Hijack this log


11 replies to this topic

#1 krazychick214

  • Members
  • 18 posts

Posted 14 December 2004 - 11:51 AM

Logfile of HijackThis v1.98.2
Scan saved at 10:50:24 AM, on 12/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\WINNT\System32\yaqvcc.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\WINNT\System32\qedlv.exe
C:\winnt\system32\saie.exe
C:\WINNT\System32\RUNDLL32.exe
C:\Program Files\CSBB\CSV7P070.exe
C:\WINNT\System32\winupdt.exe
C:\WINNT\System32\ckipfd.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\winupdt.exe
C:\Program Files\AdDestroyer\AdDestroyer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Netscape\Communicator\Program\netscape.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\amankiewicz\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\2.bin\S4BAR.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ps5k3nP] qedlv.exe
O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe
O4 - HKLM\..\Run: [saie] c:\winnt\system32\saie.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\System32\winupdtl.exe
O4 - HKLM\..\Run: [CSV7P70] C:\Program Files\CSBB\CSV7P070.exe
O4 - HKLM\..\Run: [yrgvgryt] C:\WINNT\yrgvgryt.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [dhtixc] C:\WINNT\System32\dhtixc.exe
O4 - HKLM\..\Run: [ifdnmya] C:\WINNT\System32\ckipfd.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1101911752140
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cam.com
O17 - HKLM\Software\..\Telephony: DomainName = cam.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{790A3E61-E4F3-435D-B243-3ADB6BB7AC52}: NameServer = 192.168.1.3,192.168.1.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cam.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cam.com



This is a work computer. I have run spybot, ad aware and spyware destroyer. There are still really annoying pop ups, even with a pop up blocker.


#2 Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 15 December 2004 - 06:12 AM

Hi

Uninstall from Add\Remove Programs:
WinTools

Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Download Ad-aware SE 1.05: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\2.bin\S4BAR.DLL

O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ps5k3nP] qedlv.exe
O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe
O4 - HKLM\..\Run: [saie] c:\winnt\system32\saie.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\System32\winupdtl.exe
O4 - HKLM\..\Run: [CSV7P70] C:\Program Files\CSBB\CSV7P070.exe
O4 - HKLM\..\Run: [yrgvgryt] C:\WINNT\yrgvgryt.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [dhtixc] C:\WINNT\System32\dhtixc.exe
O4 - HKLM\..\Run: [ifdnmya] C:\WINNT\System32\ckipfd.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe

Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if found:
qedlv.exe <-- this file
C:\WINNT\System32\stcloader.exe <-- this file
c:\winnt\system32\saie.exe <-- this file
C:\WINNT\System32\winupdtl.exe <-- this file
C:\WINNT\yrgvgryt.exe <-- this file
C:\WINNT\System32\dhtixc.exe <-- this file
C:\WINNT\System32\ckipfd.exe <-- this file
C:\WINNT\conscorr.exe <-- this file

Delete these folders:
C:\Program Files\SurfSideKick 2\ <-- this folder
C:\Program Files\MySearch\ <-- this folder
C:\Program Files\Toolbar\ <-- this folder
C:\Program Files\AutoUpdate\ <-- this folder
C:\Program Files\CSBB\ <-- this folder
C:\Program Files\Web_Rebates\ <-- this folder
C:\Program Files\VBouncer\ <-- this folder
C:\Program Files\Common files\WinTools\ <-- this folder
C:\Program Files\AdDestroyer\ <-- this folder

Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.

With all windows and browsers closed, clean out temporary files and Temporary Internet Files:
A. Open System Security Suite.
B. In the Items to Clear tab tick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

REBOOT normally.

Run HijackThis! again and post a new log please.

Download this ZIP file

and unzip the contents to a folder, then open that folder and double click on Find.bat. It will run for a minute, then produce a log (ignore any File not found messages on the screen, it should continue anyway). Please copy and paste that log here as well.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

Edited by cryo, 15 December 2004 - 06:19 AM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

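The reply above sorts the log by hand: IE start/search values pointing at an unexpected site, hosts-file redirects to a non-loopback address, unnamed or fileless BHOs, toolbars and search hooks, and Run values that launch a bare filename or a randomly named executable in the Windows directory. The script below is an added example, not part of this thread or of HijackThis, that applies those same checks to a constructed excerpt of the first log. The TRUSTED_HOSTS and KNOWN_RUN_VALUES sets are assumptions of the example, chosen to match the entries the reply left alone, and would need adjusting for a different machine.

```python
"""Triage a HijackThis v1.98 log with the heuristics applied in the reply above."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: nine lines copied from the first log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ps5k3nP] qedlv.exe
O4 - HKLM\..\Run: [yrgvgryt] C:\WINNT\yrgvgryt.exe
O4 - HKLM\..\Run: [ifdnmya] C:\WINNT\System32\ckipfd.exe
"""

# Assumptions of this example, not statements from the thread: hosts accepted as
# legitimate IE defaults on this machine, and Run values belonging to the OEM,
# Symantec, QuickTime and Spy Sweeper entries the reply did not ask to remove.
TRUSTED_HOSTS = {"www.yahoo.com", "home.netscape.com", "www.gatewaybiz.com"}
KNOWN_RUN_VALUES = {"igfxtray", "hotkeyscmds", "keyboard preload check",
                    "ccapp", "vptray", "quicktime task", "spysweeper"}
WINDOWS_DIRS = ("c:\\winnt\\", "c:\\windows\\")

HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
RUN_LINE = re.compile(r"\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$")


def _run_target(target):
    """Extract the executable path from a Run value's command line."""
    target = target.strip()
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    return target.split(" ", 1)[0]


def triage(log_text):
    """Return [(code, reason, line)] for every entry the heuristics consider hostile."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        reason = None
        if code in ("R0", "R1"):
            # Registry path, then "= URL"; an empty value (SearchAssistant =) is ignored.
            url = body.partition("=")[2].strip()
            host = urlparse(url).hostname if url else None
            if host and host not in TRUSTED_HOSTS:
                reason = f"IE start/search value points at {host}"
        elif code == "O1":
            # "Hosts: <ip> <name>"; anything not loopback is a redirect.
            _, ip, name = body.split()[:3]
            if not ip_address(ip).is_loopback:
                reason = f"hosts file redirects {name} to {ip}"
        elif code in ("R3", "O2", "O3"):
            if "(no name)" in body or "(no file)" in body:
                reason = "unnamed or fileless search hook/BHO/toolbar"
        elif code == "O4":
            r = RUN_LINE.search(body)
            if r and r.group("name").lower() not in KNOWN_RUN_VALUES:
                exe = _run_target(r.group("target"))
                if "\\" not in exe:
                    reason = f"bare filename {exe} resolved through the search path"
                elif exe.lower().startswith(WINDOWS_DIRS):
                    reason = f"unknown autorun executable in the Windows directory: {exe}"
        if reason:
            findings.append((code, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {line}")
```

Running it on the sample flags seven of the nine lines and leaves the yahoo.com start page and the Symantec ccApp entry alone, which is the same split the reply made. The O4 rule is deliberately about where the executable lives and how it is referenced, not the value name, since a legitimate entry such as hkcmd.exe looks just as random as ckipfd.exe.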

#3 krazychick214
  • Topic Starter

  • Members
  • 18 posts

Posted 15 December 2004 - 02:27 PM

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 0C7A-D9F2

Directory of C:\WINNT\System32

12/15/2004 10:35 AM <DIR> dllcache
12/14/2004 04:28 PM 223,370 s2rslc971f.dll
01/09/2003 10:41 AM <DIR> Microsoft
1 File(s) 223,370 bytes
2 Dir(s) 33,537,011,712 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 0C7A-D9F2

Directory of C:\WINNT\System32

12/15/2004 10:35 AM <DIR> dllcache
01/09/2003 10:31 AM 488 logonui.exe.manifest
01/09/2003 10:31 AM 488 WindowsLogon.manifest
01/09/2003 10:31 AM 749 nwc.cpl.manifest
01/09/2003 10:31 AM 749 sapi.cpl.manifest
01/09/2003 10:31 AM 749 ncpa.cpl.manifest
01/09/2003 10:31 AM 749 wuaucpl.cpl.manifest
01/09/2003 10:31 AM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 33,537,007,616 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 0C7A-D9F2

Directory of C:\WINNT\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 0C7A-D9F2

Directory of C:\WINNT\System32

09/22/2004 06:46 PM 20,480 setb5.tmp
09/22/2004 06:46 PM 20,480 setb4.tmp
08/04/2004 01:56 AM 29,696 SET340D.tmp
08/04/2004 01:56 AM 56,832 SET3330.tmp
08/04/2004 01:56 AM 33,280 SET33CC.tmp
08/04/2004 01:56 AM 206,848 SET31F1.tmp
08/04/2004 01:56 AM 32,768 SET3307.tmp
08/04/2004 01:56 AM 265,728 SET3413.tmp
08/04/2004 01:56 AM 23,552 SET31CB.tmp
08/04/2004 01:56 AM 17,408 SET33E4.tmp
08/04/2004 01:56 AM 14,336 SET3229.tmp
08/04/2004 01:56 AM 57,856 SET324A.tmp
08/04/2004 01:56 AM 502,272 SET319E.tmp
08/04/2004 01:56 AM 33,280 SET32A8.tmp
08/04/2004 01:56 AM 32,768 SET330C.tmp
08/04/2004 01:56 AM 69,632 SET3309.tmp
08/04/2004 01:56 AM 77,312 SET336F.tmp
08/04/2004 01:56 AM 13,312 SET33B8.tmp
08/04/2004 01:56 AM 6,144 SET3487.tmp
08/04/2004 01:56 AM 27,648 SET3494.tmp
08/04/2004 01:56 AM 656,384 SET31A4.tmp
08/04/2004 01:56 AM 67,584 SET31C4.tmp
08/04/2004 01:56 AM 276,480 SET31C6.tmp
08/04/2004 01:56 AM 99,328 SET318C.tmp
08/04/2004 01:56 AM 49,152 SET31CD.tmp
08/04/2004 01:56 AM 174,592 SET31D0.tmp
08/04/2004 01:56 AM 430,592 SET31D8.tmp
08/04/2004 01:56 AM 18,944 SET31D9.tmp
08/04/2004 01:56 AM 417,792 SET31DC.tmp
08/04/2004 01:56 AM 218,624 SET31E0.tmp
08/04/2004 01:56 AM 406,528 SET31E2.tmp
08/04/2004 01:56 AM 723,456 SET31E3.tmp
08/04/2004 01:56 AM 577,024 SET31E4.tmp
08/04/2004 01:56 AM 16,896 SET31E6.tmp
08/04/2004 01:56 AM 601,088 SET31E7.tmp
08/04/2004 01:56 AM 37,888 SET31E9.tmp
08/04/2004 01:56 AM 132,608 SET31EE.tmp
08/04/2004 01:56 AM 13,824 SET31EF.tmp
08/04/2004 01:56 AM 74,240 SET31F0.tmp
08/04/2004 01:56 AM 32,768 SET31A3.tmp
08/04/2004 01:56 AM 118,272 SET31F2.tmp
08/04/2004 01:56 AM 90,624 SET31FA.tmp
08/04/2004 01:56 AM 385,536 SET31FE.tmp
08/04/2004 01:56 AM 295,424 SET31FF.tmp
08/04/2004 01:56 AM 45,568 SET3204.tmp
08/04/2004 01:56 AM 14,848 SET3205.tmp
08/04/2004 01:56 AM 246,272 SET3207.tmp
08/04/2004 01:56 AM 181,760 SET3208.tmp
08/04/2004 01:56 AM 713,216 SET3224.tmp
08/04/2004 01:56 AM 53,760 SET3187.tmp
08/04/2004 01:56 AM 359,936 SET3102.tmp
08/04/2004 01:56 AM 18,432 SET310E.tmp
08/04/2004 01:56 AM 22,528 SET311B.tmp
08/04/2004 01:56 AM 42,496 SET3124.tmp
08/04/2004 01:56 AM 19,968 SET3125.tmp
08/04/2004 01:56 AM 351,232 SET417E.tmp
08/04/2004 01:56 AM 19,968 SET315D.tmp
08/04/2004 01:56 AM 176,640 SET3186.tmp
08/04/2004 01:56 AM 82,944 SET3165.tmp
08/04/2004 01:56 AM 264,192 SET3174.tmp
08/04/2004 01:56 AM 16,896 SET3190.tmp
08/04/2004 01:56 AM 290,816 SET3188.tmp
08/04/2004 01:56 AM 92,672 SET3183.tmp
08/04/2004 01:56 AM 172,032 SET3184.tmp
08/04/2004 01:56 AM 6,656 SET4178.tmp
08/04/2004 01:56 AM 176,128 SET319A.tmp
08/04/2004 01:56 AM 8,384,000 SET3267.tmp
08/04/2004 01:56 AM 121,856 SET3233.tmp
08/04/2004 01:56 AM 25,088 SET3266.tmp
08/04/2004 01:56 AM 71,680 SET323F.tmp
08/04/2004 01:56 AM 34,816 SET3240.tmp
08/04/2004 01:56 AM 170,496 SET3243.tmp
08/04/2004 01:56 AM 180,800 SET3247.tmp
08/04/2004 01:56 AM 442,368 SET3249.tmp
08/04/2004 01:56 AM 74,752 SET324B.tmp
08/04/2004 01:56 AM 18,944 SET324E.tmp
08/04/2004 01:56 AM 65,536 SET3264.tmp
08/04/2004 01:56 AM 134,656 SET325B.tmp
08/04/2004 01:56 AM 473,600 SET3262.tmp
08/04/2004 01:56 AM 1,483,264 SET3272.tmp
08/04/2004 01:56 AM 581,120 SET32B0.tmp
08/04/2004 01:56 AM 431,616 SET32B1.tmp
08/04/2004 01:56 AM 58,880 SET32B3.tmp
08/04/2004 01:56 AM 59,904 SET32B8.tmp
08/04/2004 01:56 AM 49,664 SET32B9.tmp
08/04/2004 01:56 AM 112,128 SET32C9.tmp
08/04/2004 01:56 AM 206,336 SET32CB.tmp
08/04/2004 01:56 AM 174,080 SET32CD.tmp
08/04/2004 01:56 AM 69,632 SET32CE.tmp
08/04/2004 01:56 AM 8,192 SET32CF.tmp
08/04/2004 01:56 AM 34,304 SET32DA.tmp
08/04/2004 01:56 AM 96,768 SET32DE.tmp
08/04/2004 01:56 AM 23,040 SET32DF.tmp
08/04/2004 01:56 AM 27,648 SET32E2.tmp
08/04/2004 01:56 AM 17,408 SET32E4.tmp
08/04/2004 01:56 AM 15,360 SET32E8.tmp
08/04/2004 01:56 AM 83,456 SET32F6.tmp
08/04/2004 01:56 AM 1,281,536 SET32F8.tmp
08/04/2004 01:56 AM 147,456 SET32FF.tmp
08/04/2004 01:56 AM 44,032 SET32A9.tmp
08/04/2004 01:56 AM 180,224 SET32A1.tmp
08/04/2004 01:56 AM 65,536 SET3304.tmp
08/04/2004 01:56 AM 65,536 SET3305.tmp
08/04/2004 01:56 AM 106,496 SET3306.tmp
08/04/2004 01:56 AM 313,856 SET329F.tmp
08/04/2004 01:56 AM 190,976 SET329E.tmp
08/04/2004 01:56 AM 135,168 SET330A.tmp
08/04/2004 01:56 AM 24,576 SET330B.tmp
08/04/2004 01:56 AM 18,944 SET3298.tmp
08/04/2004 01:56 AM 16,384 SET330D.tmp
08/04/2004 01:56 AM 249,856 SET330E.tmp
08/04/2004 01:56 AM 266,752 SET3311.tmp
08/04/2004 01:56 AM 143,872 SET3313.tmp
08/04/2004 01:56 AM 118,784 SET3318.tmp
08/04/2004 01:56 AM 43,520 SET3319.tmp
08/04/2004 01:56 AM 67,072 SET331A.tmp
08/04/2004 01:56 AM 248,832 SET331F.tmp
08/04/2004 01:56 AM 245,760 SET3320.tmp
08/04/2004 01:56 AM 80,896 SET3321.tmp
08/04/2004 01:56 AM 1,708,032 SET3323.tmp
08/04/2004 01:56 AM 12,288 SET3326.tmp
08/04/2004 01:56 AM 198,144 SET3328.tmp
08/04/2004 01:56 AM 407,040 SET3329.tmp
08/04/2004 01:56 AM 622,080 SET332C.tmp
08/04/2004 01:56 AM 332,288 SET332D.tmp
08/04/2004 01:56 AM 55,808 SET3296.tmp
08/04/2004 01:56 AM 17,920 SET3333.tmp
08/04/2004 01:56 AM 36,352 SET3334.tmp
08/04/2004 01:56 AM 90,112 SET3337.tmp
08/04/2004 01:56 AM 66,560 SET3338.tmp
08/04/2004 01:56 AM 1,236,480 SET333A.tmp
08/04/2004 01:56 AM 245,248 SET333F.tmp
08/04/2004 01:56 AM 38,912 SET328D.tmp
08/04/2004 01:56 AM 6,656 SET328B.tmp
08/04/2004 01:56 AM 140,288 SET327D.tmp
08/04/2004 01:56 AM 395,776 SET32AF.tmp
08/04/2004 01:56 AM 5,120 SET3280.tmp
08/04/2004 01:56 AM 143,360 SET335E.tmp
08/04/2004 01:56 AM 413,696 SET3348.tmp
08/04/2004 01:56 AM 44,032 SET336A.tmp
08/04/2004 01:56 AM 159,232 SET336B.tmp
08/04/2004 01:56 AM 115,712 SET334E.tmp
08/04/2004 01:56 AM 4,608 SET336D.tmp
08/04/2004 01:56 AM 331,264 SET336E.tmp
08/04/2004 01:56 AM 30,208 SET335C.tmp
08/04/2004 01:56 AM 6,656 SET3371.tmp
08/04/2004 01:56 AM 2,804,224 SET3373.tmp
08/04/2004 01:56 AM 448,512 SET3375.tmp
08/04/2004 01:56 AM 343,040 SET3347.tmp
08/04/2004 01:56 AM 3,003,392 SET3377.tmp
08/04/2004 01:56 AM 994,304 SET337B.tmp
08/04/2004 01:56 AM 151,552 SET3388.tmp
08/04/2004 01:56 AM 294,400 SET338A.tmp
08/04/2004 01:56 AM 36,864 SET338B.tmp
08/04/2004 01:56 AM 27,136 SET3472.tmp
08/04/2004 01:56 AM 57,344 SET3390.tmp
08/04/2004 01:56 AM 71,680 SET3395.tmp
08/04/2004 01:56 AM 87,040 SET3396.tmp
08/04/2004 01:56 AM 59,904 SET3397.tmp
08/04/2004 01:56 AM 266,240 SET3473.tmp
08/04/2004 01:56 AM 586,240 SET33A9.tmp
08/04/2004 01:56 AM 18,944 SET33AB.tmp
08/04/2004 01:56 AM 1,028,096 SET33AE.tmp
08/04/2004 01:56 AM 118,272 SET33B0.tmp
08/04/2004 01:56 AM 23,552 SET3455.tmp
08/04/2004 01:56 AM 22,016 SET33BA.tmp
08/04/2004 01:56 AM 18,944 SET33C1.tmp
08/04/2004 01:56 AM 8,704 SET3475.tmp
08/04/2004 01:56 AM 294,400 SET33CE.tmp
08/04/2004 01:56 AM 450,560 SET33D1.tmp
08/04/2004 01:56 AM 182,784 SET33DE.tmp
08/04/2004 01:56 AM 94,720 SET33E2.tmp
08/04/2004 01:56 AM 24,576 SET3480.tmp
08/04/2004 01:56 AM 75,264 SET33EC.tmp
08/04/2004 01:56 AM 110,080 SET33F1.tmp
08/04/2004 01:56 AM 35,840 SET33F2.tmp
08/04/2004 01:56 AM 249,344 SET33FC.tmp
08/04/2004 01:56 AM 148,480 SET3450.tmp
08/04/2004 01:56 AM 11,264 SET3407.tmp
08/04/2004 01:56 AM 344,064 SET340C.tmp
08/04/2004 01:56 AM 153,600 SET339D.tmp
08/04/2004 01:56 AM 20,992 SET340E.tmp
08/04/2004 01:56 AM 45,568 SET344F.tmp
08/04/2004 01:56 AM 14,336 SET343E.tmp
08/04/2004 01:56 AM 278,016 SET3417.tmp
08/04/2004 01:56 AM 55,808 SET3422.tmp
08/04/2004 01:56 AM 1,082,368 SET3424.tmp
08/04/2004 01:56 AM 243,200 SET3425.tmp
08/04/2004 01:56 AM 23,040 SET3426.tmp
08/04/2004 01:56 AM 201,728 SET3428.tmp
08/04/2004 01:56 AM 357,888 SET3429.tmp
08/04/2004 01:56 AM 57,856 SET34A3.tmp
08/04/2004 01:56 AM 101,888 SET34DF.tmp
08/04/2004 01:56 AM 143,360 SET34DC.tmp
08/04/2004 01:56 AM 99,840 SET34D9.tmp
08/04/2004 01:56 AM 126,976 SET34D4.tmp
08/04/2004 01:56 AM 58,880 SET34CF.tmp
08/04/2004 01:56 AM 42,496 SET34CB.tmp
08/04/2004 01:56 AM 56,832 SET34CA.tmp
08/04/2004 01:56 AM 52,736 SET34C2.tmp
08/04/2004 01:56 AM 28,672 SET34C1.tmp
08/04/2004 01:56 AM 326,656 SET3488.tmp
08/04/2004 01:56 AM 101,888 SET348A.tmp
08/04/2004 01:56 AM 512,512 SET348B.tmp
08/04/2004 01:56 AM 60,416 SET348C.tmp
08/04/2004 01:56 AM 63,488 SET348D.tmp
08/04/2004 01:56 AM 33,280 SET348F.tmp
08/04/2004 01:56 AM 597,504 SET3491.tmp
08/04/2004 01:56 AM 163,840 SET3492.tmp
08/04/2004 01:56 AM 77,312 SET34BC.tmp
08/04/2004 01:56 AM 1,251,840 SET3496.tmp
08/04/2004 01:56 AM 792,064 SET3497.tmp
08/04/2004 01:56 AM 62,464 SET349A.tmp
08/04/2004 01:56 AM 47,104 SET349B.tmp
08/04/2004 01:56 AM 1,016,832 SET34BB.tmp
08/04/2004 01:56 AM 501,248 SET34AA.tmp
08/04/2004 01:56 AM 59,904 SET34B9.tmp
08/04/2004 01:56 AM 194,560 SET34B1.tmp
08/04/2004 01:56 AM 194,048 SET34E1.tmp
08/04/2004 01:56 AM 5,632 SET3182.tmp
08/04/2004 01:56 AM 549,376 SET3273.tmp
08/04/2004 01:56 AM 12,288 SET3300.tmp
08/04/2004 01:56 AM 94,208 SET3303.tmp
08/04/2004 01:56 AM 20,480 SET335F.tmp
08/04/2004 01:56 AM 48,128 SET335A.tmp
08/04/2004 01:56 AM 884,736 SET336C.tmp
08/04/2004 01:56 AM 12,288 SET338C.tmp
08/04/2004 01:56 AM 3,584 SET3404.tmp
08/04/2004 01:56 AM 16,896 SET34AE.tmp
08/04/2004 01:55 AM 63,488 SET34BD.tmp
08/04/2004 01:55 AM 285,696 SET34CD.tmp
08/03/2004 11:31 PM 152,576 SET32AE.tmp
08/03/2004 11:31 PM 137,216 SET3434.tmp
08/03/2004 11:22 PM 526,848 SET3410.tmp
08/03/2004 11:21 PM 90,112 SET3248.tmp
08/03/2004 11:19 PM 1,351,168 SET3376.tmp
08/29/2002 06:00 AM 2,577 CONFIG.TMP
237 File(s) 61,529,681 bytes
0 Dir(s) 33,536,991,232 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FA3E7947-4A29-4A6E-A596-F9277C05899E}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\hUicon32.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------




Hijack this analysis

Logfile of HijackThis v1.98.2
Scan saved at 1:26:37 PM, on 12/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\yaqvcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\amankiewicz\Desktop\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1101911752140
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cam.com
O17 - HKLM\Software\..\Telephony: DomainName = cam.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{790A3E61-E4F3-435D-B243-3ADB6BB7AC52}: NameServer = 192.168.1.3,192.168.1.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cam.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cam.com


Here are the two logs... Some of the files I was told to delete were not there when I went into safe mode, and I made sure I could see hidden files before I went into safe mode. That was the case both for entries in HijackThis and for files and folders in Winnt\system32.

Also, when I logged back on normally, the internet explorer homepage got set to about:blank. I don't know if that means anything.
Thanks for your help!

#4 Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 15 December 2004 - 05:28 PM

Hi, sorry for the delay

Here is a revised removal method:


Download the Killbox.
Unzip the contents of KillBox.zip to a convenient location.
Double-click on KillBox.exe.
Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\s2rslc971f.dll

Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "No" at the Pending Operations prompt.


Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\Guard.tmp

Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "Yes" at the Pending Operations prompt to restart your computer.

Double-click on find.bat and post the new output.txt.

Run hijackthis.exe and post a new log.
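The find.bat output in post #3 shows why the earlier fix did not finish the job: a Winlogon\Notify subkey (ShellScrap) loads C:\WINNT\system32\hUicon32.dll into winlogon.exe at every logon, and a DLL held open that way cannot be deleted from a running session, which is what the Killbox "Replace on Reboot" step above works around. The script below is an added example, not part of this thread or of Killbox, in two parts: it parses the REGEDIT4 "Keys Under Notify" section and reports any subkey outside a baseline, and it builds the PendingFileRenameOperations pairs that Windows' Session Manager processes at boot (the same mechanism MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT uses, and the way a delete-on-reboot tool registers its work). The XP_NOTIFY_BASELINE set is an assumption of the example, not something the thread states. Note that the log itself reports the system root as C:\WINNT, so the demonstration uses that path rather than the C:\WINDOWS path written in the reply.

```python
"""Flag non-baseline Winlogon\\Notify hooks in find.bat output and prepare a
delete-on-reboot list of the kind 'Replace on Reboot' registers."""

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumption of this example (not stated in the thread): Winlogon\Notify subkeys
# that ship with a stock Windows XP install. Anything else loading a DLL into
# winlogon.exe deserves a look.
XP_NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                      "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Constructed sample: the Notify section as posted in the find.bat output above.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\hUicon32.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value}} from a REGEDIT4 text export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value
    return keys


def reg_string(raw):
    """Decode a REGEDIT4 string value: strip the quotes, unescape \\" and \\\\."""
    if not (raw.startswith('"') and raw.endswith('"')):
        return None
    return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def suspicious_notify_dlls(text):
    """Return [(subkey, dll_path)] for Notify subkeys outside the baseline that load a DLL."""
    out = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(NOTIFY_ROOT.lower() + "\\"):
            continue  # the Notify root itself carries no DllName of interest
        sub = key.rsplit("\\", 1)[1]
        dll = reg_string(values.get("DllName", '""'))
        if sub.lower() not in XP_NOTIFY_BASELINE and dll:
            out.append((sub, dll))
    return out


def pending_rename_entries(operations):
    """Build the PendingFileRenameOperations pairs that Session Manager applies at
    boot. operations is [(source, destination_or_None)]: None means delete the
    source; a destination is prefixed with '!' so an existing file is overwritten,
    which is how a dummy file gets swapped in over a locked one."""
    entries = []
    for src, dst in operations:
        entries.append("\\??\\" + src)
        entries.append("" if dst is None else "!\\??\\" + dst)
    return entries


def encode_multi_sz(strings):
    """REG_MULTI_SZ wire format: UTF-16LE strings, each NUL-terminated, plus a final NUL.
    An empty destination therefore appears as a lone NUL, which is why regedit's
    editor displays PendingFileRenameOperations oddly; Session Manager reads pairs."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"


if __name__ == "__main__":
    for sub, dll in suspicious_notify_dlls(SAMPLE_EXPORT):
        print(f"Notify\\{sub} loads {dll} into winlogon.exe")
    # The two files the reply above removes, using the C:\WINNT root the log reports.
    ops = [(r"C:\WINNT\System32\s2rslc971f.dll", None),
           (r"C:\WINNT\System32\Guard.tmp", None)]
    for entry in pending_rename_entries(ops):
        print(repr(entry))
    print(len(encode_multi_sz(pending_rename_entries(ops))), "bytes of REG_MULTI_SZ")
```

On the sample this reports only the ShellScrap hook; a clean XP box would report nothing. The pending-rename list is built but deliberately not written to the registry, since doing so needs an elevated session on the affected machine and the point here is to show what the "Replace on Reboot" step actually records. Removing the Notify subkey before the reboot matters as much as the file deletions: otherwise winlogon.exe tries to load the DLL again at the next logon and, if a copy survives, the hook is back.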

#5 krazychick214
  • Topic Starter

  • Members
  • 18 posts

Posted 16 December 2004 - 11:18 AM

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 0C7A-D9F2

Directory of C:\WINNT\System32

12/15/2004 10:35 AM <DIR> dllcache
12/14/2004 04:28 PM 223,370 s2rslc971f.dll
01/09/2003 10:41 AM <DIR> Microsoft
1 File(s) 223,370 bytes
2 Dir(s) 33,536,008,192 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 0C7A-D9F2

Directory of C:\WINNT\System32

12/15/2004 10:35 AM <DIR> dllcache
01/09/2003 10:31 AM 488 logonui.exe.manifest
01/09/2003 10:31 AM 488 WindowsLogon.manifest
01/09/2003 10:31 AM 749 nwc.cpl.manifest
01/09/2003 10:31 AM 749 sapi.cpl.manifest
01/09/2003 10:31 AM 749 ncpa.cpl.manifest
01/09/2003 10:31 AM 749 wuaucpl.cpl.manifest
01/09/2003 10:31 AM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 33,536,008,192 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 0C7A-D9F2

Directory of C:\WINNT\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 0C7A-D9F2

Directory of C:\WINNT\System32

09/22/2004 06:46 PM 20,480 setb5.tmp
09/22/2004 06:46 PM 20,480 setb4.tmp
08/04/2004 01:56 AM 29,696 SET340D.tmp
08/04/2004 01:56 AM 56,832 SET3330.tmp
08/04/2004 01:56 AM 33,280 SET33CC.tmp
08/04/2004 01:56 AM 206,848 SET31F1.tmp
08/04/2004 01:56 AM 32,768 SET3307.tmp
08/04/2004 01:56 AM 265,728 SET3413.tmp
08/04/2004 01:56 AM 23,552 SET31CB.tmp
08/04/2004 01:56 AM 17,408 SET33E4.tmp
08/04/2004 01:56 AM 14,336 SET3229.tmp
08/04/2004 01:56 AM 57,856 SET324A.tmp
08/04/2004 01:56 AM 502,272 SET319E.tmp
08/04/2004 01:56 AM 33,280 SET32A8.tmp
08/04/2004 01:56 AM 32,768 SET330C.tmp
08/04/2004 01:56 AM 69,632 SET3309.tmp
08/04/2004 01:56 AM 77,312 SET336F.tmp
08/04/2004 01:56 AM 13,312 SET33B8.tmp
08/04/2004 01:56 AM 6,144 SET3487.tmp
08/04/2004 01:56 AM 27,648 SET3494.tmp
08/04/2004 01:56 AM 656,384 SET31A4.tmp
08/04/2004 01:56 AM 67,584 SET31C4.tmp
08/04/2004 01:56 AM 276,480 SET31C6.tmp
08/04/2004 01:56 AM 99,328 SET318C.tmp
08/04/2004 01:56 AM 49,152 SET31CD.tmp
08/04/2004 01:56 AM 174,592 SET31D0.tmp
08/04/2004 01:56 AM 430,592 SET31D8.tmp
08/04/2004 01:56 AM 18,944 SET31D9.tmp
08/04/2004 01:56 AM 417,792 SET31DC.tmp
08/04/2004 01:56 AM 218,624 SET31E0.tmp
08/04/2004 01:56 AM 406,528 SET31E2.tmp
08/04/2004 01:56 AM 723,456 SET31E3.tmp
08/04/2004 01:56 AM 577,024 SET31E4.tmp
08/04/2004 01:56 AM 16,896 SET31E6.tmp
08/04/2004 01:56 AM 601,088 SET31E7.tmp
08/04/2004 01:56 AM 37,888 SET31E9.tmp
08/04/2004 01:56 AM 132,608 SET31EE.tmp
08/04/2004 01:56 AM 13,824 SET31EF.tmp
08/04/2004 01:56 AM 74,240 SET31F0.tmp
08/04/2004 01:56 AM 32,768 SET31A3.tmp
08/04/2004 01:56 AM 118,272 SET31F2.tmp
08/04/2004 01:56 AM 90,624 SET31FA.tmp
08/04/2004 01:56 AM 385,536 SET31FE.tmp
08/04/2004 01:56 AM 295,424 SET31FF.tmp
08/04/2004 01:56 AM 45,568 SET3204.tmp
08/04/2004 01:56 AM 14,848 SET3205.tmp
08/04/2004 01:56 AM 246,272 SET3207.tmp
08/04/2004 01:56 AM 181,760 SET3208.tmp
08/04/2004 01:56 AM 713,216 SET3224.tmp
08/04/2004 01:56 AM 53,760 SET3187.tmp
08/04/2004 01:56 AM 359,936 SET3102.tmp
08/04/2004 01:56 AM 18,432 SET310E.tmp
08/04/2004 01:56 AM 22,528 SET311B.tmp
08/04/2004 01:56 AM 42,496 SET3124.tmp
08/04/2004 01:56 AM 19,968 SET3125.tmp
08/04/2004 01:56 AM 351,232 SET417E.tmp
08/04/2004 01:56 AM 19,968 SET315D.tmp
08/04/2004 01:56 AM 176,640 SET3186.tmp
08/04/2004 01:56 AM 82,944 SET3165.tmp
08/04/2004 01:56 AM 264,192 SET3174.tmp
08/04/2004 01:56 AM 16,896 SET3190.tmp
08/04/2004 01:56 AM 290,816 SET3188.tmp
08/04/2004 01:56 AM 92,672 SET3183.tmp
08/04/2004 01:56 AM 172,032 SET3184.tmp
08/04/2004 01:56 AM 6,656 SET4178.tmp
08/04/2004 01:56 AM 176,128 SET319A.tmp
08/04/2004 01:56 AM 8,384,000 SET3267.tmp
08/04/2004 01:56 AM 121,856 SET3233.tmp
08/04/2004 01:56 AM 25,088 SET3266.tmp
08/04/2004 01:56 AM 71,680 SET323F.tmp
08/04/2004 01:56 AM 34,816 SET3240.tmp
08/04/2004 01:56 AM 170,496 SET3243.tmp
08/04/2004 01:56 AM 180,800 SET3247.tmp
08/04/2004 01:56 AM 442,368 SET3249.tmp
08/04/2004 01:56 AM 74,752 SET324B.tmp
08/04/2004 01:56 AM 18,944 SET324E.tmp
08/04/2004 01:56 AM 65,536 SET3264.tmp
08/04/2004 01:56 AM 134,656 SET325B.tmp
08/04/2004 01:56 AM 473,600 SET3262.tmp
08/04/2004 01:56 AM 1,483,264 SET3272.tmp
08/04/2004 01:56 AM 581,120 SET32B0.tmp
08/04/2004 01:56 AM 431,616 SET32B1.tmp
08/04/2004 01:56 AM 58,880 SET32B3.tmp
08/04/2004 01:56 AM 59,904 SET32B8.tmp
08/04/2004 01:56 AM 49,664 SET32B9.tmp
08/04/2004 01:56 AM 112,128 SET32C9.tmp
08/04/2004 01:56 AM 206,336 SET32CB.tmp
08/04/2004 01:56 AM 174,080 SET32CD.tmp
08/04/2004 01:56 AM 69,632 SET32CE.tmp
08/04/2004 01:56 AM 8,192 SET32CF.tmp
08/04/2004 01:56 AM 34,304 SET32DA.tmp
08/04/2004 01:56 AM 96,768 SET32DE.tmp
08/04/2004 01:56 AM 23,040 SET32DF.tmp
08/04/2004 01:56 AM 27,648 SET32E2.tmp
08/04/2004 01:56 AM 17,408 SET32E4.tmp
08/04/2004 01:56 AM 15,360 SET32E8.tmp
08/04/2004 01:56 AM 83,456 SET32F6.tmp
08/04/2004 01:56 AM 1,281,536 SET32F8.tmp
08/04/2004 01:56 AM 147,456 SET32FF.tmp
08/04/2004 01:56 AM 44,032 SET32A9.tmp
08/04/2004 01:56 AM 180,224 SET32A1.tmp
08/04/2004 01:56 AM 65,536 SET3304.tmp
08/04/2004 01:56 AM 65,536 SET3305.tmp
08/04/2004 01:56 AM 106,496 SET3306.tmp
08/04/2004 01:56 AM 313,856 SET329F.tmp
08/04/2004 01:56 AM 190,976 SET329E.tmp
08/04/2004 01:56 AM 135,168 SET330A.tmp
08/04/2004 01:56 AM 24,576 SET330B.tmp
08/04/2004 01:56 AM 18,944 SET3298.tmp
08/04/2004 01:56 AM 16,384 SET330D.tmp
08/04/2004 01:56 AM 249,856 SET330E.tmp
08/04/2004 01:56 AM 266,752 SET3311.tmp
08/04/2004 01:56 AM 143,872 SET3313.tmp
08/04/2004 01:56 AM 118,784 SET3318.tmp
08/04/2004 01:56 AM 43,520 SET3319.tmp
08/04/2004 01:56 AM 67,072 SET331A.tmp
08/04/2004 01:56 AM 248,832 SET331F.tmp
08/04/2004 01:56 AM 245,760 SET3320.tmp
08/04/2004 01:56 AM 80,896 SET3321.tmp
08/04/2004 01:56 AM 1,708,032 SET3323.tmp
08/04/2004 01:56 AM 12,288 SET3326.tmp
08/04/2004 01:56 AM 198,144 SET3328.tmp
08/04/2004 01:56 AM 407,040 SET3329.tmp
08/04/2004 01:56 AM 622,080 SET332C.tmp
08/04/2004 01:56 AM 332,288 SET332D.tmp
08/04/2004 01:56 AM 55,808 SET3296.tmp
08/04/2004 01:56 AM 17,920 SET3333.tmp
08/04/2004 01:56 AM 36,352 SET3334.tmp
08/04/2004 01:56 AM 90,112 SET3337.tmp
08/04/2004 01:56 AM 66,560 SET3338.tmp
08/04/2004 01:56 AM 1,236,480 SET333A.tmp
08/04/2004 01:56 AM 245,248 SET333F.tmp
08/04/2004 01:56 AM 38,912 SET328D.tmp
08/04/2004 01:56 AM 6,656 SET328B.tmp
08/04/2004 01:56 AM 140,288 SET327D.tmp
08/04/2004 01:56 AM 395,776 SET32AF.tmp
08/04/2004 01:56 AM 5,120 SET3280.tmp
08/04/2004 01:56 AM 143,360 SET335E.tmp
08/04/2004 01:56 AM 413,696 SET3348.tmp
08/04/2004 01:56 AM 44,032 SET336A.tmp
08/04/2004 01:56 AM 159,232 SET336B.tmp
08/04/2004 01:56 AM 115,712 SET334E.tmp
08/04/2004 01:56 AM 4,608 SET336D.tmp
08/04/2004 01:56 AM 331,264 SET336E.tmp
08/04/2004 01:56 AM 30,208 SET335C.tmp
08/04/2004 01:56 AM 6,656 SET3371.tmp
08/04/2004 01:56 AM 2,804,224 SET3373.tmp
08/04/2004 01:56 AM 448,512 SET3375.tmp
08/04/2004 01:56 AM 343,040 SET3347.tmp
08/04/2004 01:56 AM 3,003,392 SET3377.tmp
08/04/2004 01:56 AM 994,304 SET337B.tmp
08/04/2004 01:56 AM 151,552 SET3388.tmp
08/04/2004 01:56 AM 294,400 SET338A.tmp
08/04/2004 01:56 AM 36,864 SET338B.tmp
08/04/2004 01:56 AM 27,136 SET3472.tmp
08/04/2004 01:56 AM 57,344 SET3390.tmp
08/04/2004 01:56 AM 71,680 SET3395.tmp
08/04/2004 01:56 AM 87,040 SET3396.tmp
08/04/2004 01:56 AM 59,904 SET3397.tmp
08/04/2004 01:56 AM 266,240 SET3473.tmp
08/04/2004 01:56 AM 586,240 SET33A9.tmp
08/04/2004 01:56 AM 18,944 SET33AB.tmp
08/04/2004 01:56 AM 1,028,096 SET33AE.tmp
08/04/2004 01:56 AM 118,272 SET33B0.tmp
08/04/2004 01:56 AM 23,552 SET3455.tmp
08/04/2004 01:56 AM 22,016 SET33BA.tmp
08/04/2004 01:56 AM 18,944 SET33C1.tmp
08/04/2004 01:56 AM 8,704 SET3475.tmp
08/04/2004 01:56 AM 294,400 SET33CE.tmp
08/04/2004 01:56 AM 450,560 SET33D1.tmp
08/04/2004 01:56 AM 182,784 SET33DE.tmp
08/04/2004 01:56 AM 94,720 SET33E2.tmp
08/04/2004 01:56 AM 24,576 SET3480.tmp
08/04/2004 01:56 AM 75,264 SET33EC.tmp
08/04/2004 01:56 AM 110,080 SET33F1.tmp
08/04/2004 01:56 AM 35,840 SET33F2.tmp
08/04/2004 01:56 AM 249,344 SET33FC.tmp
08/04/2004 01:56 AM 148,480 SET3450.tmp
08/04/2004 01:56 AM 11,264 SET3407.tmp
08/04/2004 01:56 AM 344,064 SET340C.tmp
08/04/2004 01:56 AM 153,600 SET339D.tmp
08/04/2004 01:56 AM 20,992 SET340E.tmp
08/04/2004 01:56 AM 45,568 SET344F.tmp
08/04/2004 01:56 AM 14,336 SET343E.tmp
08/04/2004 01:56 AM 278,016 SET3417.tmp
08/04/2004 01:56 AM 55,808 SET3422.tmp
08/04/2004 01:56 AM 1,082,368 SET3424.tmp
08/04/2004 01:56 AM 243,200 SET3425.tmp
08/04/2004 01:56 AM 23,040 SET3426.tmp
08/04/2004 01:56 AM 201,728 SET3428.tmp
08/04/2004 01:56 AM 357,888 SET3429.tmp
08/04/2004 01:56 AM 57,856 SET34A3.tmp
08/04/2004 01:56 AM 101,888 SET34DF.tmp
08/04/2004 01:56 AM 143,360 SET34DC.tmp
08/04/2004 01:56 AM 99,840 SET34D9.tmp
08/04/2004 01:56 AM 126,976 SET34D4.tmp
08/04/2004 01:56 AM 58,880 SET34CF.tmp
08/04/2004 01:56 AM 42,496 SET34CB.tmp
08/04/2004 01:56 AM 56,832 SET34CA.tmp
08/04/2004 01:56 AM 52,736 SET34C2.tmp
08/04/2004 01:56 AM 28,672 SET34C1.tmp
08/04/2004 01:56 AM 326,656 SET3488.tmp
08/04/2004 01:56 AM 101,888 SET348A.tmp
08/04/2004 01:56 AM 512,512 SET348B.tmp
08/04/2004 01:56 AM 60,416 SET348C.tmp
08/04/2004 01:56 AM 63,488 SET348D.tmp
08/04/2004 01:56 AM 33,280 SET348F.tmp
08/04/2004 01:56 AM 597,504 SET3491.tmp
08/04/2004 01:56 AM 163,840 SET3492.tmp
08/04/2004 01:56 AM 77,312 SET34BC.tmp
08/04/2004 01:56 AM 1,251,840 SET3496.tmp
08/04/2004 01:56 AM 792,064 SET3497.tmp
08/04/2004 01:56 AM 62,464 SET349A.tmp
08/04/2004 01:56 AM 47,104 SET349B.tmp
08/04/2004 01:56 AM 1,016,832 SET34BB.tmp
08/04/2004 01:56 AM 501,248 SET34AA.tmp
08/04/2004 01:56 AM 59,904 SET34B9.tmp
08/04/2004 01:56 AM 194,560 SET34B1.tmp
08/04/2004 01:56 AM 194,048 SET34E1.tmp
08/04/2004 01:56 AM 5,632 SET3182.tmp
08/04/2004 01:56 AM 549,376 SET3273.tmp
08/04/2004 01:56 AM 12,288 SET3300.tmp
08/04/2004 01:56 AM 94,208 SET3303.tmp
08/04/2004 01:56 AM 20,480 SET335F.tmp
08/04/2004 01:56 AM 48,128 SET335A.tmp
08/04/2004 01:56 AM 884,736 SET336C.tmp
08/04/2004 01:56 AM 12,288 SET338C.tmp
08/04/2004 01:56 AM 3,584 SET3404.tmp
08/04/2004 01:56 AM 16,896 SET34AE.tmp
08/04/2004 01:55 AM 63,488 SET34BD.tmp
08/04/2004 01:55 AM 285,696 SET34CD.tmp
08/03/2004 11:31 PM 152,576 SET32AE.tmp
08/03/2004 11:31 PM 137,216 SET3434.tmp
08/03/2004 11:22 PM 526,848 SET3410.tmp
08/03/2004 11:21 PM 90,112 SET3248.tmp
08/03/2004 11:19 PM 1,351,168 SET3376.tmp
08/29/2002 06:00 AM 2,577 CONFIG.TMP
237 File(s) 61,529,681 bytes
0 Dir(s) 33,535,991,808 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FA3E7947-4A29-4A6E-A596-F9277C05899E}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\hUicon32.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------



Logfile of HijackThis v1.98.2
Scan saved at 10:18:32 AM, on 12/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\yaqvcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\amankiewicz\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1101911752140
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cam.com
O17 - HKLM\Software\..\Telephony: DomainName = cam.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{790A3E61-E4F3-435D-B243-3ADB6BB7AC52}: NameServer = 192.168.1.3,192.168.1.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cam.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cam.com

Thanks again for all your help!
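
The "Keys Under Notify" section of the find.bat output above is the part of this log that deserves the closest look: Winlogon loads every DllName registered under that key into winlogon.exe at logon, which makes it a persistence point and also explains why such a file stays in use while Windows is running. What follows is an added example, not code from the thread or from find.bat: a small parser for the REGEDIT4 export format that find.bat prints, plus a check that flags notify subkeys outside the stock Windows XP set or whose DllName is a full path rather than a bare module name. The stock-package allowlist is my assumption and should be confirmed against a known-clean reference machine; the two Notify blocks in the sample are the ones posted above, and the crypt32chain entry is constructed to show a passing case.

```python
r"""Audit Winlogon Notify packages from a REGEDIT4 export.

Constructed example for this thread (not find.bat's code and not from the
original posts). Winlogon loads every DllName listed under
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify into
winlogon.exe at logon, so an unexpected package there is both a persistence
point and a file that stays in use while Windows is running.
"""
import re

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Subkeys present on a stock Windows XP install (assumed allowlist; confirm it
# against a known-clean reference machine before relying on it).
STOCK_NOTIFY_PACKAGES = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _unescape(s):
    """.reg exports escape backslashes and double quotes inside string data."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: data}}.

    dword data becomes an int; quoted string data is unescaped; anything else
    (hex:, binary) is kept as the raw text after '='.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                keys[current][name] = _unescape(data[1:-1])
            else:
                keys[current][name] = data
    return keys


def audit_notify_packages(keys):
    """Return (subkey, DllName, reasons) for notify packages that deserve a look."""
    prefix = NOTIFY_ROOT.lower() + "\\"
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue  # the Notify key itself, or an unrelated key
        sub = path[len(prefix):]
        dll = values.get("DllName", "")
        reasons = []
        if sub.lower() not in STOCK_NOTIFY_PACKAGES:
            reasons.append("subkey is not a stock Windows notify package")
        if "\\" in dll:
            reasons.append("DllName is a full path; stock packages use a bare module name")
        if reasons:
            findings.append((sub, dll, reasons))
    return findings


# The two Notify blocks from the find.bat output posted above, plus one
# constructed stock entry (crypt32chain) to show what passes the checks.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\hUicon32.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"
"Impersonate"=dword:00000000
"""


if __name__ == "__main__":
    for sub, dll, reasons in audit_notify_packages(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{sub}: {dll}\n  - " + "\n  - ".join(reasons))
```

Run against the sample, only ShellScrap is reported, on both counts: it is not a stock package name, and its DllName is an absolute path into system32. The parser ignores the parent Notify key (whose DllName is empty) and anything outside the Notify subtree, so the same function can be pointed at a full registry export.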

#6 Daisuke

    Cleaner on Duty

  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:08:30 PM

Posted 16 December 2004 - 11:51 AM

Please repeat the steps and use Killbox to delete the files. The same files are still there.

#7 krazychick214
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:30 PM

Posted 16 December 2004 - 01:10 PM

Is my computer supposed to reboot after I click yes on the second file? It doesn't reboot, and I am wondering if that is why the files are still there.

#8 Daisuke

    Cleaner on Duty

  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:08:30 PM

Posted 16 December 2004 - 01:19 PM

Is my computer supposed to reboot after I click yes on the second file?

Yes.

It doesn't reboot

Help him :thumbsup: - click Start --> Restart

Run hijackthis again, find.bat and post the logs.

#9 krazychick214
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:30 PM

Posted 16 December 2004 - 01:48 PM

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 0C7A-D9F2

Directory of C:\WINNT\System32

12/15/2004 10:35 AM <DIR> dllcache
12/14/2004 04:28 PM 223,370 s2rslc971f.dll
01/09/2003 10:41 AM <DIR> Microsoft
1 File(s) 223,370 bytes
2 Dir(s) 33,533,452,288 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 0C7A-D9F2

Directory of C:\WINNT\System32

12/15/2004 10:35 AM <DIR> dllcache
01/09/2003 10:31 AM 488 logonui.exe.manifest
01/09/2003 10:31 AM 488 WindowsLogon.manifest
01/09/2003 10:31 AM 749 nwc.cpl.manifest
01/09/2003 10:31 AM 749 sapi.cpl.manifest
01/09/2003 10:31 AM 749 ncpa.cpl.manifest
01/09/2003 10:31 AM 749 wuaucpl.cpl.manifest
01/09/2003 10:31 AM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 33,533,452,288 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 0C7A-D9F2

Directory of C:\WINNT\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 0C7A-D9F2

Directory of C:\WINNT\System32

09/22/2004 06:46 PM 20,480 setb5.tmp
09/22/2004 06:46 PM 20,480 setb4.tmp
08/04/2004 01:56 AM 29,696 SET340D.tmp
08/04/2004 01:56 AM 56,832 SET3330.tmp
08/04/2004 01:56 AM 33,280 SET33CC.tmp
08/04/2004 01:56 AM 206,848 SET31F1.tmp
08/04/2004 01:56 AM 32,768 SET3307.tmp
08/04/2004 01:56 AM 265,728 SET3413.tmp
08/04/2004 01:56 AM 23,552 SET31CB.tmp
08/04/2004 01:56 AM 17,408 SET33E4.tmp
08/04/2004 01:56 AM 14,336 SET3229.tmp
08/04/2004 01:56 AM 57,856 SET324A.tmp
08/04/2004 01:56 AM 502,272 SET319E.tmp
08/04/2004 01:56 AM 33,280 SET32A8.tmp
08/04/2004 01:56 AM 32,768 SET330C.tmp
08/04/2004 01:56 AM 69,632 SET3309.tmp
08/04/2004 01:56 AM 77,312 SET336F.tmp
08/04/2004 01:56 AM 13,312 SET33B8.tmp
08/04/2004 01:56 AM 6,144 SET3487.tmp
08/04/2004 01:56 AM 27,648 SET3494.tmp
08/04/2004 01:56 AM 656,384 SET31A4.tmp
08/04/2004 01:56 AM 67,584 SET31C4.tmp
08/04/2004 01:56 AM 276,480 SET31C6.tmp
08/04/2004 01:56 AM 99,328 SET318C.tmp
08/04/2004 01:56 AM 49,152 SET31CD.tmp
08/04/2004 01:56 AM 174,592 SET31D0.tmp
08/04/2004 01:56 AM 430,592 SET31D8.tmp
08/04/2004 01:56 AM 18,944 SET31D9.tmp
08/04/2004 01:56 AM 417,792 SET31DC.tmp
08/04/2004 01:56 AM 218,624 SET31E0.tmp
08/04/2004 01:56 AM 406,528 SET31E2.tmp
08/04/2004 01:56 AM 723,456 SET31E3.tmp
08/04/2004 01:56 AM 577,024 SET31E4.tmp
08/04/2004 01:56 AM 16,896 SET31E6.tmp
08/04/2004 01:56 AM 601,088 SET31E7.tmp
08/04/2004 01:56 AM 37,888 SET31E9.tmp
08/04/2004 01:56 AM 132,608 SET31EE.tmp
08/04/2004 01:56 AM 13,824 SET31EF.tmp
08/04/2004 01:56 AM 74,240 SET31F0.tmp
08/04/2004 01:56 AM 32,768 SET31A3.tmp
08/04/2004 01:56 AM 118,272 SET31F2.tmp
08/04/2004 01:56 AM 90,624 SET31FA.tmp
08/04/2004 01:56 AM 385,536 SET31FE.tmp
08/04/2004 01:56 AM 295,424 SET31FF.tmp
08/04/2004 01:56 AM 45,568 SET3204.tmp
08/04/2004 01:56 AM 14,848 SET3205.tmp
08/04/2004 01:56 AM 246,272 SET3207.tmp
08/04/2004 01:56 AM 181,760 SET3208.tmp
08/04/2004 01:56 AM 713,216 SET3224.tmp
08/04/2004 01:56 AM 53,760 SET3187.tmp
08/04/2004 01:56 AM 359,936 SET3102.tmp
08/04/2004 01:56 AM 18,432 SET310E.tmp
08/04/2004 01:56 AM 22,528 SET311B.tmp
08/04/2004 01:56 AM 42,496 SET3124.tmp
08/04/2004 01:56 AM 19,968 SET3125.tmp
08/04/2004 01:56 AM 351,232 SET417E.tmp
08/04/2004 01:56 AM 19,968 SET315D.tmp
08/04/2004 01:56 AM 176,640 SET3186.tmp
08/04/2004 01:56 AM 82,944 SET3165.tmp
08/04/2004 01:56 AM 264,192 SET3174.tmp
08/04/2004 01:56 AM 16,896 SET3190.tmp
08/04/2004 01:56 AM 290,816 SET3188.tmp
08/04/2004 01:56 AM 92,672 SET3183.tmp
08/04/2004 01:56 AM 172,032 SET3184.tmp
08/04/2004 01:56 AM 6,656 SET4178.tmp
08/04/2004 01:56 AM 176,128 SET319A.tmp
08/04/2004 01:56 AM 8,384,000 SET3267.tmp
08/04/2004 01:56 AM 121,856 SET3233.tmp
08/04/2004 01:56 AM 25,088 SET3266.tmp
08/04/2004 01:56 AM 71,680 SET323F.tmp
08/04/2004 01:56 AM 34,816 SET3240.tmp
08/04/2004 01:56 AM 170,496 SET3243.tmp
08/04/2004 01:56 AM 180,800 SET3247.tmp
08/04/2004 01:56 AM 442,368 SET3249.tmp
08/04/2004 01:56 AM 74,752 SET324B.tmp
08/04/2004 01:56 AM 18,944 SET324E.tmp
08/04/2004 01:56 AM 65,536 SET3264.tmp
08/04/2004 01:56 AM 134,656 SET325B.tmp
08/04/2004 01:56 AM 473,600 SET3262.tmp
08/04/2004 01:56 AM 1,483,264 SET3272.tmp
08/04/2004 01:56 AM 581,120 SET32B0.tmp
08/04/2004 01:56 AM 431,616 SET32B1.tmp
08/04/2004 01:56 AM 58,880 SET32B3.tmp
08/04/2004 01:56 AM 59,904 SET32B8.tmp
08/04/2004 01:56 AM 49,664 SET32B9.tmp
08/04/2004 01:56 AM 112,128 SET32C9.tmp
08/04/2004 01:56 AM 206,336 SET32CB.tmp
08/04/2004 01:56 AM 174,080 SET32CD.tmp
08/04/2004 01:56 AM 69,632 SET32CE.tmp
08/04/2004 01:56 AM 8,192 SET32CF.tmp
08/04/2004 01:56 AM 34,304 SET32DA.tmp
08/04/2004 01:56 AM 96,768 SET32DE.tmp
08/04/2004 01:56 AM 23,040 SET32DF.tmp
08/04/2004 01:56 AM 27,648 SET32E2.tmp
08/04/2004 01:56 AM 17,408 SET32E4.tmp
08/04/2004 01:56 AM 15,360 SET32E8.tmp
08/04/2004 01:56 AM 83,456 SET32F6.tmp
08/04/2004 01:56 AM 1,281,536 SET32F8.tmp
08/04/2004 01:56 AM 147,456 SET32FF.tmp
08/04/2004 01:56 AM 44,032 SET32A9.tmp
08/04/2004 01:56 AM 180,224 SET32A1.tmp
08/04/2004 01:56 AM 65,536 SET3304.tmp
08/04/2004 01:56 AM 65,536 SET3305.tmp
08/04/2004 01:56 AM 106,496 SET3306.tmp
08/04/2004 01:56 AM 313,856 SET329F.tmp
08/04/2004 01:56 AM 190,976 SET329E.tmp
08/04/2004 01:56 AM 135,168 SET330A.tmp
08/04/2004 01:56 AM 24,576 SET330B.tmp
08/04/2004 01:56 AM 18,944 SET3298.tmp
08/04/2004 01:56 AM 16,384 SET330D.tmp
08/04/2004 01:56 AM 249,856 SET330E.tmp
08/04/2004 01:56 AM 266,752 SET3311.tmp
08/04/2004 01:56 AM 143,872 SET3313.tmp
08/04/2004 01:56 AM 118,784 SET3318.tmp
08/04/2004 01:56 AM 43,520 SET3319.tmp
08/04/2004 01:56 AM 67,072 SET331A.tmp
08/04/2004 01:56 AM 248,832 SET331F.tmp
08/04/2004 01:56 AM 245,760 SET3320.tmp
08/04/2004 01:56 AM 80,896 SET3321.tmp
08/04/2004 01:56 AM 1,708,032 SET3323.tmp
08/04/2004 01:56 AM 12,288 SET3326.tmp
08/04/2004 01:56 AM 198,144 SET3328.tmp
08/04/2004 01:56 AM 407,040 SET3329.tmp
08/04/2004 01:56 AM 622,080 SET332C.tmp
08/04/2004 01:56 AM 332,288 SET332D.tmp
08/04/2004 01:56 AM 55,808 SET3296.tmp
08/04/2004 01:56 AM 17,920 SET3333.tmp
08/04/2004 01:56 AM 36,352 SET3334.tmp
08/04/2004 01:56 AM 90,112 SET3337.tmp
08/04/2004 01:56 AM 66,560 SET3338.tmp
08/04/2004 01:56 AM 1,236,480 SET333A.tmp
08/04/2004 01:56 AM 245,248 SET333F.tmp
08/04/2004 01:56 AM 38,912 SET328D.tmp
08/04/2004 01:56 AM 6,656 SET328B.tmp
08/04/2004 01:56 AM 140,288 SET327D.tmp
08/04/2004 01:56 AM 395,776 SET32AF.tmp
08/04/2004 01:56 AM 5,120 SET3280.tmp
08/04/2004 01:56 AM 143,360 SET335E.tmp
08/04/2004 01:56 AM 413,696 SET3348.tmp
08/04/2004 01:56 AM 44,032 SET336A.tmp
08/04/2004 01:56 AM 159,232 SET336B.tmp
08/04/2004 01:56 AM 115,712 SET334E.tmp
08/04/2004 01:56 AM 4,608 SET336D.tmp
08/04/2004 01:56 AM 331,264 SET336E.tmp
08/04/2004 01:56 AM 30,208 SET335C.tmp
08/04/2004 01:56 AM 6,656 SET3371.tmp
08/04/2004 01:56 AM 2,804,224 SET3373.tmp
08/04/2004 01:56 AM 448,512 SET3375.tmp
08/04/2004 01:56 AM 343,040 SET3347.tmp
08/04/2004 01:56 AM 3,003,392 SET3377.tmp
08/04/2004 01:56 AM 994,304 SET337B.tmp
08/04/2004 01:56 AM 151,552 SET3388.tmp
08/04/2004 01:56 AM 294,400 SET338A.tmp
08/04/2004 01:56 AM 36,864 SET338B.tmp
08/04/2004 01:56 AM 27,136 SET3472.tmp
08/04/2004 01:56 AM 57,344 SET3390.tmp
08/04/2004 01:56 AM 71,680 SET3395.tmp
08/04/2004 01:56 AM 87,040 SET3396.tmp
08/04/2004 01:56 AM 59,904 SET3397.tmp
08/04/2004 01:56 AM 266,240 SET3473.tmp
08/04/2004 01:56 AM 586,240 SET33A9.tmp
08/04/2004 01:56 AM 18,944 SET33AB.tmp
08/04/2004 01:56 AM 1,028,096 SET33AE.tmp
08/04/2004 01:56 AM 118,272 SET33B0.tmp
08/04/2004 01:56 AM 23,552 SET3455.tmp
08/04/2004 01:56 AM 22,016 SET33BA.tmp
08/04/2004 01:56 AM 18,944 SET33C1.tmp
08/04/2004 01:56 AM 8,704 SET3475.tmp
08/04/2004 01:56 AM 294,400 SET33CE.tmp
08/04/2004 01:56 AM 450,560 SET33D1.tmp
08/04/2004 01:56 AM 182,784 SET33DE.tmp
08/04/2004 01:56 AM 94,720 SET33E2.tmp
08/04/2004 01:56 AM 24,576 SET3480.tmp
08/04/2004 01:56 AM 75,264 SET33EC.tmp
08/04/2004 01:56 AM 110,080 SET33F1.tmp
08/04/2004 01:56 AM 35,840 SET33F2.tmp
08/04/2004 01:56 AM 249,344 SET33FC.tmp
08/04/2004 01:56 AM 148,480 SET3450.tmp
08/04/2004 01:56 AM 11,264 SET3407.tmp
08/04/2004 01:56 AM 344,064 SET340C.tmp
08/04/2004 01:56 AM 153,600 SET339D.tmp
08/04/2004 01:56 AM 20,992 SET340E.tmp
08/04/2004 01:56 AM 45,568 SET344F.tmp
08/04/2004 01:56 AM 14,336 SET343E.tmp
08/04/2004 01:56 AM 278,016 SET3417.tmp
08/04/2004 01:56 AM 55,808 SET3422.tmp
08/04/2004 01:56 AM 1,082,368 SET3424.tmp
08/04/2004 01:56 AM 243,200 SET3425.tmp
08/04/2004 01:56 AM 23,040 SET3426.tmp
08/04/2004 01:56 AM 201,728 SET3428.tmp
08/04/2004 01:56 AM 357,888 SET3429.tmp
08/04/2004 01:56 AM 57,856 SET34A3.tmp
08/04/2004 01:56 AM 101,888 SET34DF.tmp
08/04/2004 01:56 AM 143,360 SET34DC.tmp
08/04/2004 01:56 AM 99,840 SET34D9.tmp
08/04/2004 01:56 AM 126,976 SET34D4.tmp
08/04/2004 01:56 AM 58,880 SET34CF.tmp
08/04/2004 01:56 AM 42,496 SET34CB.tmp
08/04/2004 01:56 AM 56,832 SET34CA.tmp
08/04/2004 01:56 AM 52,736 SET34C2.tmp
08/04/2004 01:56 AM 28,672 SET34C1.tmp
08/04/2004 01:56 AM 326,656 SET3488.tmp
08/04/2004 01:56 AM 101,888 SET348A.tmp
08/04/2004 01:56 AM 512,512 SET348B.tmp
08/04/2004 01:56 AM 60,416 SET348C.tmp
08/04/2004 01:56 AM 63,488 SET348D.tmp
08/04/2004 01:56 AM 33,280 SET348F.tmp
08/04/2004 01:56 AM 597,504 SET3491.tmp
08/04/2004 01:56 AM 163,840 SET3492.tmp
08/04/2004 01:56 AM 77,312 SET34BC.tmp
08/04/2004 01:56 AM 1,251,840 SET3496.tmp
08/04/2004 01:56 AM 792,064 SET3497.tmp
08/04/2004 01:56 AM 62,464 SET349A.tmp
08/04/2004 01:56 AM 47,104 SET349B.tmp
08/04/2004 01:56 AM 1,016,832 SET34BB.tmp
08/04/2004 01:56 AM 501,248 SET34AA.tmp
08/04/2004 01:56 AM 59,904 SET34B9.tmp
08/04/2004 01:56 AM 194,560 SET34B1.tmp
08/04/2004 01:56 AM 194,048 SET34E1.tmp
08/04/2004 01:56 AM 5,632 SET3182.tmp
08/04/2004 01:56 AM 549,376 SET3273.tmp
08/04/2004 01:56 AM 12,288 SET3300.tmp
08/04/2004 01:56 AM 94,208 SET3303.tmp
08/04/2004 01:56 AM 20,480 SET335F.tmp
08/04/2004 01:56 AM 48,128 SET335A.tmp
08/04/2004 01:56 AM 884,736 SET336C.tmp
08/04/2004 01:56 AM 12,288 SET338C.tmp
08/04/2004 01:56 AM 3,584 SET3404.tmp
08/04/2004 01:56 AM 16,896 SET34AE.tmp
08/04/2004 01:55 AM 63,488 SET34BD.tmp
08/04/2004 01:55 AM 285,696 SET34CD.tmp
08/03/2004 11:31 PM 152,576 SET32AE.tmp
08/03/2004 11:31 PM 137,216 SET3434.tmp
08/03/2004 11:22 PM 526,848 SET3410.tmp
08/03/2004 11:21 PM 90,112 SET3248.tmp
08/03/2004 11:19 PM 1,351,168 SET3376.tmp
08/29/2002 06:00 AM 2,577 CONFIG.TMP
237 File(s) 61,529,681 bytes
0 Dir(s) 33,533,435,904 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FA3E7947-4A29-4A6E-A596-F9277C05899E}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\hUicon32.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------


Logfile of HijackThis v1.98.2
Scan saved at 12:48:27 PM, on 12/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\yaqvcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\amankiewicz\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\8d224a8639d0d3cd94106bd72168312a\update\update.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1101911752140
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cam.com
O17 - HKLM\Software\..\Telephony: DomainName = cam.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{790A3E61-E4F3-435D-B243-3ADB6BB7AC52}: NameServer = 192.168.1.3,192.168.1.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cam.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cam.com




#10 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:08:30 PM

Posted 17 December 2004 - 04:15 AM

Hi,

The same file is there and this situation is very strange.

Please repeat the steps and use Killbox to delete the files:

Double-click on KillBox.exe.
Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\s2rslc971f.dll

Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "No" at the Pending Operations prompt.


Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\Guard.tmp

Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "Yes" at the Pending Operations prompt to restart your computer.

Double-click on find.bat and post the new output.txt.
Every day is virus day. Do you know where your recovery CDs are?
Did you create them yet?


#11 krazychick214

krazychick214
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:30 PM

Posted 17 December 2004 - 12:52 PM

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 0C7A-D9F2

Directory of C:\WINNT\System32

12/15/2004 10:35 AM <DIR> dllcache
12/14/2004 04:28 PM 223,370 s2rslc971f.dll
01/09/2003 10:41 AM <DIR> Microsoft
1 File(s) 223,370 bytes
2 Dir(s) 33,550,417,920 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 0C7A-D9F2

Directory of C:\WINNT\System32

12/15/2004 10:35 AM <DIR> dllcache
01/09/2003 10:31 AM 488 logonui.exe.manifest
01/09/2003 10:31 AM 488 WindowsLogon.manifest
01/09/2003 10:31 AM 749 nwc.cpl.manifest
01/09/2003 10:31 AM 749 sapi.cpl.manifest
01/09/2003 10:31 AM 749 ncpa.cpl.manifest
01/09/2003 10:31 AM 749 wuaucpl.cpl.manifest
01/09/2003 10:31 AM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 33,550,417,920 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 0C7A-D9F2

Directory of C:\WINNT\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 0C7A-D9F2

Directory of C:\WINNT\System32

237 File(s) 61,529,681 bytes
0 Dir(s) 33,550,401,536 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FA3E7947-4A29-4A6E-A596-F9277C05899E}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\hUicon32.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------


This time, when I clicked "yes" to the restart option, the program did it itself. Maybe that had something to do with it?



Logfile of HijackThis v1.98.2
Scan saved at 11:52:52 AM, on 12/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\yaqvcc.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\amankiewicz\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1101911752140
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cam.com
O17 - HKLM\Software\..\Telephony: DomainName = cam.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{790A3E61-E4F3-435D-B243-3ADB6BB7AC52}: NameServer = 192.168.1.3,192.168.1.254
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cam.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cam.com

#12 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:08:30 PM

Posted 19 December 2004 - 10:19 AM

I don't understand. You killed the same file several times and it is still there.

A. Recycle bin is damaged. Let Windows repair it.

Start Killbox.exe

Select the Delete on reboot option.

1. Copy and paste the line below in the field labeled "Full path of file to delete"
c:\recycler

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the YES button.

Your computer will reboot. Check if the recycle bin is OK. Create an empty TXT file and delete it. Please report back.

B. Restore user agent string

Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FA3E7947-4A29-4A6E-A596-F9277C05899E}"=-


Double-click on the fix.reg file on your desktop, and when it prompts to merge say Yes, and this will repair some registry entries.

C. Restore Policy
Download VX2Finder from this link:
http://www.downloads.subratam.org/VX2Finder.exe
Run Vx2Finder and click on the Restore Policy button.

Run find.bat and HijackThis again and post both logs please.

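As an added example (not code from this thread, from Killbox, VX2Finder or any other tool mentioned here), the Python script below parses a REGEDIT4 export of the kind find.bat produced above, flags Winlogon\Notify subkeys whose DllName is not in an assumed stock Windows XP baseline and GUID-named values under User Agent\Post Platform, and emits a removal .reg in the same shape as the fix.reg in this post. The sample export and the KNOWN_NOTIFY_DLLS baseline are constructed assumptions, not captured from a live machine.

```python
import re

# Constructed sample in REGEDIT4 format, mirroring the find.bat output in this thread.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FA3E7947-4A29-4A6E-A596-F9277C05899E}"=""
"SV1"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"DllName"="C:\\WINNT\\system32\\hUicon32.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
"""

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
POST_PLATFORM_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                     r"\Internet Settings\User Agent\Post Platform")
# Assumed baseline: DLLs the stock Windows XP Notify subkeys reference; tune to your own image.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

def parse_reg(text):
    """Parse a REGEDIT4 export into {key: {value_name: value}}; string values are unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'^"([^"]+)"=(.*)$', line)
            if not m: continue
            name, raw = m.group(1), m.group(2)
            if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                raw = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = raw
    return keys

def find_suspicious(keys):
    """Flag Notify subkeys with a non-baseline DllName and GUID-named Post Platform values."""
    findings = {"notify": [], "post_platform": []}
    for key, values in keys.items():
        k = key.lower()
        if k.startswith(NOTIFY_KEY.lower() + "\\"):
            dll = values.get("DllName", "")
            base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if dll and base not in KNOWN_NOTIFY_DLLS:
                findings["notify"].append((key, dll))
        elif k == POST_PLATFORM_KEY.lower():
            for name in values:
                if GUID_RE.match(name):
                    findings["post_platform"].append((key, name))
    return findings

def build_fix_reg(findings):
    """Emit a REGEDIT4 file deleting the flagged subkeys and values, in the shape of fix.reg."""
    lines = ["REGEDIT4", ""]
    for key, _dll in findings["notify"]:
        lines += ["[-" + key + "]", ""]
    for key, name in findings["post_platform"]:
        lines += ["[" + key + "]", '"' + name + '"=-', ""]
    return "\n".join(lines)
```

Running `build_fix_reg(find_suspicious(parse_reg(SAMPLE_EXPORT)))` yields a .reg that removes only the ShellScrap subkey and the GUID value, leaving crypt32chain and SV1 alone; review the output before merging it on a real machine.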



