 218.68 K
szmlib.dll Tue Dec 14 2004 7:36:24p ..S.R 224,227 218.97 K
window~1.man Sat Dec 11 2004 3:49:38p A..HR 488 0.48 K
wuaucp~1.man Sat Dec 11 2004 3:49:34p A..HR 749 0.73 K
wnlogo~1.exe Wed Dec 8 2004 6:35:36a A.SHR 389,120 380.00 K

21 items found: 21 files, 0 directories.
Total of file sizes: 3,186,625 bytes 3.04 M

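As an added example (not part of this thread, and not the Find.bat tool's own code), the following Python parses the REGEDIT4 "Keys Under Notify" dump, decodes the hex(2) DllName values, and compares each Winlogon Notify package against a baseline built from the legitimate entries in the log above; the SMDEn package, which loads C:\WINDOWS\system32\en4sl1h71.dll, is the one it should single out. The sample dump is a constructed excerpt of that log.

```python
import re

# Constructed excerpt of the "Keys Under Notify" section of the Find.bat log above.
SAMPLE_NOTIFY_DUMP = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en4sl1h71.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
"""

NOTIFY_PREFIX = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" + "\\"
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"([^"]+)"=(.*)$')

# Package -> DLL for the Windows XP notification packages that appear untouched in the log above.
BASELINE = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll", "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll", "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll", "wlballoon": "wlnotify.dll",
}


def decode_reg_value(raw):
    """Decode one .reg right-hand side: a quoted string, dword:, or hex(2): (REG_EXPAND_SZ bytes)."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        # .reg files escape backslashes and quotes inside strings
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex"):
        data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b.strip())
        # REGEDIT4 exports store strings as ANSI bytes; "Version 5.00" exports use UTF-16LE
        if len(data) >= 2 and data[0] != 0 and data[1] == 0:
            text = data.decode("utf-16-le", errors="replace")
        else:
            text = data.decode("latin-1")
        return text.rstrip("\x00")
    return raw


def parse_notify(text):
    """Return {package name: {value name (lower-cased): decoded value}} for the Notify subkeys."""
    packages = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(1)
            if key.lower().startswith(NOTIFY_PREFIX.lower()):
                current = key[len(NOTIFY_PREFIX):]
                packages[current] = {}
            else:
                current = None          # the Notify root key itself, or an unrelated key
            continue
        m = VALUE.match(line)
        if m and current is not None:
            packages[current][m.group(1).lower()] = decode_reg_value(m.group(2))
    return packages


def audit_notify(text, baseline=BASELINE):
    """Return (package, DllName, reason) for every package that is not in the baseline or
    that loads a DLL other than the one the baseline expects. Winlogon loads these DLLs at
    logon, so an unknown package with a full path to a random-named DLL is the persistence
    mechanism this thread is cleaning up."""
    findings = []
    for package, values in parse_notify(text).items():
        dll = str(values.get("dllname", ""))
        expected = baseline.get(package.lower())
        if expected is None:
            reason = "package not in baseline"
        elif dll.lower() != expected:
            reason = f"expected {expected}"
        else:
            continue
        if "\\" in dll:
            reason += "; DllName is a full path rather than a system32 DLL name"
        findings.append((package, dll, reason))
    return findings


if __name__ == "__main__":
    for package, dll, reason in audit_notify(SAMPLE_NOTIFY_DUMP):
        print(f"{package}: {dll} ({reason})")
```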

#5 Daisuke, Cleaner on Duty

Posted 15 December 2004 - 05:29 AM

Hi

Download KillBox here: KillBox. Unzip it to your desktop.

Disconnect from the internet.

Start Killbox and click on Tools --> Select Delete Temp Files. Click OK.

Select the Delete on reboot option.

Copy and paste each of the following file(s) to the field labeled "Full path of file to delete"

C:\WINDOWS\System32\sZmlib.dll

C:\WINDOWS\System32\j22qlcf51f2.dll

C:\WINDOWS\System32\cmwmdm.dll

C:\WINDOWS\System32\en4sl1h71.dll

C:\WINDOWS\System32\nrrsnl.dll

C:\WINDOWS\System32\mwdrv.dll

C:\WINDOWS\System32\duuiext.dll

C:\WINDOWS\System32\aysmsext.dll

C:\WINDOWS\System32\moiole16.dll

C:\WINDOWS\System32\sgnscfg.dll

C:\WINDOWS\System32\asipdsxx.dll

C:\WINDOWS\System32\mvmdd.dll

C:\WINDOWS\System32\d3fs32.dll

C:\WINDOWS\System32\GUARD.TMP


After each file press the Delete button (the button that looks like a red circle with a white X in it).

A dialog box will ask if you want to delete and reboot now. On all but the last file, answer No.
For the last file (or the first, if there is only one file), answer Yes.

Run Find.bat and HijackThis again, and post the logs please.

#6 drunkrocker, Topic Starter

Posted 15 December 2004 - 08:57 PM

Thanks for your timely response, I really appreciate it. I ran killbox as you directed. The computer with this problem has not been connected to the internet since before my 1st post. I'll wait until the problem is solved unless you need me to get online.

The find.bat log is in the attachment.

Here's the HJT log: drunkrocker
Logfile of HijackThis v1.98.2
Scan saved at 5:45:58 PM, on 12/15/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sandiego.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

Attached Files



#7 Daisuke, Cleaner on Duty

Posted 16 December 2004 - 07:11 AM

Start Killbox.exe

Select the Delete on reboot option.

1. Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\System32\guard.tmp

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the YES button.

Please post a new find.bat log and a HijackThis log.

Right click in the message area and click on the paste option to paste the log into the post.

#8 drunkrocker, Topic Starter

Posted 16 December 2004 - 04:48 PM

I ran Killbox, deleted and rebooted.

Here's the HJT log:
Logfile of HijackThis v1.98.2
Scan saved at 1:41:36 PM, on 12/16/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sandiego.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

Here's the find.bat log:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 5C0B-7779

Directory of C:\WINDOWS\System32

12/11/2004 03:55 PM <DIR> dllcache
12/08/2004 06:35 AM 389,120 w?nlogon.exe
1 File(s) 389,120 bytes
1 Dir(s) 17,001,615,360 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 5C0B-7779

Directory of C:\WINDOWS\System32

12/11/2004 03:55 PM <DIR> dllcache
12/11/2004 03:49 PM 488 WindowsLogon.manifest
12/11/2004 03:49 PM 488 logonui.exe.manifest
12/11/2004 03:49 PM 749 wuaucpl.cpl.manifest
12/11/2004 03:49 PM 749 cdplayer.exe.manifest
12/11/2004 03:49 PM 749 ncpa.cpl.manifest
12/11/2004 03:49 PM 749 nwc.cpl.manifest
12/11/2004 03:49 PM 749 sapi.cpl.manifest
12/08/2004 06:35 AM 389,120 w?nlogon.exe
09/06/2004 08:32 AM 8,628 ConvertDoc.GID
05/09/2003 02:42 PM <DIR> GroupPolicy
9 File(s) 402,469 bytes
2 Dir(s) 17,001,611,264 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 5C0B-7779

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 5C0B-7779

Directory of C:\WINDOWS\System32

08/23/2001 04:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 17,001,611,264 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{B8F44CD1-6B2B-4B09-A233-E732267A6F52}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j22qlcf51f2.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Sat Dec 11 2004 3:49:34p A..HR 749 0.73 K
logonu~1.man Sat Dec 11 2004 3:49:38p A..HR 488 0.48 K
ncpacp~1.man Sat Dec 11 2004 3:49:34p A..HR 749 0.73 K
nwccpl~1.man Sat Dec 11 2004 3:49:34p A..HR 749 0.73 K
sapicp~1.man Sat Dec 11 2004 3:49:34p A..HR 749 0.73 K
window~1.man Sat Dec 11 2004 3:49:38p A..HR 488 0.48 K
wuaucp~1.man Sat Dec 11 2004 3:49:34p A..HR 749 0.73 K
wnlogo~1.exe Wed Dec 8 2004 6:35:36a A.SHR 389,120 380.00 K

8 items found: 8 files, 0 directories.
Total of file sizes: 393,841 bytes 384.61 K

Thanks again for your prompt responses!
drunkrocker

#9 Daisuke, Cleaner on Duty

Posted 17 December 2004 - 04:35 AM

Hi

1. Delete the bad w?nlogon.exe
You will find two files with the same name in the C:\WINDOWS\System32\ folder: winlogon.exe. One is bad and one is legitimate. You must delete the bad file. Right click on each file and select Properties. In the General tab the legitimate file has this Description: Windows NT Logon Application. Do not delete this file. Delete the bad file.

If you cannot see the two files:

Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as unhide.reg
Change the Save as Type to All Files
Save this file on the desktop.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"SearchSystemDirs"=dword:00000001
"SearchHidden"=dword:00000001
"IncludeSubFolders"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001


Double-click on the unhide.reg file you saved on your desktop, and when it prompts to merge say Yes.

REBOOT your machine.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

Look for the bad file and delete it.

2. The Recycle Bin is damaged. Let Windows repair it.

Start Killbox.exe

Select the Delete on reboot option.

1. Copy and paste the line below in the field labeled "Full path of file to delete"
c:\recycler

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the YES button.

Your computer will reboot. Check if the recycle bin is OK. Create an empty TXT file and delete it. Please report back.

3. Restore user agent string

Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{B8F44CD1-6B2B-4B09-A233-E732267A6F52}"=-


Double-click on the fix.reg file on your desktop, and when it prompts to merge say Yes, and this will repair some registry entries.

4. Restore Policy
Download VX2Finder from this link:
http://www.downloads.subratam.org/VX2Finder.exe
Run Vx2Finder and click on the Restore Policy button.

5. *.frame.crazywinnings.com

This registry script will move this site from the trusted zone to the restricted zone :thumbsup:

Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as move.reg
Change the Save as Type to All Files
Save this file on the desktop.

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
"*"=dword:00000004


Double-click on the move.reg file you saved on your desktop, and when it prompts to merge say Yes.

Reboot and post a new hijackthis log please.
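As an added example (not part of this thread), a Python check for the look-alike file in step 1. It assumes the second winlogon.exe differs from the genuine one only by a non-ASCII character, which is also why the Find.bat listing shows it as w?nlogon.exe: a cmd window prints '?' for characters outside its code page. It flags directory entries that fold to a protected system binary name without being that name; the sample directory listing and the small confusables table are constructed.

```python
import unicodedata

# System binaries whose names are worth protecting; winlogon.exe is the one impersonated here.
PROTECTED = {"winlogon.exe", "explorer.exe", "svchost.exe", "lsass.exe", "services.exe"}

# Assumption: a small hand-picked table of Cyrillic/Greek/Latin letters that render like
# ASCII letters. Not exhaustive; a real tool would use the Unicode confusables data.
CONFUSABLES = str.maketrans({
    "\u0456": "i", "\u0457": "i", "\u0131": "i", "\u0430": "a", "\u0435": "e",
    "\u043e": "o", "\u03bf": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
    "\u0455": "s", "\u0443": "y", "\u04bb": "h", "\u0501": "d",
})


def fold_confusables(name):
    """NFKC-normalise, map look-alike letters to ASCII, lower-case."""
    return unicodedata.normalize("NFKC", name).translate(CONFUSABLES).lower()


def lookalikes(names, protected=PROTECTED):
    """Return (name, folded name, [(index, char, code point)]) for entries that are NOT a
    protected binary but fold to one, i.e. the second 'winlogon.exe' from step 1."""
    findings = []
    for name in names:
        if name.lower() in protected:
            continue                      # the genuine file, left alone
        folded = fold_confusables(name)
        if folded in protected:
            odd = [(i, c, f"U+{ord(c):04X}") for i, c in enumerate(name) if ord(c) > 0x7F]
            findings.append((name, folded, odd))
    return findings


def console_rendering(name, codepage="cp437"):
    """What `dir` shows in a cmd window: characters outside the console code page become '?'."""
    return name.encode(codepage, errors="replace").decode(codepage)


# Constructed directory listing: the genuine binary, a look-alike with Cyrillic і (U+0456),
# and two unrelated file names taken from the log above.
SAMPLE_DIR = ["winlogon.exe", "w\u0456nlogon.exe", "ConvertDoc.GID", "d3fs32.dll"]

if __name__ == "__main__":
    for name, folded, odd in lookalikes(SAMPLE_DIR):
        print(f"{console_rendering(name)} -> looks like {folded}; non-ASCII at {odd}")
```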

#10 drunkrocker, Topic Starter

Posted 17 December 2004 - 07:43 PM

I followed your directions; all went fine except for the recycle bin. I ran killbox a few times. The first time after reboot, two items appeared in the recycle bin that had not been there before, and I deleted them. After the second and all other reboots the recycle bin shows nothing in it, even after deleting something. Here's the latest HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 4:35:16 PM, on 12/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sandiego.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

looking much better!
DR

#11 Daisuke, Cleaner on Duty

Posted 17 December 2004 - 08:06 PM

I ran killbox a few times.

I'm not sure that was a good idea ....

! This is very important !: Update your Windows. Doing this will make your computer more secure. Please visit Windows Update (follow this link: http://www.windowsupdate.com) to update Windows. Follow the instructions on the screen. You may have to visit Windows Update more than once to install all updates.
Not updating Windows will leave your computer vulnerable to malware and attacks.

Also update AVG6 to AVG7; AVG6 support will end at the end of this year.

After the installation of the last update make sure you REBOOT the computer, run HijackThis again and post a new log please.

Edited by cryo, 17 December 2004 - 08:07 PM.


#12 Daisuke, Cleaner on Duty

Posted 29 December 2004 - 03:51 AM

Due to the lack of feedback this topic is closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.




