please help diagnose my comp


36 replies to this topic

#1 emrinder (Members, 22 posts)

Posted 19 December 2004 - 02:46 PM

Here is my log:
Logfile of HijackThis v1.99.0
Scan saved at 2:45:47 PM, on 12/19/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\WINNT\System32\taskmgr.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Trillian\trillian.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.buldog-search.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buldog-search.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxycfg.netsetter.com/gencfg.asp?i...p=1&nsv=5.1.0.4
O1 - Hosts: 69.50.188.82 google.com
O1 - Hosts: 69.50.188.82 altavista.com
O1 - Hosts: 69.50.188.82 www.altavista.com
O1 - Hosts: 69.50.188.82 msn.com
O1 - Hosts: 69.50.188.82 www.msn.com
O1 - Hosts: 69.50.188.82 search.msn.com
O1 - Hosts: 69.50.188.82 search.yahoo.com
O1 - Hosts: 69.50.188.82 yahoo.com
O1 - Hosts: 69.50.188.82 www.yahoo.com
O1 - Hosts: 69.50.188.82 search.aol.com
O1 - Hosts: 69.50.188.82 askjeeves.com
O1 - Hosts: 69.50.188.82 www.askjeeves.com
O1 - Hosts: 69.50.188.82 www.directhit.com
O1 - Hosts: 69.50.188.82 directhit.com
O1 - Hosts: 69.50.188.82 www.excite.com
O1 - Hosts: 69.50.188.82 excite.com
O1 - Hosts: 69.50.188.82 alltheweb.com
O1 - Hosts: 69.50.188.82 www.alltheweb.com
O1 - Hosts: 69.50.188.82 go.com
O1 - Hosts: 69.50.188.82 www.go.com
O1 - Hosts: 69.50.188.82 goto.com
O1 - Hosts: 69.50.188.82 www.goto.com
O1 - Hosts: 69.50.188.82 hotbot.com
O1 - Hosts: 69.50.188.82 www.hotbot.com
O1 - Hosts: 69.50.188.82 lycos.com
O1 - Hosts: 69.50.188.82 www.lycos.com
O1 - Hosts: 69.50.188.82 dmoz.org
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Meca] C:\Program Files\MECA\Meca.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [SysTime] C:\WINNT\System32\systime.exe
O4 - HKCU\..\Run: [MSAgent] C:\WINNT\hhnt.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINNT\System32\crt32_v2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DAA6382-0A7B-46C9-BBAB-20BEDFFACEA5}: NameServer = 64.136.28.120 64.136.20.120
O17 - HKLM\System\CS1\Services\Tcpip\..\{3DAA6382-0A7B-46C9-BBAB-20BEDFFACEA5}: NameServer = 64.136.28.120 64.136.20.120
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe

#2 emrinder (Topic Starter, Members, 22 posts)

Posted 19 December 2004 - 09:52 PM

CWS Shredder "removes" the bootconf variant, but it keeps coming back, and when I am online, ads show up and files are downloaded periodically.



Logfile of HijackThis v1.99.0
Scan saved at 9:50:31 PM, on 12/19/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\taskmgr.exe
C:\WINNT\loadqm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack this\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxycfg.netsetter.com/gencfg.asp?i...p=1&nsv=5.1.0.4
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Meca] C:\Program Files\MECA\Meca.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [SysTime] C:\WINNT\System32\systime.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DAA6382-0A7B-46C9-BBAB-20BEDFFACEA5}: NameServer = 64.136.20.121 64.136.28.121
O17 - HKLM\System\CS1\Services\Tcpip\..\{3DAA6382-0A7B-46C9-BBAB-20BEDFFACEA5}: NameServer = 64.136.20.121 64.136.28.121
O17 - HKLM\System\CS2\Services\Tcpip\..\{3DAA6382-0A7B-46C9-BBAB-20BEDFFACEA5}: NameServer = 64.136.20.121 64.136.28.121
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
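
Added example, not code from the original posts or from HijackThis itself: a short Python triage of the entry types that matter in the two logs above. It parses the O1, R0/R1 and O4 lines, groups hosts-file entries by the routable IP they point at (the block of search-engine names all mapped to 69.50.188.82), flags start/search pages that point at a bare IP or at a host outside an allowlist (TRUSTED_PAGE_HOSTS is an assumption for illustration), and lists Run entries whose executable lives directly in C:\WINNT rather than in a program folder. The sample log is constructed from lines on this page plus one constructed loopback hosts entry to show that benign entries are not flagged.

```python
"""Triage the HijackThis entries above: hosts-file redirects to a routable IP,
hijacked IE pages, and Run entries launched from the Windows directory root."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: lines copied from the two logs in this thread, plus one
# constructed benign loopback hosts entry (ads.example.invalid) to show it passes.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.buldog-search.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.buldog-search.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O1 - Hosts: 69.50.188.82 google.com
O1 - Hosts: 69.50.188.82 www.yahoo.com
O1 - Hosts: 69.50.188.82 search.msn.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SysTime] C:\WINNT\System32\systime.exe
O4 - HKCU\..\Run: [MSAgent] C:\WINNT\hhnt.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
RUN_RE = re.compile(r"^.*?Run: \[([^\]]+)\] (.*)$")
# An executable sitting directly in the Windows directory, e.g. C:\WINNT\hhnt.exe
WINDOWS_ROOT_EXE = re.compile(r'^"?[A-Za-z]:\\winnt\\[^\\"]+\.exe"?', re.IGNORECASE)
# Assumed allowlist: hosts the user's own ISP/portal settings may legitimately use.
TRUSTED_PAGE_HOSTS = {"www.yahoo.com", "my.netzero.net", "www.aol.com"}


def parse_hjt(text):
    """Return (section, body) for every HijackThis entry line, e.g. ("O1", "Hosts: ...")."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [m.groups() for m in matches if m]


def hosts_redirects(entries):
    """Group O1 hosts entries by target IP, ignoring loopback/unspecified addresses.
    Many search-engine names mapped to one routable IP is the hijack pattern above."""
    by_ip = defaultdict(list)
    for sec, body in entries:
        if sec == "O1" and body.startswith("Hosts:"):
            ip, name = body[6:].split()[:2]
            addr = ipaddress.ip_address(ip)
            if not (addr.is_loopback or addr.is_unspecified):
                by_ip[ip].append(name)
    return dict(by_ip)


def hijacked_pages(entries):
    """Return (setting, url) for R0/R1 entries whose URL points at a bare IP or at a
    host outside TRUSTED_PAGE_HOSTS. about:blank has no host and is skipped."""
    flagged = []
    for sec, body in entries:
        if sec not in ("R0", "R1") or " = " not in body:
            continue
        setting, url = body.split(" = ", 1)
        host = urlsplit(url).hostname
        if host is None:
            continue
        try:
            ipaddress.ip_address(host)
            literal_ip = True
        except ValueError:
            literal_ip = False
        if literal_ip or host not in TRUSTED_PAGE_HOSTS:
            flagged.append((setting.split(",", 1)[1], url))
    return flagged


def run_entries_in_windows_root(entries):
    """Return names of O4 Run entries whose command is an .exe directly in the Windows root."""
    names = []
    for sec, body in entries:
        m = RUN_RE.match(body) if sec == "O4" else None
        if m and WINDOWS_ROOT_EXE.match(m.group(2)):
            names.append(m.group(1))
    return names


def triage(text):
    """Run all three checks over a log and return the findings by category."""
    entries = parse_hjt(text)
    return {"hosts": hosts_redirects(entries), "pages": hijacked_pages(entries),
            "run_in_windows_root": run_entries_in_windows_root(entries)}


if __name__ == "__main__":
    for category, findings in triage(SAMPLE_LOG).items():
        print(category, findings)
```

The hosts check deliberately ignores loopback entries, since ad-blocking hosts files legitimately map many names to 127.0.0.1; what is abnormal in the log above is a set of search engines all resolving to one public address. The Windows-root heuristic is only a prompt to look closer: it flags where an executable was dropped, not what it is.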

#3 Daisuke (Cleaner on Duty, Members, 5,575 posts, Romania)

Posted 20 December 2004 - 07:08 AM

[Edited]

Edited by cryo, 20 December 2004 - 05:37 PM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#4 Daisuke (Cleaner on Duty, Members, 5,575 posts, Romania)

Posted 20 December 2004 - 05:39 PM

emrinder

Do not create a new topic for your log. This will cause confusion and a delay in the help you are receiving.


Download Find It NT-2K-XP.zip.

Unzip the contents of Find It NT-2K-XP.zip to a folder, for example c:\findit

Navigate to the c:\findit folder and double-click on find.bat.
A command prompt will open and it will search your computer for malicious files.

Once it has finished a Notepad window will pop up with output.txt.
Copy the entire contents of output.txt into your next post.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.


When responding to a post from one of our HJT Team members, please reply in the same topic - click the Add Reply button.

Edited by cryo, 20 December 2004 - 05:39 PM.


#5 emrinder (Topic Starter, Members, 22 posts)

Posted 20 December 2004 - 09:22 PM

Find It generated a folder with many different Notepad files. Which file should I post?

#6 Daisuke (Cleaner on Duty, Members, 5,575 posts, Romania)

Posted 21 December 2004 - 06:27 AM

Please read my above message carefully.

Run find.bat again and post the output.txt.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

#7 emrinder (Topic Starter, Members, 22 posts)

Posted 21 December 2004 - 07:38 PM

Here is the Find It output.txt:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\

------- System Files in System32 Directory -------
Volume in drive C is NAMEK
Volume Serial Number is 1B36-19EA

Directory of C:\WINNT\System32

12/21/2004 07:18p 223,835 mnslgn32.dll
12/21/2004 07:18p 224,867 f2l0lc3m1f.dll
12/21/2004 06:59p 224,274 lvl4093qe.dll
12/20/2004 10:17p 223,835 gpn0l35m1.dll
12/19/2004 09:11p 223,835 tQpi.dll
12/19/2004 09:11p 224,196 dn6o01j3e.dll
12/19/2004 09:05p 223,999 j46m0ej1eho.dll
12/19/2004 08:48p 225,571 m6lslg3716.dll
12/19/2004 08:48p 223,835 jkmd400.dll
12/19/2004 08:31p 224,835 c000ladm1d0a.dll
12/19/2004 07:06p 225,658 gp28l3fu1.dll
12/19/2004 06:43p 223,835 fp0603dse.dll
12/19/2004 05:12p 223,232 ksdes.dll
12/19/2004 02:29p 223,232 lvl2093oe.dll
12/19/2004 02:01p 223,232 mjcomput.dll
12/18/2004 09:02p 223,232 k608lgdu1608.dll
12/18/2004 06:35p 223,232 ir0ml5d11.dll
12/18/2004 04:44p 225,163 enlul1391.dll
12/18/2004 03:50p 223,232 ravpmsg.dll
12/18/2004 03:50p 224,057 hr2805fue.dll
12/18/2004 03:32p 223,232 hepertrm.dll
12/18/2004 03:32p 224,492 k062lajo1doc.dll
12/17/2004 09:10p 223,232 fp6u03j9e.dll
09/26/2000 07:52p <DIR> dllcache
06/21/2000 03:23p 87,552 hirc.ocx
06/21/2000 03:23p 45,568 hidentd.ocx
03/21/2000 12:55a 118,784 vbalNCSM6.dll
03/06/2000 10:02p 23,040 inimnger10.ocx
02/26/2000 01:40p 139,264 vbalLBar6.ocx
02/26/2000 12:51p 94,208 vbalIml6.ocx
01/19/2000 01:56a 26,544 hlinkctrl.ocx
02/19/1999 08:54a 40,960 SSUBTMR6.DLL
03/18/1998 04:45p 8,096 OLEGUIDS.TLB
32 File(s) 5,736,159 bytes
1 Dir(s) 10,464,018,432 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is NAMEK
Volume Serial Number is 1B36-19EA

Directory of C:\WINNT\System32

02/27/2002 05:06p 8,628 CMMGR32.GID
04/07/2001 05:02p 591 ws512492.ocx
12/07/2000 04:51p 51,200 PackethSvc.exe
10/19/2000 06:21p 552 ws689312.ocx
09/26/2000 08:08p <DIR> GroupPolicy
09/26/2000 08:01p 271 desktop.ini
09/26/2000 08:01p 21,692 folder.htt
09/26/2000 07:52p <DIR> dllcache
6 File(s) 82,934 bytes
2 Dir(s) 10,464,002,048 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is NAMEK
Volume Serial Number is 1B36-19EA

Directory of C:\WINNT\System32


--------- Temp Files in System32 Directory --------

Volume in drive C is NAMEK
Volume Serial Number is 1B36-19EA

Directory of C:\WINNT\System32

12/07/1999 12:00p 2,577 CONFIG.TMP
07/11/1995 09:50a 30,976 compobj.dll.tmp
2 File(s) 33,553 bytes
0 Dir(s) 10,463,969,280 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{89F60F6A-BA7B-4330-8ACC-D3ED10B4D845}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\fp0603dse.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------------ Locate.com Results ------------------

C:\WINNT\SYSTEM32\
ksdes.dll Sun Dec 19 2004 5:12:44p ..S.R 223,232 218.00 K
mjcomput.dll Sun Dec 19 2004 2:01:24p ..S.R 223,232 218.00 K
mnslgn32.dll Tue Dec 21 2004 7:18:08p ..S.R 223,835 218.59 K
jkmd400.dll Sun Dec 19 2004 8:48:34p ..S.R 223,835 218.59 K
fp6u03~1.dll Fri Dec 17 2004 9:10:08p ..S.R 223,232 218.00 K
hepertrm.dll Sat Dec 18 2004 3:32:40p ..S.R 223,232 218.00 K
ravpmsg.dll Sat Dec 18 2004 3:50:24p ..S.R 223,232 218.00 K
k062la~1.dll Sat Dec 18 2004 3:32:40p ..S.R 224,492 219.23 K
enlul1~1.dll Sat Dec 18 2004 4:44:40p ..S.R 225,163 219.88 K
ir0ml5~1.dll Sat Dec 18 2004 6:35:24p ..S.R 223,232 218.00 K
hr2805~1.dll Sat Dec 18 2004 3:50:24p ..S.R 224,057 218.80 K
lvl209~1.dll Sun Dec 19 2004 2:29:24p ..S.R 223,232 218.00 K
k608lg~1.dll Sat Dec 18 2004 9:02:50p ..S.R 223,232 218.00 K
fp0603~1.dll Sun Dec 19 2004 6:43:04p ..S.R 223,835 218.59 K
gp28l3~1.dll Sun Dec 19 2004 7:06:10p ..S.R 225,658 220.37 K
c000la~1.dll Sun Dec 19 2004 8:31:36p ..S.R 224,835 219.56 K
m6lslg~1.dll Sun Dec 19 2004 8:48:34p ..S.R 225,571 220.28 K
j46m0e~1.dll Sun Dec 19 2004 9:05:16p ..S.R 223,999 218.75 K
dn6o01~1.dll Sun Dec 19 2004 9:11:50p ..S.R 224,196 218.94 K
tqpi.dll Sun Dec 19 2004 9:11:50p ..S.R 223,835 218.59 K
gpn0l3~1.dll Mon Dec 20 2004 10:17:52p ..S.R 223,835 218.59 K
lvl409~1.dll Tue Dec 21 2004 6:59:40p ..S.R 224,274 219.02 K
f2l0lc~1.dll Tue Dec 21 2004 7:18:08p ..S.R 224,867 219.59 K

23 items found: 23 files, 0 directories.
Total of file sizes: 5,152,143 bytes 4.91 M

------------ Strings.exe Qoologic Results ------------

C:\WINNT\system32\pav.sig: Qoologic
C:\WINNT\system32\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINNT\system32\pav.sig: AsPack
C:\WINNT\system32\in10b6s.dll: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"RFX_auto_upgrade"=""
"NPS Event Checker"="C:\\PROGRA~1\\Navnt\\npscheck.exe"
"LoadQM"="loadqm.exe"
"Lexmark X74-X75"="\"C:\\Program Files\\Lexmark X74-X75\\lxbbbmgr.exe\""
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
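
Added example, not part of the Find It tool or of any post in this thread: a Python script that correlates two parts of the output above. It parses the System32 directory listing and clusters DLLs modified within the last week by near-identical size (the run of roughly 223 KB files with random names dropped over four days), then parses the REGEDIT4 Notify export, decodes the hex(2) DllName values, and reports any Winlogon Notify package that is outside a baseline set or whose DLL is one of the clustered files. BASELINE_NOTIFY is an assumed known-good set for illustration, and the sample data is a constructed subset of the listing and export printed above; on that data the SharedDLLs package, which loads fp0603dse.dll, is the one flagged.

```python
"""Correlate the Find It output above: cluster the recently dropped System32
DLLs by size, then find which Winlogon Notify package loads one of them."""
import re
from datetime import datetime, timedelta

# Constructed samples: subsets of the "System Files in System32 Directory"
# listing and of the "Keys Under Notify" export printed above.
DIR_LISTING = """\
12/21/2004 07:18p 223,835 mnslgn32.dll
12/21/2004 07:18p 224,867 f2l0lc3m1f.dll
12/20/2004 10:17p 223,835 gpn0l35m1.dll
12/19/2004 06:43p 223,835 fp0603dse.dll
12/18/2004 03:50p 223,232 ravpmsg.dll
12/17/2004 09:10p 223,232 fp6u03j9e.dll
09/26/2000 07:52p <DIR> dllcache
03/21/2000 12:55a 118,784 vbalNCSM6.dll
"""
NOTIFY_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"DllName"="C:\\WINNT\\system32\\fp0603dse.dll"
"Logon"="WinLogon"
"""
DIR_RE = re.compile(r"^(\d\d/\d\d/\d{4}) (\d\d:\d\d)([ap]) ([\d,]+) (\S+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.+)$')
# Assumed baseline: the Notify packages a stock Windows 2000 install registers.
BASELINE_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sclgntfy", "senslogn"}


def parse_dir_listing(text):
    """Return (name, size, mtime) per file line; <DIR> lines have no size and are skipped."""
    files = []
    for m in filter(None, (DIR_RE.match(line.strip()) for line in text.splitlines())):
        date, hm, ampm, size, name = m.groups()
        stamp = datetime.strptime(f"{date} {hm}{ampm.upper()}M", "%m/%d/%Y %I:%M%p")
        files.append((name, int(size.replace(",", "")), stamp))
    return files


def dropped_dll_clusters(files, newest, window_days=7, tolerance=0.02, min_count=3):
    """Sort DLLs modified within `window_days` of `newest` by size; a gap wider than
    `tolerance` starts a new cluster. Only clusters of at least `min_count` are returned."""
    recent = sorted((f for f in files if f[0].lower().endswith(".dll")
                     and newest - f[2] <= timedelta(days=window_days)), key=lambda f: f[1])
    clusters = []
    for entry in recent:
        if clusters and entry[1] - clusters[-1][-1][1] <= tolerance * clusters[-1][-1][1]:
            clusters[-1].append(entry)
        else:
            clusters.append([entry])
    return [sorted(n for n, _, _ in c) for c in clusters if len(c) >= min_count]


def decode_reg_value(raw):
    """Decode a REGEDIT4 value: quoted string, dword, or a single-line hex(2)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("latin-1").replace("\x00", "")  # also handles UTF-16LE data
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name.lower(): decoded value}} for a REGEDIT4 export."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys[current] = {}
            continue
        vm = VAL_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group(1).lower()] = decode_reg_value(vm.group(2))
    return keys


def suspicious_notify_packages(keys, cluster_names):
    """Flag Notify subkeys outside the baseline, or whose DLL is one of the dropped files."""
    flagged = []
    for path, values in keys.items():
        if "\\winlogon\\notify\\" not in path.lower():
            continue
        subkey, dll = path.rsplit("\\", 1)[1], values.get("dllname", "")
        in_cluster = dll.rsplit("\\", 1)[-1].lower() in cluster_names
        if subkey.lower() not in BASELINE_NOTIFY or in_cluster:
            flagged.append((subkey, dll, in_cluster))
    return flagged


def triage(listing, export):
    """Run both checks and cross-reference the Notify DLLs against the clusters."""
    files = parse_dir_listing(listing)
    clusters = dropped_dll_clusters(files, newest=max(f[2] for f in files))
    names = {n.lower() for c in clusters for n in c}
    return {"clusters": clusters, "notify": suspicious_notify_packages(parse_reg_export(export), names)}
```

The size clustering is what makes the random file names irrelevant: a dropper that keeps re-creating the same payload under new names leaves files of almost identical size with fresh timestamps, which is exactly the shape of the listing above. Cross-referencing against the Winlogon Notify export then shows which of those files is wired to run at every logon, which is the one a cleanup has to remove first or it will simply restore the others.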




#8 emrinder (Topic Starter, Members, 22 posts)

Posted 22 December 2004 - 07:26 PM

Posted above is the Find It log.

#9 Daisuke (Cleaner on Duty, Members, 5,575 posts, Romania)

Posted 23 December 2004 - 03:48 AM

I'm sorry. I had problems with my internet connection. Did you reboot your computer? If you did, please post a new find.bat log (output.txt).

#10 emrinder (Topic Starter, Members, 22 posts)

Posted 23 December 2004 - 12:42 PM

No problem. I didn't log off, I hibernated, but I'll reboot and post a new log.

#11 Daisuke (Cleaner on Duty, Members, 5,575 posts, Romania)

Posted 23 December 2004 - 12:44 PM

Yes, please post a new one :thumbsup:.

#12 emrinder (Topic Starter, Members, 22 posts)

Posted 23 December 2004 - 06:50 PM

I got this error message trying to make a new log:

Please disregard any "File Not Found" messages,
they are a normal part of the search process.

File Not Found
'LOCATE' is not recognized as an internal or external command,
operable program or batch file.

Beginning Strings.exe search...this portion of the search
can take several minutes, please allow it to run until
the log appears.
'strings.exe' is not recognized as an internal or external command,
operable program or batch file.

#13 Daisuke (Cleaner on Duty, Members, 5,575 posts, Romania)

Posted 23 December 2004 - 07:31 PM

Did you unzip ALL three files to a folder like c:\findit ?

#14 emrinder (Topic Starter, Members, 22 posts)

Posted 23 December 2004 - 09:06 PM

Yes, I did, and I rebooted and unzipped them again. It said the same thing.

#15 Daisuke (Cleaner on Duty, Members, 5,575 posts, Romania)

Posted 25 December 2004 - 05:23 AM

Hi :thumbsup:

Copy autoexec.nt from the C:\WINNT\repair\ folder to the C:\WINNT\system32\ folder.

Run find.bat again and post the output.txt.
