HJT Log - Confusedinga


14 replies to this topic

#1 confusedinga
  • Members
  • 10 posts

Posted 12 December 2004 - 11:37 AM

Things are going from bad to worse with my system. In addition to the pop-up ads and the new search toolbar, my system is shutting down at random moments, the recycle bin is non-functional, and Spybot S&D is giving me constant messages regarding deleted values and values added.

Any help with this would be greatly appreciated! Thank you! (If no one has the time for a full repair, any recommendations on what I can do right now would be great!)

Logfile of HijackThis v1.98.2
Scan saved at 11:31:43 AM, on 12/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\SED\SED.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\WINDOWS\system32\wkroqa.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sph.emory.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.se1.attbb.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
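The log above is the kind of input a helper reads by eye: hosts-file entries pointing search domains at an outside address, two unknown Winsock LSP DLLs, search settings redirected, and one DLL registered as URLSearchHook, BHO, toolbar and protocol handler at once. As an added example, not code from the thread or from HijackThis, the following Python script parses the section-prefixed lines and flags exactly those patterns. The sample lines are excerpted from the first log; the loopback test and the HOOK_SECTIONS list are this example's own assumptions.

```python
"""Triage a HijackThis 1.98 log: parse the section-prefixed lines and flag
what an analyst reads first.  Added example, not part of the thread; the
sample lines are excerpted from the first log above and the heuristics
(loopback test, hook-section list) are this example's own assumptions."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: a subset of the poster's first HijackThis log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:8000
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"]+")
# Sections that load a module into Internet Explorer (assumption: this list).
HOOK_SECTIONS = {"R0", "R1", "R3", "O2", "O3", "O9", "O18"}


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    detail: str


def parse(text: str) -> List[Tuple[str, str]]:
    """Split the log into (section, body) pairs; non-entry lines are dropped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def module_of(body: str) -> Optional[str]:
    """Lower-cased basename of the first Windows path on the line, if any.
    A res:// value such as res://C:\\X\\toolbar.dll/sa yields 'toolbar.dll'."""
    m = PATH_RE.search(body)
    if not m:
        return None
    return m.group(0).split("\\")[-1].split("/")[0].lower()


def hook_points(entries) -> Dict[str, Set[str]]:
    """Which IE hook sections each module is registered in."""
    points: Dict[str, Set[str]] = defaultdict(set)
    for sec, body in entries:
        mod = module_of(body)
        if mod and sec in HOOK_SECTIONS:
            points[mod].add(sec)
    return points


def triage(text: str) -> List[Finding]:
    entries = parse(text)
    findings: List[Finding] = []
    by_clsid: Dict[str, Set[str]] = defaultdict(set)
    for sec, body in entries:
        if sec == "O1":
            h = HOSTS_RE.match(body)
            if h:
                try:
                    benign = ipaddress.ip_address(h.group("ip")).is_loopback
                except ValueError:  # not an IP literal at all
                    benign = False
                if not benign:
                    findings.append(Finding(sec, "hosts-file redirect",
                                            f"{h.group('host')} -> {h.group('ip')}"))
        elif sec == "O10":
            findings.append(Finding(sec, "unknown Winsock LSP", body.split(": ", 1)[-1]))
        elif sec in ("R0", "R1") and "ProxyServer" in body:
            findings.append(Finding(sec, "proxy configured", body.split("= ", 1)[-1]))
        elif sec in ("R0", "R1") and "Search" in body.split("=", 1)[0]:
            findings.append(Finding(sec, "search setting changed", body.split("= ", 1)[-1]))
        for clsid in CLSID_RE.findall(body):
            by_clsid[clsid.upper()].add(sec)
    # The same CLSID or the same DLL wired into several hook points is the
    # signature of a toolbar/BHO hijacker rather than of a normal add-on.
    for clsid, secs in sorted(by_clsid.items()):
        if len(secs) > 1:
            findings.append(Finding("*", "CLSID in several hook points",
                                    f"{clsid}: {','.join(sorted(secs))}"))
    for mod, secs in sorted(hook_points(entries).items()):
        if len(secs) > 1:
            findings.append(Finding("*", "module in several hook points",
                                    f"{mod}: {','.join(sorted(secs))}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>3}  {f.reason:<30} {f.detail}")
```

Run against the excerpt it reports two hosts-file redirects to 69.20.16.183, both LSP DLLs, the proxy, the two search keys, the CLSID shared by the R3 and O2 entries, and toolbar.dll registered in five hook points; the Google toolbar, registered once, is not reported.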


#2 Papakid
    Guru at being a Newbie
  • Malware Response Team
  • 6,662 posts

Posted 12 December 2004 - 03:35 PM

Hi confusedinga,
Sorry you've had to wait. You've got some nasty stuff on there and I don't blame you for being anxious. I'll help you but I'm going to have to ask that you wait a few more hours before I can get an answer out to you. In the meantime I would like for you to do this:

Run Norton's Live Update and then reboot your computer into Safe Mode. Run a full system scan with Norton and let me know if anything was found. I'll be back in a bit.

Closing the earlier thread you started here:
http://www.bleepingcomputer.com/forums/ind...wtopic=6153&hl=

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan


#3 confusedinga
  • Topic Starter
  • Members
  • 10 posts

Posted 12 December 2004 - 05:49 PM

Thank you SO much! I was starting to give up hope.

Rebooted in safe mode and ran the scan - no viruses were found (not sure if that's good or bad, considering the situation).

Thanks again and let me know if there is anything else I should be doing.

#4 Papakid
    Guru at being a Newbie
  • Malware Response Team
  • 6,662 posts

Posted 12 December 2004 - 07:37 PM

Hi,
You've got a new version of a nasty that is very difficult to remove and the experts are still working on an automatic removal tool. We should be able to fix it but some variants might take a while. You've also got Wintools that is pretty bad in itself so let's clean that up first.

Since you've rebooted since your last log, submit a fresh HijackThis log. Then give me a few minutes to set up the WinTools fix.



#5 confusedinga
  • Topic Starter
  • Members
  • 10 posts

Posted 12 December 2004 - 07:42 PM

Oh no! I don't want any nasties on my computer. I'm willing to do whatever!

Here's the new log:

Logfile of HijackThis v1.98.2
Scan saved at 7:40:20 PM, on 12/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\SED\SED.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hntpfg.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sph.emory.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.se1.attbb.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

#6 Papakid
    Guru at being a Newbie
  • Malware Response Team
  • 6,662 posts

Posted 12 December 2004 - 10:10 PM

I'm willing to do whatever!

That's good. You have a bit of work ahead of you. Maybe a lot.

Please print out these instructions before you start working on them.

Now please Download LSPFix from:
http://www.bleepingcomputer.com/files/lspfix.php

Please refer to the tutorial here:
Using LSP-Fix to remove Spyware & Hijackers

Disconnect from the Internet and close all Internet Explorer Windows. Run the program and check the "I know what I'm doing". Place all instances of the following fields in bold into the remove section on the right by clicking on the button that points to the right. When all instances of these dll's are in the Remove section press the Finish button.

aklsp.dll
calsp.dll

Reboot your computer into Safe Mode.

Once in Safe Mode:
Click on the Start Button, Control Panel. Double-click on Administrative Tools then on Services.

Look for a service called Wintools for IE Service. Double-click it to open, then click the Stop button and change the "Startup type" to Disabled.

Then go into your Control Panel again and open Add/Remove programs. Uninstall any of the following you can find:
  • MSIETS
  • Internet 404
  • Tools for Internet Explorer
  • Search Toolbar
  • Win-Tools Easy Installer

Press control-alt-delete and end the following processes by clicking once on them and then clicking the End Process button:

WToolsA.exe
WToolsS.exe
WSup.exe

Open a command prompt by clicking on Start, then Run, and type in cmd.exe.
Type regsvr32 /u /s "C:\Program Files\Toolbar\toolbar.dll" and press the enter key on your keyboard. Note the spaces and the quotes around the path. Type exit to close the command prompt.

Now, using My Computer/Windows Explorer delete the following directories:

C:\Program Files\Common Files\WinTools\
C:\Program Files\Toolbar\

Scan again with HijackThis and put a checkmark next to the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

Make sure all other windows are closed and click the Fix Checked button.

Reboot back into normal mode and download the following tools:

FindIt:
http://www.thatcomputerguy.us/downloads/finditnt2000xp.zip

DLLCompare:
http://downloads.subratam.org/DllCompare.exe

Unzip FindIt, then double-click to run it.
It should run for a few seconds, then open a text document.
Please copy and paste the contents of that document here.
Once that's done, close the text file and then press a key and the batch file will clean up after itself and end.

Start Dll Compare, then click on "Run Locate.com". When it tells you that's finished, click on "Compare" at the bottom right. When that finishes, click "Make a Log of What was Found" and answer "Yes" to View Log file. Copy and paste the contents of that log here.

Scan again with HijackThis and post that log here as well and we'll get started on the new bad guy. Try not to reboot after running the tools that make the three logs. If for some reason you have to reboot, let me know and run them again and submit the updated logs.



#7 confusedinga
  • Topic Starter
  • Members
  • 10 posts

Posted 12 December 2004 - 10:51 PM

Yeah - this is so great! Thank you, thank you, Papakid!

None of these were present:

MSIETS
Internet 404
Tools for Internet Explorer
Search Toolbar
Win-Tools Easy Installer


And neither of the directories was in Program Files.

Here's the FinditNT log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 08B2-1DB5

Directory of C:\WINDOWS\System32

12/12/2004 10:37 PM 225,234 wvaueng.dll
12/12/2004 10:36 PM 225,852 q4nule591h.dll
12/12/2004 10:21 PM 225,234 j0n20a5oed.dll
12/12/2004 05:46 PM 225,234 mrbsync.dll
12/12/2004 11:25 AM 225,234 mzctfp.dll
12/12/2004 11:17 AM 225,483 lv4209hoe.dll
12/11/2004 01:06 PM 225,234 LVTIF11N.DLL
12/09/2004 10:34 PM 226,097 UZAT.DLL
12/08/2004 06:24 PM 225,234 dtvoice.dll
12/05/2004 06:42 PM 225,234 p6p6lg7s16.dll
12/05/2004 06:09 PM 225,234 dfnlobby.dll
12/05/2004 03:41 PM <DIR> DLLCACHE
12/05/2004 03:13 PM 224,612 m682lglo16qc.dll
12/03/2003 10:33 PM 2,560 Thumbs.db
01/04/2003 08:09 AM <DIR> Microsoft
13 File(s) 2,706,476 bytes
2 Dir(s) 29,056,466,944 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 08B2-1DB5

Directory of C:\WINDOWS\System32

12/05/2004 03:41 PM <DIR> DLLCACHE
12/03/2003 10:33 PM 2,560 Thumbs.db
09/03/2002 09:57 AM 488 logonui.exe.manifest
09/03/2002 09:57 AM 488 WindowsLogon.manifest
09/03/2002 09:57 AM 749 sapi.cpl.manifest
09/03/2002 09:57 AM 749 nwc.cpl.manifest
09/03/2002 09:57 AM 749 ncpa.cpl.manifest
09/03/2002 09:57 AM 749 cdplayer.exe.manifest
09/03/2002 09:57 AM 749 wuaucpl.cpl.manifest
8 File(s) 7,281 bytes
1 Dir(s) 29,056,466,944 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 08B2-1DB5

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 08B2-1DB5

Directory of C:\WINDOWS\System32

08/29/2002 06:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 29,056,466,944 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{2187C55F-746B-44A5-BC3C-32EEEE439F03}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j0n20a5oed.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------

C:\WINDOWS\System32\J0N20A~1.DLL +++ File read error

-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
dfnlobby.dll Sun Dec 5 2004 6:09:44p ..S.R 225,234 219.95 K
dtvoice.dll Wed Dec 8 2004 6:24:44p ..S.R 225,234 219.95 K
j0n20a~1.dll Sun Dec 12 2004 10:21:14p ..S.R 225,234 219.95 K
lv4209~1.dll Sun Dec 12 2004 11:17:50a ..S.R 225,483 220.20 K
lvtif11n.dll Sat Dec 11 2004 1:07:00p ..S.R 225,234 219.95 K
m682lg~1.dll Sun Dec 5 2004 3:13:36p ..S.R 224,612 219.35 K
mrbsync.dll Sun Dec 12 2004 5:46:14p ..S.R 225,234 219.95 K
mzctfp.dll Sun Dec 12 2004 11:25:34a ..S.R 225,234 219.95 K
p6p6lg~1.dll Sun Dec 5 2004 6:42:44p ..S.R 225,234 219.95 K
q4nule~1.dll Sun Dec 12 2004 10:36:54p ..S.R 225,852 220.56 K
uzat.dll Thu Dec 9 2004 10:34:54p ..S.R 226,097 220.80 K
wvaueng.dll Sun Dec 12 2004 10:37:44p ..S.R 225,234 219.95 K

12 items found: 12 files, 0 directories.
Total of file sizes: 2,703,916 bytes 2.58 M


From DLLCompare:
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\dfnlobby.dll Sun Dec 5 2004 6:09:44p ..S.R 225,234 219.95 K
C:\WINDOWS\SYSTEM32\dtvoice.dll Wed Dec 8 2004 6:24:44p ..S.R 225,234 219.95 K
C:\WINDOWS\SYSTEM32\j0n20a~1.dll Sun Dec 12 2004 10:21:14p ..S.R 225,234 219.95 K
C:\WINDOWS\SYSTEM32\lv4209~1.dll Sun Dec 12 2004 11:17:50a ..S.R 225,483 220.20 K
C:\WINDOWS\SYSTEM32\lvtif11n.dll Sat Dec 11 2004 1:07:00p ..S.R 225,234 219.95 K
C:\WINDOWS\SYSTEM32\m682lg~1.dll Sun Dec 5 2004 3:13:36p ..S.R 224,612 219.35 K
C:\WINDOWS\SYSTEM32\mrbsync.dll Sun Dec 12 2004 5:46:14p ..S.R 225,234 219.95 K
C:\WINDOWS\SYSTEM32\mzctfp.dll Sun Dec 12 2004 11:25:34a ..S.R 225,234 219.95 K
C:\WINDOWS\SYSTEM32\p6p6lg~1.dll Sun Dec 5 2004 6:42:44p ..S.R 225,234 219.95 K
C:\WINDOWS\SYSTEM32\q4nule~1.dll Sun Dec 12 2004 10:36:54p ..S.R 225,852 220.56 K
C:\WINDOWS\SYSTEM32\uzat.dll Thu Dec 9 2004 10:34:54p ..S.R 226,097 220.80 K
C:\WINDOWS\SYSTEM32\wvaueng.dll Sun Dec 12 2004 10:37:44p ..S.R 225,234 219.95 K
________________________________________________

1,300 items found: 1,300 files (12 H/S), 0 directories.
Total of file sizes: 266,195,735 bytes 253.86 M

Administrator Account = True

--------------------End log---------------------

And finally, the HJT Log:

Logfile of HijackThis v1.98.2
Scan saved at 10:46:45 PM, on 12/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wkroqa.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\SED\SED.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sph.emory.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.se1.attbb.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab


Thanks again - let me know the next step in the process.

#8 Papakid (Malware Response Team, 6,662 posts)

Posted 13 December 2004 - 02:03 AM

OK, let's take a shot at this. You should know there's no standard fix for every case yet.

I want you to do some downloading. Save these files to your desktop:

KILLBOX and VX2.BetterInternet Finder XP/2k from this page:
http://www.subratam.org/?page=removal

System Security Suite
http://www.igorshpak.net/

Boot into safe mode.

Open KillBox and select the delete on reboot option. Copy and paste the following files (you might want to copy them to Wordpad so you'll have them in safe mode) into the Full Path of File to Delete field. Then click the delete button--the white X in the red circle. After each file is marked for deletion you will be asked if you want to reboot now. Say no.

C:\WINDOWS\SYSTEM32\dfnlobby.dll
C:\WINDOWS\SYSTEM32\dtvoice.dll
C:\WINDOWS\SYSTEM32\j0n20a~1.dll
C:\WINDOWS\SYSTEM32\lv4209~1.dll
C:\WINDOWS\SYSTEM32\lvtif11n.dll
C:\WINDOWS\SYSTEM32\m682lg~1.dll
C:\WINDOWS\SYSTEM32\mrbsync.dll
C:\WINDOWS\SYSTEM32\mzctfp.dll
C:\WINDOWS\SYSTEM32\p6p6lg~1.dll
C:\WINDOWS\SYSTEM32\q4nule~1.dll
C:\WINDOWS\SYSTEM32\uzat.dll
C:\WINDOWS\SYSTEM32\wvaueng.dll
C:\WINDOWS\SYSTEM32\guard.tmp

Exit KillBox.

Please copy the text in the box below into Notepad. Name it Fix.reg and save as all files.

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{2187C55F-746B-44A5-BC3C-32EEEE439F03}"=-

Now double click on Fix.reg and allow it to be merged into the registry.

Open VX2 Finder. Click on the Click to Find VX2... button.
Then click "User Agent$"
Then "Restore Desktop"

Let me know if either of these buttons is grayed out.

Now click Start, Run and type cmd. Press OK.
Type the following and then press Enter after typing each one:

attrib -h -s c:\recycler

del c:\recycler

Scan again with HijackThis and fix the following entries.

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

Reboot back into normal mode.

Test the Recycle Bin. Save a blank Notepad document and delete it. Are you asked for confirmation that you want to move it to the bin? Report back the results.

Now find System Security Suite (3S) that you downloaded. Install it, then open.
Click the Clear Selected Items button. You will be asked if you want to reboot now. Say yes.

Post three new logs like you did before for FindIt, dllcompare and HijackThis. Also let me know if you see any improvement.

Good luck. :thumbsup: And thanks for the feedback so far. You've been real good at volunteering important information.

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan


#9 confusedinga (Topic Starter, Members, 10 posts)

Posted 13 December 2004 - 04:44 AM

Well important feedback would be pointless without having someone to give it to. You're a lifesaver. Let me know what else needs to be done.

The recycle bin seems to be working - I didn't get a confirmation, but I checked and had it set up not to ask for one (should that have gone back to a default mode or something?)

I ran S3, but the "clear selected items" button was greyed out. I'm assuming an item would need to be selected :thumbsup:. Didn't know which one to choose so I went with none of them. Let me know if I need to repeat that step.

Still getting a ton of pop-ups, though. Grr...

The logs:


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 08B2-1DB5

Directory of C:\WINDOWS\System32

12/13/2004 04:29 AM 222,765 mividctl.dll
12/13/2004 04:29 AM 224,280 irjql5151.dll
12/13/2004 04:26 AM 222,765 irjml5111.dll
12/13/2004 04:23 AM 225,718 SNDLL.DLL
12/13/2004 04:10 AM 226,073 hrno0553e.dll
12/13/2004 04:08 AM 225,234 KNDEST.DLL
12/05/2004 03:41 PM <DIR> DLLCACHE
12/03/2003 10:33 PM 2,560 Thumbs.db
01/04/2003 08:09 AM <DIR> Microsoft
7 File(s) 1,349,395 bytes
2 Dir(s) 29,471,645,696 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 08B2-1DB5

Directory of C:\WINDOWS\System32

12/05/2004 03:41 PM <DIR> DLLCACHE
12/03/2003 10:33 PM 2,560 Thumbs.db
09/03/2002 09:57 AM 488 logonui.exe.manifest
09/03/2002 09:57 AM 488 WindowsLogon.manifest
09/03/2002 09:57 AM 749 sapi.cpl.manifest
09/03/2002 09:57 AM 749 nwc.cpl.manifest
09/03/2002 09:57 AM 749 ncpa.cpl.manifest
09/03/2002 09:57 AM 749 cdplayer.exe.manifest
09/03/2002 09:57 AM 749 wuaucpl.cpl.manifest
8 File(s) 7,281 bytes
1 Dir(s) 29,471,645,696 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 08B2-1DB5

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 08B2-1DB5

Directory of C:\WINDOWS\System32

08/29/2002 06:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 29,471,645,696 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{2187C55F-746B-44A5-BC3C-32EEEE439F03}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\irjml5111.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


---------------- Xfind Results -----------------

C:\WINDOWS\System32\IRJML5~1.DLL +++ File read error

-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
hrno05~1.dll Mon Dec 13 2004 4:10:22a ..S.R 226,073 220.77 K
irjml5~1.dll Mon Dec 13 2004 4:26:42a ..S.R 222,765 217.54 K
irjql5~1.dll Mon Dec 13 2004 4:29:14a ..S.R 224,280 219.02 K
kndest.dll Mon Dec 13 2004 4:08:02a ..S.R 225,234 219.95 K
mividctl.dll Mon Dec 13 2004 4:29:14a ..S.R 222,765 217.54 K
sndll.dll Mon Dec 13 2004 4:23:58a ..S.R 225,718 220.43 K

6 items found: 6 files, 0 directories.
Total of file sizes: 1,346,835 bytes 1.28 M



* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\hrno05~1.dll Mon Dec 13 2004 4:10:22a ..S.R 226,073 220.77 K
C:\WINDOWS\SYSTEM32\irjml5~1.dll Mon Dec 13 2004 4:26:42a ..S.R 222,765 217.54 K
C:\WINDOWS\SYSTEM32\irjql5~1.dll Mon Dec 13 2004 4:29:14a ..S.R 224,280 219.02 K
C:\WINDOWS\SYSTEM32\kndest.dll Mon Dec 13 2004 4:08:02a ..S.R 225,234 219.95 K
C:\WINDOWS\SYSTEM32\mividctl.dll Mon Dec 13 2004 4:29:14a ..S.R 222,765 217.54 K
C:\WINDOWS\SYSTEM32\sndll.dll Mon Dec 13 2004 4:23:58a ..S.R 225,718 220.43 K
________________________________________________

1,294 items found: 1,294 files (6 H/S), 0 directories.
Total of file sizes: 264,838,654 bytes 252.57 M

Administrator Account = True

--------------------End log---------------------


Logfile of HijackThis v1.98.2
Scan saved at 4:37:23 AM, on 12/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\SED\SED.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\wkroqa.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sph.emory.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.se1.attbb.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
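
Added example, not code from the thread or from the FindIt, DLLCompare or VX2Finder authors: a Python triage that scans pasted log text for the three indicators Papakid's fix targets (System+Read-only DLLs of about 220 KB in SYSTEM32, a Winlogon\Notify subkey loading a non-Windows DLL, and the redirected hosts entries), so the fresh logs requested after each reboot can be checked the same way. The Notify allowlist, the size band and the sample lines are assumptions, modeled on stock XP and on the listings posted above.

```python
"""Triage of the Look2Me/VX2 indicators posted in this thread (added example,
not a tool from the thread or from the FindIt/VX2Finder authors). It scans
pasted log text for the three things the fix above targets: SYSTEM32 DLLs with
System+Read-only attributes in the ~220 KB band, Winlogon\\Notify subkeys that
load a non-Windows DLL, and hosts-file redirects.
"""
import re

# Stock Windows XP Winlogon\Notify DLLs. Assumption: illustrative allowlist;
# in practice compare against a baseline taken from a known-clean machine.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}
# Every dropped DLL listed in this thread is between 222,765 and 226,097 bytes.
SIZE_LOW, SIZE_HIGH = 220_000, 230_000

# Locate.com/DLLCompare line: [path]name weekday month day year time attrs bytes size
LISTING_RE = re.compile(
    r"^(?:C:\\WINDOWS\\SYSTEM32\\)?(?P<name>[^\s\\]+\.dll)\s+\w{3} \w{3} \d+ \d{4} "
    r"\S+ (?P<attrs>[A-Z.]{5}) (?P<bytes>[\d,]+) ", re.IGNORECASE)
# REGEDIT4 dump: a Notify subkey header followed by its DllName value
NOTIFY_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Winlogon\\Notify\\(?P<subkey>[^\]]+)\]$", re.IGNORECASE)
DLLNAME_RE = re.compile(r'^"DllName"="(?P<path>[^"]*)"$')
# HijackThis O1 line: O1 - Hosts: <ip> <hostname>
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>\S+)$")


def suspicious_dlls(lines):
    """DLLs with S and R attributes in the VX2 size band, de-duplicated by name."""
    hits = {}
    for line in lines:
        m = LISTING_RE.match(line.strip())
        if not m:
            continue
        size = int(m["bytes"].replace(",", ""))
        attrs = m["attrs"].upper()
        if "S" in attrs and "R" in attrs and SIZE_LOW <= size <= SIZE_HIGH:
            hits[m["name"].lower()] = size
    return sorted(hits.items())


def rogue_notify_entries(lines):
    """Notify subkeys whose DllName is not a stock logon-notification DLL."""
    rogue, subkey = [], None
    for line in lines:
        line = line.strip()
        key = NOTIFY_KEY_RE.match(line)
        if key:
            subkey = key["subkey"]
        elif line.startswith("["):
            subkey = None  # any other key header ends the subkey block
        else:
            val = DLLNAME_RE.match(line)
            if val and subkey:
                path = val["path"].replace("\\\\", "\\")  # .reg doubles backslashes
                if path.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
                    rogue.append((subkey, path))
    return rogue


def redirected_hosts(lines):
    """O1 entries that send a name anywhere other than loopback or a null route."""
    hits = []
    for line in lines:
        m = HOSTS_RE.match(line.strip())
        if m and m["ip"] not in ("127.0.0.1", "0.0.0.0"):
            hits.append((m["host"], m["ip"]))
    return hits


def triage(log_text):
    lines = log_text.splitlines()
    return {"dlls": suspicious_dlls(lines),
            "notify": rogue_notify_entries(lines),
            "hosts": redirected_hosts(lines)}


# Constructed sample: lines modeled on the Locate.com, DLLCompare, Notify and
# HijackThis output posted above, plus one benign listing line as a control.
SAMPLE_LOG = r"""
kndest.dll Mon Dec 13 2004 4:08:02a ..S.R 225,234 219.95 K
irjml5~1.dll Mon Dec 13 2004 4:26:42a ..S.R 222,765 217.54 K
comctl32.dll Wed Aug 4 2004 1:56:00a A.... 617,472 603.00 K
C:\WINDOWS\SYSTEM32\kndest.dll Mon Dec 13 2004 4:08:02a ..S.R 225,234 219.95 K
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"DllName"=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"DllName"="C:\\WINDOWS\\system32\\irjml5111.dll"
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
"""

if __name__ == "__main__":
    for kind, found in triage(SAMPLE_LOG).items():
        print(kind, found)
```

Because the dropped DLLs are renamed on every reboot (compare the names in the two listings above), the name list matters less than the attribute and size pattern, which is why the check keys on those.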

#10 Papakid (Malware Response Team, 6,662 posts)

Posted 13 December 2004 - 10:46 PM

Hi inga,
Thanks for your kind words and sorry it's taken so long for me to get back to you. There is a lot of information to look for and use and the author of VX2Finder is still working on a definitive fix, hopefully with an automated tool.

Since it's been several hours since you posted these logs I want to see some fresh ones and ask some questions.

About System Security Suite (3S), are you sure you didn't confuse it with something else? It usually has all items except User Defined Folders checked by default when you install it and I've never seen the Clear...Items grayed out before. Open it and make sure you're on the Items to Clear tab and put checkmarks by Temporary Files in the left section and Temporary Files and Recycle Bin in the right hand section. If the Clear button is still grayed out let me know. Then go and set the Recycle Bin back to where it asks for confirmation before you move files there. If the Clear button had still been grayed out after checking items, reopen 3S and see if the default Recycle Bin made any difference. And with the Recycle Bin set back to default, test it to see if it's working properly.

Then I want you to open AdAware. If you are not running AdAware SE Personal 1.05, download and update it.
http://www.lavasoftusa.com/

Once installed please go to the settings (gear at top) button. Click the Scanning button and click to make sure you have a green checked circle by Scan Within Archives and all items under Memory and Registry.

Now click the Advanced button to the left and put a green check next to all items under Logfile Detail Level except Negligible Objects.

Now click the Tweak button on the left. Click the plus sign next to Log Files to expand it and put green checkmarks next to everything that's not grayed out.

Now scan with AdAware. Save the log and post it here.

Also post a new FindIt and DLLCompare log.

Could you also tell me what the popups that you're getting have in common that you can see? Like the name Look2Me or the name of a search service, etc.

Thanks for your patience.




:thumbsup:



#11 confusedinga (Topic Starter, Members, 10 posts)

Posted 13 December 2004 - 11:59 PM

Not a problem at all - we're all busy. 3S is a big red 3S icon, right? That's what I've been running. I opened it up again, and the items still weren't checked, so I checked them manually. The computer had to restart, which was something that it didn't need to do last night. The recycle bin seems to be working fine now.

I also had to reboot my computer in the morning - since the nasties found their way on here, if I leave the computer on for more than a few hours, even if I turn off my internet connection, IE doesn't seem to work. It shows a brief file name down on the status bar, but it's only there for about a tenth of a second - I haven't been able to catch the whole thing yet. It then goes to the typical page you get when it can't find the site you're looking for.

The pop-ups seem to be mostly for security software of some sort, and there are some from ad-w-ar-e.com, but the browser stops those from being displayed. The other pop-ups are for spotresults and inquire.

I am running AdAware SE Personal 1.05. Followed all the directions, and here are the logs (this'll be a long one, so no rush):


Ad-Aware SE Build 1.05
Logfile Created on:Monday, December 13, 2004 11:38:25 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R21 03.12.2004
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):30 total references
Redirected hostfile entry(TAC index:4):5 total references
VX2(TAC index:10):17 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R21 03.12.2004
Internal build : 26
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 407954 Bytes
Total size : 1292266 Bytes
Signature data size : 1262795 Bytes
Reference data size : 28959 Bytes
Signatures total : 35914
Fingerprints total : 577
Fingerprints size : 21902 Bytes
Target categories : 15
Target families : 625


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:53 %
Total physical memory:522736 kb
Available physical memory:275016 kb
Total page file size:1277848 kb
Available on page file:1054712 kb
Total virtual memory:2097024 kb
Available virtual memory:2048192 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Create log file for removal operations
Set : Include module list in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


12-13-2004 11:38:25 PM - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 396
ThreadCreationTime : 12-14-2004 4:36:20 AM
BasePriority : Normal

Scanning Module:\SystemRoot\System32\smss.exe...
Scanning Module:C:\WINDOWS\system32\ntdll.dll...

#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 640
ThreadCreationTime : 12-14-2004 4:36:22 AM
BasePriority : High

Scanning Module:\??\C:\WINDOWS\system32\winlogon.exe...
Scanning Module:C:\WINDOWS\system32\kernel32.dll...
Scanning Module:C:\WINDOWS\system32\ADVAPI32.dll...
Scanning Module:C:\WINDOWS\system32\RPCRT4.dll...
Scanning Module:C:\WINDOWS\system32\AUTHZ.dll...
Scanning Module:C:\WINDOWS\system32\msvcrt.dll...
Scanning Module:C:\WINDOWS\system32\CRYPT32.dll...
Scanning Module:C:\WINDOWS\system32\USER32.dll...
Scanning Module:C:\WINDOWS\system32\GDI32.dll...
Scanning Module:C:\WINDOWS\system32\MSASN1.dll...
Scanning Module:C:\WINDOWS\system32\NDdeApi.dll...
Scanning Module:C:\WINDOWS\system32\PROFMAP.dll...
Scanning Module:C:\WINDOWS\system32\NETAPI32.dll...
Scanning Module:C:\WINDOWS\system32\USERENV.dll...
Scanning Module:C:\WINDOWS\system32\PSAPI.DLL...
Scanning Module:C:\WINDOWS\system32\REGAPI.dll...
Scanning Module:C:\WINDOWS\system32\Secur32.dll...
Scanning Module:C:\WINDOWS\system32\SETUPAPI.dll...
Scanning Module:C:\WINDOWS\system32\VERSION.dll...
Scanning Module:C:\WINDOWS\system32\WINSTA.dll...
Scanning Module:C:\WINDOWS\system32\WINTRUST.dll...
Scanning Module:C:\WINDOWS\system32\IMAGEHLP.dll...
Scanning Module:C:\WINDOWS\system32\WS2_32.dll...
Scanning Module:C:\WINDOWS\system32\WS2HELP.dll...
Scanning Module:C:\WINDOWS\system32\MSGINA.dll...
Scanning Module:C:\WINDOWS\system32\SHELL32.dll...
Scanning Module:C:\WINDOWS\system32\SHLWAPI.dll...
Scanning Module:C:\WINDOWS\system32\COMCTL32.dll...
Scanning Module:C:\WINDOWS\system32\ODBC32.dll...
Scanning Module:C:\WINDOWS\system32\comdlg32.dll...
Scanning Module:C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll...
Scanning Module:C:\WINDOWS\system32\odbcint.dll...
Scanning Module:C:\WINDOWS\system32\SHSVCS.dll...
Scanning Module:C:\WINDOWS\system32\sfc.dll...
Scanning Module:C:\WINDOWS\system32\sfc_os.dll...
Scanning Module:C:\WINDOWS\system32\ole32.dll...
Scanning Module:C:\WINDOWS\system32\Apphelp.dll...
Scanning Module:C:\WINDOWS\system32\WINSCARD.DLL...
Scanning Module:C:\WINDOWS\system32\WTSAPI32.dll...
Scanning Module:C:\WINDOWS\system32\sxs.dll...
Scanning Module:C:\WINDOWS\system32\uxtheme.dll...
Scanning Module:C:\WINDOWS\system32\WINMM.dll...
Scanning Module:C:\WINDOWS\system32\rsaenh.dll...
Scanning Module:C:\WINDOWS\system32\SAMLIB.dll...
Scanning Module:C:\WINDOWS\system32\ktnol7531.dll...
Scanning Module:C:\WINDOWS\system32\OLEAUT32.dll...
Scanning Module:C:\WINDOWS\system32\oledlg.dll...
Scanning Module:C:\WINDOWS\system32\urlmon.dll...
Scanning Module:C:\WINDOWS\system32\WININET.dll...
Scanning Module:C:\WINDOWS\system32\WINSPOOL.DRV...
Scanning Module:C:\WINDOWS\system32\RASAPI32.DLL...
Scanning Module:C:\WINDOWS\system32\rasman.dll...
Scanning Module:C:\WINDOWS\system32\TAPI32.dll...
Scanning Module:C:\WINDOWS\system32\rtutils.dll...
Scanning Module:C:\WINDOWS\system32\xpsp2res.dll...
Scanning Module:C:\WINDOWS\system32\MPR.dll...
Scanning Module:C:\WINDOWS\system32\NTMARTA.DLL...
Scanning Module:C:\WINDOWS\system32\WLDAP32.dll...
Scanning Module:C:\WINDOWS\system32\wdmaud.drv...
Scanning Module:C:\WINDOWS\system32\msacm32.drv...
Scanning Module:C:\WINDOWS\system32\MSACM32.dll...
Scanning Module:C:\WINDOWS\system32\midimap.dll...
Scanning Module:C:\WINDOWS\system32\msv1_0.dll...
Scanning Module:C:\WINDOWS\system32\iphlpapi.dll...
Scanning Module:C:\WINDOWS\system32\sensapi.dll...
Scanning Module:C:\WINDOWS\system32\mswsock.dll...
Scanning Module:C:\WINDOWS\system32\hnetcfg.dll...
Scanning Module:C:\WINDOWS\System32\wshtcpip.dll...
Scanning Module:C:\WINDOWS\system32\DNSAPI.dll...
Scanning Module:C:\WINDOWS\System32\winrnr.dll...
Scanning Module:C:\WINDOWS\system32\rasadhlp.dll...

#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 684
ThreadCreationTime : 12-14-2004 4:36:22 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
Scanning Module:C:\WINDOWS\system32\services.exe...
Scanning Module:C:\WINDOWS\system32\SCESRV.dll...
Scanning Module:C:\WINDOWS\system32\umpnpmgr.dll...
Scanning Module:C:\WINDOWS\system32\NCObjAPI.DLL...
Scanning Module:C:\WINDOWS\system32\MSVCP60.dll...
Scanning Module:C:\WINDOWS\system32\ShimEng.dll...
Scanning Module:C:\WINDOWS\AppPatch\AcGenral.DLL...
Scanning Module:C:\WINDOWS\system32\eventlog.dll...

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 696
ThreadCreationTime : 12-14-2004 4:36:22 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
Scanning Module:C:\WINDOWS\system32\lsass.exe...
Scanning Module:C:\WINDOWS\system32\LSASRV.dll...
Scanning Module:C:\WINDOWS\system32\SAMSRV.dll...
Scanning Module:C:\WINDOWS\system32\cryptdll.dll...
Scanning Module:C:\WINDOWS\system32\NTDSAPI.dll...
Scanning Module:C:\WINDOWS\system32\msprivs.dll...
Scanning Module:C:\WINDOWS\system32\kerberos.dll...
Scanning Module:C:\WINDOWS\system32\netlogon.dll...
Scanning Module:C:\WINDOWS\system32\w32time.dll...
Scanning Module:C:\WINDOWS\system32\schannel.dll...
Scanning Module:C:\WINDOWS\system32\wdigest.dll...
Scanning Module:C:\WINDOWS\system32\scecli.dll...
Scanning Module:C:\WINDOWS\system32\ipsecsvc.dll...
Scanning Module:C:\WINDOWS\system32\oakley.DLL...
Scanning Module:C:\WINDOWS\system32\WINIPSEC.DLL...
Scanning Module:C:\WINDOWS\system32\pstorsvc.dll...
Scanning Module:C:\WINDOWS\system32\dssenh.dll...
Scanning Module:C:\WINDOWS\system32\psbase.dll...

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 848
ThreadCreationTime : 12-14-2004 4:36:23 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
Scanning Module:C:\WINDOWS\system32\svchost.exe...
Scanning Module:c:\windows\system32\rpcss.dll...
Scanning Module:C:\WINDOWS\system32\CLBCATQ.DLL...
Scanning Module:C:\WINDOWS\system32\COMRes.dll...
Scanning Module:C:\WINDOWS\system32\msi.dll...
Scanning Module:c:\windows\system32\termsrv.dll...
Scanning Module:c:\windows\system32\ICAAPI.dll...
Scanning Module:c:\windows\system32\mstlsapi.dll...
Scanning Module:c:\windows\system32\ACTIVEDS.dll...
Scanning Module:c:\windows\system32\adsldpc.dll...
Scanning Module:c:\windows\system32\ATL.DLL...

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1020
ThreadCreationTime : 12-14-2004 4:36:24 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
Scanning Module:c:\windows\system32\dhcpcsvc.dll...
Scanning Module:c:\windows\system32\wzcsvc.dll...
Scanning Module:c:\windows\system32\WMI.dll...
Scanning Module:c:\windows\system32\ESENT.dll...
Scanning Module:C:\WINDOWS\System32\rastls.dll...
Scanning Module:C:\WINDOWS\system32\CRYPTUI.dll...
Scanning Module:C:\WINDOWS\System32\MPRAPI.dll...
Scanning Module:C:\WINDOWS\System32\raschap.dll...
Scanning Module:c:\windows\system32\schedsvc.dll...
Scanning Module:C:\WINDOWS\System32\MSIDLE.DLL...
Scanning Module:c:\windows\system32\audiosrv.dll...
Scanning Module:c:\windows\system32\wkssvc.dll...
Scanning Module:c:\windows\system32\cryptsvc.dll...
Scanning Module:c:\windows\system32\certcli.dll...
Scanning Module:c:\windows\system32\ersvc.dll...
Scanning Module:c:\windows\system32\es.dll...
Scanning Module:c:\windows\pchealth\helpctr\binaries\pchsvc.dll...
Scanning Module:c:\windows\system32\srvsvc.dll...
Scanning Module:c:\windows\system32\netman.dll...
Scanning Module:c:\windows\system32\netshell.dll...
Scanning Module:c:\windows\system32\credui.dll...
Scanning Module:c:\windows\system32\WZCSAPI.DLL...
Scanning Module:c:\windows\system32\seclogon.dll...
Scanning Module:c:\windows\system32\sens.dll...
Scanning Module:c:\windows\system32\srsvc.dll...
Scanning Module:c:\windows\system32\POWRPROF.dll...
Scanning Module:c:\windows\system32\trkwks.dll...
Scanning Module:c:\windows\system32\wbem\wmisvc.dll...
Scanning Module:C:\WINDOWS\system32\VSSAPI.DLL...
Scanning Module:c:\windows\system32\wuauserv.dll...
Scanning Module:C:\WINDOWS\system32\wuaueng.dll...
Scanning Module:C:\WINDOWS\System32\ADVPACK.dll...
Scanning Module:C:\WINDOWS\System32\SHFOLDER.dll...
Scanning Module:C:\WINDOWS\System32\WINHTTP.dll...
Scanning Module:C:\WINDOWS\System32\Cabinet.dll...
Scanning Module:C:\WINDOWS\System32\mspatcha.dll...
Scanning Module:c:\windows\system32\browser.dll...
Scanning Module:c:\windows\system32\ipnathlp.dll...
Scanning Module:c:\windows\system32\wscsvc.dll...
Scanning Module:C:\WINDOWS\System32\wbem\wbemprox.dll...
Scanning Module:C:\WINDOWS\System32\wbem\wbemcomn.dll...
Scanning Module:C:\WINDOWS\System32\Wbem\wbemcore.dll...
Scanning Module:C:\WINDOWS\System32\Wbem\esscli.dll...
Scanning Module:C:\WINDOWS\System32\Wbem\FastProx.dll...
Scanning Module:C:\WINDOWS\System32\wbem\wbemsvc.dll...
Scanning Module:C:\WINDOWS\System32\wbem\wmiutils.dll...
Scanning Module:C:\WINDOWS\System32\wbem\repdrvfs.dll...
Scanning Module:C:\WINDOWS\System32\wbem\wmiprvsd.dll...
Scanning Module:C:\WINDOWS\SYSTEM32\msxml3.dll...
Scanning Module:C:\WINDOWS\System32\wbem\wbemess.dll...
Scanning Module:C:\WINDOWS\system32\comsvcs.dll...
Scanning Module:C:\WINDOWS\system32\MTXCLU.DLL...
Scanning Module:C:\WINDOWS\system32\WSOCK32.dll...
Scanning Module:C:\WINDOWS\system32\colbact.DLL...
Scanning Module:C:\WINDOWS\System32\CLUSAPI.DLL...
Scanning Module:C:\WINDOWS\System32\RESUTILS.DLL...
Scanning Module:C:\WINDOWS\System32\wbem\ncprov.dll...
Scanning Module:C:\WINDOWS\System32\wuapi.dll...
Scanning Module:C:\WINDOWS\System32\upnp.dll...
Scanning Module:C:\WINDOWS\System32\SSDPAPI.dll...
Scanning Module:C:\WINDOWS\System32\netcfgx.dll...
Scanning Module:C:\WINDOWS\System32\rasmans.dll...
Scanning Module:c:\windows\system32\tapisrv.dll...
Scanning Module:C:\WINDOWS\System32\wbem\wbemcons.dll...
Scanning Module:C:\WINDOWS\System32\rastapi.dll...
Scanning Module:C:\WINDOWS\System32\unimdm.tsp...
Scanning Module:C:\WINDOWS\System32\uniplat.dll...
Scanning Module:C:\WINDOWS\System32\unimdmat.dll...
Scanning Module:C:\WINDOWS\system32\modemui.dll...
Scanning Module:C:\WINDOWS\System32\kmddsp.tsp...
Scanning Module:C:\WINDOWS\System32\ndptsp.tsp...
Scanning Module:C:\WINDOWS\System32\ipconf.tsp...
Scanning Module:C:\WINDOWS\System32\h323.tsp...
Scanning Module:C:\WINDOWS\System32\hidphone.tsp...
Scanning Module:C:\WINDOWS\System32\HID.DLL...
Scanning Module:C:\WINDOWS\System32\rasppp.dll...
Scanning Module:C:\WINDOWS\System32\ntlsapi.dll...
Scanning Module:C:\WINDOWS\System32\RASDLG.dll...
Scanning Module:C:\WINDOWS\System32\wups.dll...
Scanning Module:C:\WINDOWS\System32\cryptnet.dll...

#:7 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1368
ThreadCreationTime : 12-14-2004 4:36:26 AM
BasePriority : Normal
FileVersion : 8.16
ProductVersion : 8.16
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : © 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LexBceS.exe
Scanning Module:C:\WINDOWS\system32\LEXBCES.EXE...
Scanning Module:C:\WINDOWS\system32\lexp2p32.dll...
Scanning Module:C:\WINDOWS\system32\lex2kusb.dll...

#:8 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1404
ThreadCreationTime : 12-14-2004 4:36:26 AM
BasePriority : Normal
FileVersion : 8.16
ProductVersion : 8.16
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : © 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)
Scanning Module:C:\WINDOWS\system32\LEXPPS.EXE...
Scanning Module:C:\WINDOWS\system32\LEXBCE.DLL...

#:9 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1412
ThreadCreationTime : 12-14-2004 4:36:26 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
Scanning Module:C:\WINDOWS\system32\spoolsv.exe...
Scanning Module:C:\WINDOWS\system32\SPOOLSS.DLL...
Scanning Module:C:\WINDOWS\system32\localspl.dll...
Scanning Module:C:\WINDOWS\system32\cnbjmon.dll...
Scanning Module:C:\WINDOWS\system32\CNBJMON2.DLL...
Scanning Module:C:\WINDOWS\system32\LEXLMPM.DLL...
Scanning Module:C:\WINDOWS\system32\pjlmon.dll...
Scanning Module:C:\WINDOWS\system32\tcpmon.dll...
Scanning Module:C:\WINDOWS\system32\usbmon.dll...
Scanning Module:C:\WINDOWS\System32\spool\PRTPROCS\W32X86\LXBCPP5C.dll...
Scanning Module:C:\WINDOWS\system32\win32spl.dll...
Scanning Module:C:\WINDOWS\system32\NETRAP.dll...
Scanning Module:C:\WINDOWS\system32\inetpp.dll...
Scanning Module:C:\WINDOWS\system32\LXBCpwr.dll...

#:10 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1552
ThreadCreationTime : 12-14-2004 4:36:28 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE
Scanning Module:C:\WINDOWS\system32\rundll32.exe...
Scanning Module:C:\WINDOWS\system32\BYMSM136.dll...
Scanning Module:C:\WINDOWS\system32\eapusr.dll...

VX2 Object Recognized!
Type : Process
Data : eapusr.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\eapusr.dll)

"C:\WINDOWS\system32\rundll32.exe"Process terminated successfully

#:11 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1688
ThreadCreationTime : 12-14-2004 4:36:31 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
Scanning Module:C:\WINDOWS\Explorer.EXE...
Scanning Module:C:\WINDOWS\system32\BROWSEUI.dll...
Scanning Module:C:\WINDOWS\system32\SHDOCVW.dll...
Scanning Module:C:\WINDOWS\System32\cscui.dll...
Scanning Module:C:\WINDOWS\System32\CSCDLL.dll...
Scanning Module:C:\WINDOWS\System32\themeui.dll...
Scanning Module:C:\WINDOWS\System32\MSIMG32.dll...
Scanning Module:C:\WINDOWS\System32\actxprxy.dll...
Scanning Module:C:\WINDOWS\system32\ntshrui.dll...
Scanning Module:C:\WINDOWS\system32\LINKINFO.dll...
Scanning Module:C:\WINDOWS\system32\eapusr.dll...

VX2 Object Recognized!
Type : Process
Data : eapusr.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\eapusr.dll)

Scanning Module:C:\WINDOWS\System32\webcheck.dll...
Scanning Module:C:\WINDOWS\System32\stobject.dll...
Scanning Module:C:\WINDOWS\System32\BatMeter.dll...
Scanning Module:C:\WINDOWS\System32\drprov.dll...
Scanning Module:C:\WINDOWS\System32\ntlanman.dll...
Scanning Module:C:\WINDOWS\System32\NETUI0.dll...
Scanning Module:C:\WINDOWS\System32\NETUI1.dll...
Scanning Module:C:\WINDOWS\System32\davclnt.dll...

#:12 [wkufind.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\Works Shared\
ProcessID : 1784
ThreadCreationTime : 12-14-2004 4:36:32 AM
BasePriority : Normal
FileVersion : 6.00.3215.0
ProductVersion : 6.00.3215.0
ProductName : Microsoft® Works 6.0
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Update Detection
InternalName : WkUFind
LegalCopyright : Copyright © Microsoft Corporation 1987-2001. All rights reserved.
OriginalFilename : WkUFind.exe
Scanning Module:C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe...

#:13 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1800
ThreadCreationTime : 12-14-2004 4:36:32 AM
BasePriority : Normal
FileVersion : 3,0,0,1715
ProductVersion : 7,0,0,1715
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2002, Intel Corporation
OriginalFilename : HKCMD.EXE
Scanning Module:C:\WINDOWS\System32\hkcmd.exe...
Scanning Module:C:\WINDOWS\System32\hccutils.DLL...
Scanning Module:C:\WINDOWS\System32\igfxdev.dll...
Scanning Module:C:\WINDOWS\System32\igfxsrvc.dll...
Scanning Module:C:\WINDOWS\system32\eapusr.dll...

VX2 Object Recognized!
Type : Process
Data : eapusr.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\eapusr.dll)

Scanning Module:C:\WINDOWS\System32\igfxhk.dll...
Scanning Module:C:\WINDOWS\System32\igfxres.dll...

#:14 [bcmsmmsg.exe]
FilePath : C:\WINDOWS\
ProcessID : 1808
ThreadCreationTime : 12-14-2004 4:36:32 AM
BasePriority : Normal
FileVersion : 3.5.25 08/27/2003 20:04:35
ProductVersion : 3.5.25 08/27/2003 20:04:35
ProductName : BCM Modem Messaging Applet
CompanyName : Broadcom Corporation
FileDescription : Modem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © Broadcom Corporation 1998-2000
OriginalFilename : smdmstat.exe
Scanning Module:C:\WINDOWS\BCMSMMSG.exe...
Scanning Module:C:\WINDOWS\system32\eapusr.dll...

VX2 Object Recognized!
Type : Process
Data : eapusr.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\eapusr.dll)

"C:\WINDOWS\BCMSMMSG.exe"Process terminated successfully

#:15 [dsentry.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1816
ThreadCreationTime : 12-14-2004 4:36:32 AM
BasePriority : Normal
FileVersion : 1, 0, 2, 0
ProductVersion : 1, 0, 2, 0
ProductName : Dell - DVDSentry
CompanyName : Dell - Advanced Desktop Engineering
FileDescription : DVDSentry
InternalName : DVDSentry
LegalCopyright : Copyright © 2002 Dell
OriginalFilename : DSentry.exe
Comments : DVDSentry launches your software DVD player when a DVD is inserted.
Scanning Module:C:\WINDOWS\System32\DSentry.exe...
Scanning Module:C:\WINDOWS\System32\MFC42.DLL...
Scanning Module:C:\WINDOWS\system32\eapusr.dll...

VX2 Object Recognized!
Type : Process
Data : eapusr.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\eapusr.dll)

"C:\WINDOWS\System32\DSentry.exe"Process terminated successfully

#:16 [mm_tray.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
ProcessID : 1824
ThreadCreationTime : 12-14-2004 4:36:32 AM
BasePriority : Normal
FileVersion : 7.10.6002
ProductVersion : 7.10.6002
ProductName : MUSICMATCH JUKEBOX
CompanyName : MUSICMATCH, Inc.
FileDescription : mm_tray
InternalName : mm_tray
LegalCopyright : Copyright © MUSICMATCH 1998-2002
LegalTrademarks :
OriginalFilename : mm_tray.exe
Scanning Module:C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe...
Scanning Module:C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MSVCP60.dll...
Scanning Module:C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\FileAssoc.dll...
Scanning Module:C:\WINDOWS\system32\eapusr.dll...

VX2 Object Recognized!
Type : Process
Data : eapusr.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\eapusr.dll)

"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"Process terminated successfully

#:17 [directcd.exe]
FilePath : C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\
ProcessID : 1848
ThreadCreationTime : 12-14-2004 4:36:33 AM
BasePriority : Normal
FileVersion : 5.2.0.91
ProductVersion : 5.2.0.91
ProductName : DirectCD
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
LegalCopyright : Copyright © 2001-2002, Roxio, Inc.
OriginalFilename : Directcd.exe
Scanning Module:C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe...
Scanning Module:C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\CDUDFLIB.dll...
Scanning Module:C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\UDFRWLIB.dll...
Scanning Module:C:\WINDOWS\system32\OLEPRO32.DLL...

#:18 [support.exe]
FilePath : C:\Program Files\Common Files\Dell\EUSW\
ProcessID : 1856
ThreadCreationTime : 12-14-2004 4:36:33 AM
BasePriority : Normal
FileVersion : 2, 1, 1, 0
ProductVersion : 1, 0, 0, 1
ProductName : Dell Support
CompanyName : Dell
FileDescription : Support
InternalName : Support
LegalCopyright : Copyright © 2002
OriginalFilename : Support.exe
Scanning Module:C:\Program Files\Common Files\Dell\EUSW\Support.exe...
Scanning Module:C:\Program Files\Common Files\Dell\EUSW\DellUtil.dll...
Scanning Module:C:\Program Files\Common Files\Dell\EUSW\DDSM.dll...
Scanning Module:C:\WINDOWS\system32\eapusr.dll...

VX2 Object Recognized!
Type : Process
Data : eapusr.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\eapusr.dll)

"C:\Program Files\Common Files\Dell\EUSW\Support.exe"Process terminated successfully

#:19 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 1868
ThreadCreationTime : 12-14-2004 4:36:33 AM
BasePriority : Normal
FileVersion : 4.5.0.31
ProductVersion : 4.5.0.31
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe
Scanning Module:C:\Program Files\iTunes\iTunesHelper.exe...
Scanning Module:C:\WINDOWS\system32\eapusr.dll...

VX2 Object Recognized!
Type : Process
Data : eapusr.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\eapusr.dll)

"C:\Program Files\iTunes\iTunesHelper.exe"Process terminated successfully

#:20 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 1876
ThreadCreationTime : 12-14-2004 4:36:33 AM
BasePriority : Normal
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe
Scanning Module:C:\Program Files\QuickTime\qttask.exe...
Scanning Module:C:\WINDOWS\system32\eapusr.dll...

VX2 Object Recognized!
Type : Process
Data : eapusr.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\eapusr.dll)

"C:\Program Files\QuickTime\qttask.exe"Process terminated successfully

#:21 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ProcessID : 1884
ThreadCreationTime : 12-14-2004 4:36:33 AM
BasePriority : Normal
FileVersion : 0.1.0.3018
ProductVersion : 0.1.0.3018
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe
Scanning Module:C:\Program Files\Common Files\Real\Update_OB\realsched.exe...
Scanning Module:C:\WINDOWS\system32\eapusr.dll...

VX2 Object Recognized!
Type : Process
Data : eapusr.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\eapusr.dll)

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"Process terminated successfully

#:22 [vptray.exe]
FilePath : C:\PROGRA~1\SYMANT~1\SYMANT~1\
ProcessID : 1892
ThreadCreationTime : 12-14-2004 4:36:33 AM
BasePriority : Normal
FileVersion : 8.1.0.825
ProductVersion : 8.1.0.825
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright © Symantec Corporation 1991-2003
Scanning Module:C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe...
Scanning Module:C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Cliscan.dll...
Scanning Module:C:\WINDOWS\system32\CTL3D32.dll...
Scanning Module:C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVNTUTL.DLL...
Scanning Module:C:\WINDOWS\system32\eapusr.dll...

VX2 Object Recognized!
Type : Process
Data : eapusr.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\eapusr.dll)

"C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe"Process terminated successfully

#:23 [sed.exe]
FilePath : C:\Program Files\SED\
ProcessID : 1904
ThreadCreationTime : 12-14-2004 4:36:33 AM
BasePriority : Normal

Scanning Module:C:\Program Files\SED\SED.exe...

#:24 [wkroqa.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1936
ThreadCreationTime : 12-14-2004 4:36:33 AM
BasePriority : Normal

Scanning Module:C:\WINDOWS\system32\wkroqa.exe...

VX2 Object Recognized!
Type : Process
Data : wkroqa.exe
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\wkroqa.exe)

"C:\WINDOWS\system32\wkroqa.exe"Process terminated successfully
"C:\WINDOWS\system32\wkroqa.exe"Process terminated successfully

#:25 [teatimer.exe]
FilePath : C:\Program Files\Spybot - Search & Destroy\
ProcessID : 1956
ThreadCreationTime : 12-14-2004 4:36:33 AM
BasePriority : Idle
FileVersion : 1, 3, 0, 12
ProductVersion : 1, 3, 0, 12
ProductName : Spybot - Search & Destroy
CompanyName : Safer Networking Limited
FileDescription : System settings protector
InternalName : TeaTimer
LegalCopyright : © 2000-2004 Patrick M. Kolla / Safer Networking Limited. Alle Rechte vorbehalten.
LegalTrademarks : "Spybot" und "Spybot - Search & Destroy" sind registrierte Warenzeichen.
OriginalFilename : TeaTimer.exe
Comments : Schützt Systemeinstellungen vor ungewollten Änderungen.
Scanning Module:C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe...
Scanning Module:C:\WINDOWS\system32\hhctrl.ocx...

#:26 [dlg.exe]
FilePath : C:\Program Files\Digital Line Detect\
ProcessID : 2012
ThreadCreationTime : 12-14-2004 4:36:33 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : BVRP Software TestLine
CompanyName : BVRP Software
FileDescription : Digital Line Detection
InternalName : TestLine
LegalCopyright : Copyright © 2001
OriginalFilename : TestLine.exe
Scanning Module:C:\Program Files\Digital Line Detect\DLG.exe...
Scanning Module:C:\Program Files\Digital Line Detect\BVRPDIAG.dll...
Scanning Module:C:\Program Files\Digital Line Detect\broadcom.dll...
Scanning Module:C:\WINDOWS\system32\bcmdmmoh.dll...
Scanning Module:C:\WINDOWS\system32\eapusr.dll...

VX2 Object Recognized!
Type : Process
Data : eapusr.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\eapusr.dll)

"C:\Program Files\Digital Line Detect\DLG.exe"Process terminated successfully

#:27 [notifyalert.exe]
FilePath : C:\Program Files\Dell\Support\Alert\bin\
ProcessID : 2044
ThreadCreationTime : 12-14-2004 4:36:33 AM
BasePriority : Normal

Scanning Module:C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe...
Scanning Module:C:\WINDOWS\system32\mscoree.dll...
Scanning Module:C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll...
Scanning Module:C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\MSVCR70.dll...
Scanning Module:C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\fusion.dll...
Scanning Module:c:\windows\microsoft.net\framework\v1.0.3705\mscorlib.dll...
Scanning Module:c:\windows\assembly\nativeimages1_v1.0.3705\mscorlib\1.0.3300.0__b77a5c561934e089_75e0950f\mscorlib.dll...
Scanning Module:C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\mscorsn.dll...
Scanning Module:c:\windows\assembly\gac\system.windows.forms\1.0.3300.0__b77a5c561934e089\system.windows.forms.dll...
Scanning Module:c:\windows\assembly\nativeimages1_v1.0.3705\system.windows.forms\1.0.3300.0__b77a5c561934e089_70412d12\system.windows.forms.dll...
Scanning Module:c:\windows\assembly\gac\system\1.0.3300.0__b77a5c561934e089\system.dll...
Scanning Module:c:\windows\assembly\nativeimages1_v1.0.3705\system\1.0.3300.0__b77a5c561934e089_21993964\system.dll...
Scanning Module:C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\MSCORJIT.DLL...
Scanning Module:c:\program files\dell\support\alert\bin\euswutil.dll...
Scanning Module:C:\WINDOWS\system32\netfxperf.dll...
Scanning Module:C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\perfcounter.dll...
Scanning Module:c:\windows\assembly\gac\system.xml\1.0.3300.0__b77a5c561934e089\system.xml.dll...
Scanning Module:c:\windows\assembly\nativeimages1_v1.0.3705\system.xml\1.0.3300.0__b77a5c561934e089_06a680be\system.xml.dll...
Scanning Module:C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\CorperfmonExt.dll...
Scanning Module:C:\WINDOWS\System32\query.dll...
Scanning Module:C:\WINDOWS\system32\perfdisk.dll...
Scanning Module:C:\WINDOWS\system32\perfnet.dll...
Scanning Module:C:\WINDOWS\system32\perfos.dll...
Scanning Module:C:\WINDOWS\system32\perfproc.dll...
Scanning Module:C:\WINDOWS\system32\pschdprf.dll...
Scanning Module:C:\WINDOWS\system32\TRAFFIC.dll...
Scanning Module:C:\WINDOWS\System32\rsvpperf.dll...
Scanning Module:C:\WINDOWS\system32\tapiperf.dll...
Scanning Module:C:\WINDOWS\system32\Perfctrs.dll...
Scanning Module:C:\WINDOWS\system32\perfts.dll...
Scanning Module:C:\WINDOWS\system32\UTILDLL.dll...
Scanning Module:C:\WINDOWS\System32\wbem\wmiaprpl.dll...
Scanning Module:C:\WINDOWS\system32\loadperf.dll...
Scanning Module:c:\windows\assembly\gac\system.drawing\1.0.3300.0__b03f5f7f11d50a3a\system.drawing.dll...
Scanning Module:c:\windows\assembly\nativeimages1_v1.0.3705\system.drawing\1.0.3300.0__b03f5f7f11d50a3a_b790e54a\system.drawing.dll...
Scanning Module:c:\program files\dell\support\alert\bin\en-us\notifyalert.resources.dll...
Scanning Module:c:\program files\dell\support\alert\bin\en\notifyalert.resources.dll...
Scanning Module:C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll...
Scanning Module:C:\WINDOWS\system32\eapusr.dll...

VX2 Object Recognized!
Type : Process
Data : eapusr.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\eapusr.dll)

"C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe"Process terminated successfully

#:28 [wkcalrem.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\Works Shared\
ProcessID : 168
ThreadCreationTime : 12-14-2004 4:36:33 AM
BasePriority : Normal
FileVersion : 6.00.1911.0
ProductVersion : 6.00.1911.0
ProductName : Microsoft® Works 6.0
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Calendar Reminder Service
InternalName : WkCalRem
LegalCopyright : Copyright © Microsoft Corporation 1987-2000. All rights reserved.
OriginalFilename : WKCALREM.EXE
Scanning Module:C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe...
Scanning Module:C:\WINDOWS\system32\eapusr.dll...

VX2 Object Recognized!
Type : Process
Data : eapusr.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\system32\


Warning! VX2 Object found in memory(C:\WINDOWS\system32\eapusr.dll)

"C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe"Process terminated successfully

#:29 [cisvc.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 156
ThreadCreationTime : 12-14-2004 4:36:34 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : cisvc.exe
Scanning Module:C:\WINDOWS\system32\cisvc.exe...

#:30 [defwatch.exe]
FilePath : C:\PROGRA~1\SYMANT~1\SYMANT~1\
ProcessID : 228
ThreadCreationTime : 12-14-2004 4:36:34 AM
BasePriority : Normal
FileVersion : 8.1.0.825
ProductVersion : 8.1.0.825
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
LegalCopyright : Copyright © 1998 Symantec Corporation
OriginalFilename : DefWatch.exe
Scanning Module:C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe...

#:31 [rtvscan.exe]
FilePath : C:\PROGRA~1\SYMANT~1\SYMANT~1\
ProcessID : 472
ThreadCreationTime : 12-14-2004 4:36:36 AM
BasePriority : Normal
FileVersion : 8.1.0.825
ProductVersion : 8.1.0.825
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright © Symantec Corporation 1991-2003
Scanning Module:C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe...
Scanning Module:C:\WINDOWS\system32\CBA.DLL...
Scanning Module:C:\WINDOWS\system32\MsgSys.dll...
Scanning Module:C:\WINDOWS\system32\NTS.dll...
Scanning Module:C:\WINDOWS\system32\PDS.DLL...
Scanning Module:C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVLU.dll...
Scanning Module:C:\WINDOWS\system32\IMM32.dll...
Scanning Module:C:\PROGRA~1\SYMANT~1\SYMANT~1\i2ldvp3.dll...
Scanning Module:C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAPI32.DLL...
Scanning Module:C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20041208.018\NAVEX32a.DLL...
Scanning Module:C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20041208.018\NAVENG32.DLL...
Scanning Module:C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP32.DLL...
Scanning Module:C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NotesExt.dll...
Scanning Module:C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vpmsece.dll...

#:32 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1124
ThreadCreationTime : 12-14-2004 4:36:39 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
Scanning Module:c:\windows\system32\wiaservc.dll...
Scanning Module:c:\windows\system32\CFGMGR32.dll...
Scanning Module:c:\windows\system32\mscms.dll...

#:33 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1228
ThreadCreationTime : 12-14-2004 4:36:39 AM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Scanning Module:C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe...
Scanning Module:C:\WINDOWS\system32\RICHED32.DLL...
Scanning Module:C:\WINDOWS\system32\RICHED20.dll...

#:34 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 2168
ThreadCreationTime : 12-14-2004 4:36:42 AM
BasePriority : Normal
FileVersion : 4.5.0.31
ProductVersion : 4.5.0.31
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe
Scanning Module:C:\Program Files\iPod\bin\iPodService.exe...

#:35 [wuauclt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3164
ThreadCreationTime : 12-14-2004 4:37:25 AM
BasePriority : Normal
FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
ProductVersion : 5.4.3790.2182
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe
Scanning Module:C:\WINDOWS\system32\wuauclt.exe...
Scanning Module:C:\WINDOWS\system32\wuaucpl.cpl...

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 15


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15

Disk Scan Result for C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15

Disk Scan Result for C:\DOCUME~1\Robert\LOCALS~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Warning!
Bad Hosts file entry:69.20.16.183:auto.search.msn.com


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:auto.search.msn.com
Warning!
Bad Hosts file entry:69.20.16.183:search.netscape.com


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:search.netscape.com
Warning!
Bad Hosts file entry:69.20.16.183:ieautosearch


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:ieautosearch
Warning!
Bad Hosts file entry:69.20.16.183:ieautosearch


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:ieautosearch
Warning!
Bad Hosts file entry:69.20.16.183:ieautosearch


Redirected hostfile entry Object Recognized!
Type : Hosts file
Data : 69.20.16.183
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 69.20.16.183:ieautosearch

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
16 entries scanned.
New critical objects:5
Objects found so far: 20




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E5CBF21-D15F-11D0-8301-00AA005B4383}

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\run
Value : Narrator

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 52

11:40:27 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:02:01.375
Objects scanned:69972
Objects identified:8
Objects ignored:0
New critical objects:8


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 08B2-1DB5

Directory of C:\WINDOWS\System32

12/13/2004 11:36 PM 2
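The hosts-file findings in the Ad-Aware log above, as an added example that is not part of the original post or of Ad-Aware: a small Python checker that parses a hosts file and flags the same pattern, names that Internet Explorer resolves for its own search features being sent to a remote address, and several names collapsing onto one such address. The sample hosts content is constructed from the entries in the log; the WATCHED set of names is an assumption made for this illustration.

```python
"""Flag hosts-file redirections of the kind Ad-Aware reported in the log.

Added example, not Ad-Aware's or HijackThis' own logic. SAMPLE_HOSTS is
constructed from the entries in the posted log; WATCHED is an assumed list.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: what the infected machine's hosts file would contain.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
69.20.16.183 ieautosearch
69.20.16.183 ieautosearch
"""

# Names that IE and other software resolve on their own; redirecting them
# lets a hijacker serve its own "search" page. Assumed list for this example.
WATCHED = {"auto.search.msn.com", "search.netscape.com", "ieautosearch",
           "windowsupdate.microsoft.com", "liveupdate.symantec.com"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, skipping comments."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower(), no


def is_local(ip):
    """True for loopback / 0.0.0.0 targets, which ad-blocking lists use legitimately."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text):
    """Return findings as (line_no, ip, hostname(s), reason); line_no 0 = summary."""
    findings = []
    targets = defaultdict(set)   # remote ip -> names pointed at it
    for ip, name, no in parse_hosts(text):
        if is_local(ip):
            continue
        targets[ip].add(name)
        if name in WATCHED:
            findings.append((no, ip, name, "watched name sent to a remote address"))
        elif not re.fullmatch(r"[a-z0-9.-]+", name):
            findings.append((no, ip, name, "malformed hostname"))
    # Several different names collapsing onto one remote address is the
    # CoolWebSearch signature even when none of the names is on the list.
    for ip, names in targets.items():
        if len(names) >= 2:
            findings.append((0, ip, ",".join(sorted(names)),
                             "multiple names share one remote address"))
    return findings


if __name__ == "__main__":
    for line_no, ip, name, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no or '-'}: {ip} {name}: {reason}")
```

Run against the constructed sample it reports five line-level findings, the same five Ad-Aware counted as critical, plus one summary finding for 69.20.16.183. Loopback targets are skipped on purpose: a hosts file full of 127.0.0.1 entries is usually an ad-blocking list, not a hijack.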

#12 confusedinga

confusedinga
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:44 PM

Posted 14 December 2004 - 12:04 AM

I think the last message got a little too long and cut off - here are the FindIt, DLLCompare and HJT logs:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 08B2-1DB5

Directory of C:\WINDOWS\System32

12/13/2004 11:36 PM 224,452 kt86l7ls1.dll
12/13/2004 07:28 PM 222,765 ktnol7531.dll
12/13/2004 04:23 AM 225,718 SNDLL.DLL
12/13/2004 04:10 AM 226,073 hrno0553e.dll
12/13/2004 04:08 AM 225,234 KNDEST.DLL
12/05/2004 03:41 PM <DIR> DLLCACHE
12/03/2003 10:33 PM 2,560 Thumbs.db
01/04/2003 08:09 AM <DIR> Microsoft
6 File(s) 1,126,802 bytes
2 Dir(s) 29,677,617,152 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 08B2-1DB5

Directory of C:\WINDOWS\System32

12/05/2004 03:41 PM <DIR> DLLCACHE
12/03/2003 10:33 PM 2,560 Thumbs.db
09/03/2002 09:57 AM 488 logonui.exe.manifest
09/03/2002 09:57 AM 488 WindowsLogon.manifest
09/03/2002 09:57 AM 749 sapi.cpl.manifest
09/03/2002 09:57 AM 749 nwc.cpl.manifest
09/03/2002 09:57 AM 749 ncpa.cpl.manifest
09/03/2002 09:57 AM 749 cdplayer.exe.manifest
09/03/2002 09:57 AM 749 wuaucpl.cpl.manifest
8 File(s) 7,281 bytes
1 Dir(s) 29,677,617,152 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 08B2-1DB5

Directory of C:\WINDOWS\System32

12/13/2004 11:39 PM 222,765 guard.tmp
1 File(s) 222,765 bytes
0 Dir(s) 29,677,613,056 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 08B2-1DB5

Directory of C:\WINDOWS\System32

12/13/2004 11:39 PM 222,765 guard.tmp
08/29/2002 06:00 AM 2,577 CONFIG.TMP
2 File(s) 225,342 bytes
0 Dir(s) 29,677,613,056 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{2187C55F-746B-44A5-BC3C-32EEEE439F03}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ktnol7531.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


---------------- Xfind Results -----------------

C:\WINDOWS\System32\BYMSM136.DLL +++ File read error

-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
hrno05~1.dll Mon Dec 13 2004 4:10:22a ..S.R 226,073 220.77 K
kndest.dll Mon Dec 13 2004 4:08:02a ..S.R 225,234 219.95 K
kt86l7~1.dll Mon Dec 13 2004 11:36:30p ..S.R 224,452 219.19 K
ktnol7~1.dll Mon Dec 13 2004 7:28:14p ..S.R 222,765 217.54 K
sndll.dll Mon Dec 13 2004 4:23:58a ..S.R 225,718 220.43 K

5 items found: 5 files, 0 directories.
Total of file sizes: 1,124,242 bytes 1.07 M



The DLLCompare:

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\hrno05~1.dll Mon Dec 13 2004 4:10:22a ..S.R 226,073 220.77 K
C:\WINDOWS\SYSTEM32\kndest.dll Mon Dec 13 2004 4:08:02a ..S.R 225,234 219.95 K
C:\WINDOWS\SYSTEM32\kt86l7~1.dll Mon Dec 13 2004 11:36:30p ..S.R 224,452 219.19 K
C:\WINDOWS\SYSTEM32\ktnol7~1.dll Mon Dec 13 2004 7:28:14p ..S.R 222,765 217.54 K
C:\WINDOWS\SYSTEM32\sndll.dll Mon Dec 13 2004 4:23:58a ..S.R 225,718 220.43 K
________________________________________________

1,294 items found: 1,294 files (5 H/S), 0 directories.
Total of file sizes: 264,838,826 bytes 252.57 M

Administrator Account = True

--------------------End log---------------------


And HJT:

Logfile of HijackThis v1.98.2
Scan saved at 11:45:37 PM, on 12/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\SED\SED.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sph.emory.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.se1.attbb.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\wkroqa.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hntpfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2003...iTunesSetup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
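As an added example (not FindIt's, DLLCompare's or the thread's own code), the following Python cross-checks the two artefacts that matter most in the listings above: the "Keys Under Notify" REGEDIT4 export and the `dir` listing of System32. Winlogon loads every DLL registered under Winlogon\Notify into winlogon.exe at logon, so a subkey whose DllName is one of the DLLs dropped hours before the scan is the persistence point. Both inputs are constructed inline from the posted output; the 48-hour window and the scan time (taken from the HJT header) are assumptions for this illustration.

```python
"""Cross-check Winlogon\\Notify packages against freshly written System32 DLLs.

Added example, not FindIt's or DLLCompare's code. SAMPLE_REG and SAMPLE_DIR
are constructed from the listings in the post; the parsers assume REGEDIT4
exports and English `dir` output, which is what was posted.
"""
import re
from datetime import datetime

# Constructed: the "Keys Under Notify" REGEDIT4 export from the post.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ktnol7531.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
"""

# Constructed: the "System Files in System32 Directory" dir listing.
SAMPLE_DIR = """\
12/13/2004 11:36 PM 224,452 kt86l7ls1.dll
12/13/2004 07:28 PM 222,765 ktnol7531.dll
12/13/2004 04:23 AM 225,718 SNDLL.DLL
12/13/2004 04:10 AM 226,073 hrno0553e.dll
12/13/2004 04:08 AM 225,234 KNDEST.DLL
12/05/2004 03:41 PM <DIR> DLLCACHE
12/03/2003 10:33 PM 2,560 Thumbs.db
"""

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SCAN_TIME = datetime(2004, 12, 13, 23, 45)   # assumed: the HJT scan time in the post


def parse_reg(text):
    """Return {key_path: {value_name: value}} for string and dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith('"'):
                # .reg files escape backslashes and quotes with a backslash
                keys[current][name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
            elif raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
    return keys


def parse_dir(text):
    """Return {lowercase filename: (mtime, size)} from `dir` output lines; skips <DIR>."""
    files = {}
    pat = re.compile(r"(\d\d/\d\d/\d{4}) +(\d\d:\d\d [AP]M) +([\d,]+) +(.+)")
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m:
            when = datetime.strptime(f"{m[1]} {m[2]}", "%m/%d/%Y %I:%M %p")
            files[m[4].lower()] = (when, int(m[3].replace(",", "")))
    return files


def suspicious_notify_packages(reg_text, dir_text, scan_time, window_hours=48):
    """List (subkey, DllName, mtime) for Notify packages backed by a recently written DLL."""
    keys = parse_reg(reg_text)
    recent = parse_dir(dir_text)
    hits = []
    for path, values in keys.items():
        if not path.lower().startswith(NOTIFY_ROOT.lower() + "\\"):
            continue                       # the Notify key itself is not a package
        dll = values.get("DllName", "")
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        info = recent.get(base)
        if info and (scan_time - info[0]).total_seconds() <= window_hours * 3600:
            hits.append((path.rsplit("\\", 1)[-1], dll, info[0]))
    return hits


def example_hits():
    return suspicious_notify_packages(SAMPLE_REG, SAMPLE_DIR, SCAN_TIME)


if __name__ == "__main__":
    for subkey, dll, when in example_hits():
        print(f"Notify\\{subkey} -> {dll} (written {when})")
```

The match is done against the `dir` listing rather than the locate.com or DLLCompare output because those two print 8.3 short names (ktnol7~1.dll), while the registry value carries the long name. On a live system the same check would read the Notify subkeys from the registry and the timestamps from the file system, but the logic is identical.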

#13 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,662 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:44 PM

Posted 14 December 2004 - 02:54 AM

OK let's take another stab at this tonight.

Download and install the VX2 Cleaner plug-in for AdAware.

Disconnect from the net. If you are "Always on" disconnect from the cable.

First, let's make sure TeaTimer doesn't interfere with removal. Right click the icon in the system tray for Spybot's TeaTimer and disable it.

I want you to navigate to the C:\WINDOWS\system32 folder using My Computer/Windows Explorer. Find the following files, zip them up and send to Papakid at myway.com. If you have trouble getting them zipped (right click the file and choose Send to>Compressed (zipped) Folder), don't worry about it just let me know:

wkroqa.exe
BYMSM136.DLL
eapusr.dll
ktnol7531.dll

Open KillBox and select the Delete on Reboot option. As before, say no when you click the white X to delete files and are asked to reboot. Delete these files--copy and paste the full file path:

C:\WINDOWS\system32\wkroqa.exe
C:\WINDOWS\system32\BYMSM136.DLL
C:\WINDOWS\system32\eapusr.dll
C:\WINDOWS\system32\ktnol7531.dll
C:\WINDOWS\SYSTEM32\hrno05~1.dll
C:\WINDOWS\SYSTEM32\kndest.dll
C:\WINDOWS\SYSTEM32\kt86l7~1.dll
C:\WINDOWS\SYSTEM32\sndll.dll
C:\WINDOWS\SYSTEM32\guard.tmp

Scan again with HijackThis and fix the following:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\wkroqa.exe

Open VX2Finder and click on the Click to Find VX2... button.
Then click the Open Regedit button. You will be taken straight to the Notify key:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]

Click the Notify key in the left column to expand and then right click and delete the following key:

ThemeManager

Close the registry editor.

REBOOT

Open VX2Finder and click on the Click to Find VX2... button.
Then click "User Agent$"
Then "Restore Desktop"

REBOOT into safe mode.

Open Ad-Aware, go to Add-ons, click the Tools tab and select VX2 Cleaner. Press the Run Tool button.

Reboot back into safe mode.

Run the VX2 Cleaner plug-in again and repeat, with reboots in between, until you are told that no VX2 files are found. Once you get that message, run an AdAware scan and allow it to fix everything it finds.

Then run 3S as instructed earlier.

Now you can connect back to the internet. Run all those logs and post them back here. You can put the AdAware log in a separate post.

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan
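The two registry-level steps in the procedure above, KillBox's Delete on Reboot for the listed files and deleting the ThemeManager subkey under Notify, can be expressed as a single .reg file. This is an added example, not KillBox's or the thread's own code. It relies on two documented mechanisms: the PendingFileRenameOperations value under Session Manager, a REG_MULTI_SZ of source/destination pairs that Windows applies early in the next boot, before the DLLs are loaded (an empty destination deletes the source), and regedit's `[-Key]` syntax for deleting a key on import. The file paths are the ones listed in the post; the output filename is an assumption.

```python
"""Generate a .reg file that deletes files at the next boot and removes a Notify subkey.

Added example, not KillBox's code. Delete-on-reboot tools write exactly this
value; MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) does the same. Importing
the file REPLACES anything already queued in PendingFileRenameOperations
(installers and Windows Update use it too), so run it only in the offline
cleanup window the post describes.
"""

# File list from the post, verbatim (8.3 short names are valid paths).
DELETE_ON_REBOOT = [
    r"C:\WINDOWS\system32\wkroqa.exe",
    r"C:\WINDOWS\system32\BYMSM136.DLL",
    r"C:\WINDOWS\system32\eapusr.dll",
    r"C:\WINDOWS\system32\ktnol7531.dll",
    r"C:\WINDOWS\SYSTEM32\hrno05~1.dll",
    r"C:\WINDOWS\SYSTEM32\kndest.dll",
    r"C:\WINDOWS\SYSTEM32\kt86l7~1.dll",
    r"C:\WINDOWS\SYSTEM32\sndll.dll",
    r"C:\WINDOWS\SYSTEM32\guard.tmp",
]
NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion"
              r"\Winlogon\Notify\ThemeManager")
SESSION_MANAGER = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
OUTPUT = "vx2-cleanup.reg"   # assumed name


def pending_delete_multi_sz(paths):
    """Encode delete operations as the raw REG_MULTI_SZ bytes the kernel expects.

    Each operation is two strings: the NT-style source path (\\??\\ prefix)
    and the destination; an empty destination means delete. Every string is
    NUL-terminated, the list ends with one more NUL, and the data is UTF-16LE.
    """
    items = []
    for p in paths:
        items.append("\\??\\" + p)
        items.append("")
    return ("\0".join(items) + "\0\0").encode("utf-16-le")


def hex7(data):
    """Format raw bytes in the hex(7): syntax .reg files use for REG_MULTI_SZ."""
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def build_reg(paths, notify_subkey):
    """Return the text of a REGEDIT4 file (CRLF line endings, as regedit writes them)."""
    lines = [
        "REGEDIT4",
        "",
        f"[{SESSION_MANAGER}]",
        f'"PendingFileRenameOperations"={hex7(pending_delete_multi_sz(paths))}',
        "",
        f"[-{notify_subkey}]",   # leading minus: delete this key on import
        "",
    ]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    with open(OUTPUT, "w", newline="") as fh:
        fh.write(build_reg(DELETE_ON_REBOOT, NOTIFY_KEY))
    print(f"wrote {OUTPUT}; import with: regedit /s {OUTPUT}, then reboot")
```

Importing the file needs an administrator account (the post's DLLCompare log shows one is in use). Nothing happens until the reboot, which matches the order given above: fix the HijackThis entries first, then reboot, and only then move on to the VX2 Cleaner passes. Because the Notify subkey is removed at import time while the DLL is only removed at boot, winlogon.exe will not reload it in between.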


#14 confusedinga

confusedinga
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:44 PM

Posted 14 December 2004 - 11:18 AM

Hi Papakid,
None of those files were in the System32 folder. I don't want to go around deleting them with KillBox if you need them - let me know how to proceed.

The computer's been performing much better since work began, however, the RUNDLL errors are back. Ugh!

And one more question - I'm pretty new at this, so I'm sorry if it's a silly question. The VX2Finder doesn't have a "Restore Desktop" button, it has a "Restore Policy" button. Everything else has been the same - just wanting to make sure I haven't downloaded the wrong thing.

Thanks!

#15 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,662 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:44 PM

Posted 14 December 2004 - 11:53 AM

Good morning,
Never worry about if it's a silly question or not. That was my bad--it should be "restore policy" instead of "restore desktop".

However it is more important that you delete those files with KillBox rather than keeping them for me. It is important the entire procedure be done while offline (where indicated) and before rebooting (where indicated), otherwise the files will change and more malware could be added. So I'm thinking we will have to start over, although we seem to be making progress.

Go ahead and run AdAware as I've asked you to do, then send in the requested logs. We'll probably have different file names to try to delete. So if I'm understanding you correctly, you went through the procedure but didn't delete these files with KillBox?

wkroqa.exe
BYMSM136.DLL
eapusr.dll
ktnol7531.dll

I need to know at what point you rebooted and when you came back online. It may not matter though when I see the logs, but I would like to know exactly what steps you took and what was left out.





