
hijackthis log file please help


22 replies to this topic

#1 role2682


Posted 20 December 2004 - 11:39 PM

Logfile of HijackThis v1.99.0
Scan saved at 11:35:22 AM, on 12/20/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094158972562
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17ECA87E-3225-4439-A350-96E42074F64F}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{17ECA87E-3225-4439-A350-96E42074F64F}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{17ECA87E-3225-4439-A350-96E42074F64F}: NameServer = 192.168.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2 Daisuke

    Cleaner on Duty



Posted 23 December 2004 - 04:49 AM

Hi

Download Find It NT-2K-XP.zip.

Unzip the contents of Find It NT-2K-XP.zip to a folder, for example c:\findit

Navigate to the c:\findit folder and double-click on find.bat.
A command prompt will open and it will search your computer for malicious files.

Once it has finished a Notepad window will pop up with output.txt.
Copy the entire contents of output.txt into your next post.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#3 role2682


Posted 24 December 2004 - 10:43 AM

Here is my Find It output.txt file

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\findfit\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is CC4C-6286

Directory of C:\WINDOWS\System32

12/22/2004 10:14 PM 225,983 m0nq0a55ed.dll
12/22/2004 10:13 PM 226,000 jtj0071me.dll
12/20/2004 12:19 PM 225,983 kldal.dll
12/20/2004 11:26 AM <DIR> dllcache
12/16/2004 03:06 AM 223,139 l88mlil118q.dll
12/16/2004 01:20 AM 223,139 cxmpatUI.dll
12/16/2004 01:06 AM 225,071 nvdsapi.dll
12/16/2004 12:47 AM 223,194 mwsign32.dll
12/14/2004 06:54 PM 226,177 fpn2035oe.dll
12/14/2004 06:50 PM 223,210 jr0025dmg.dll
12/14/2004 05:59 PM 226,026 d20m0cd1ef0.dll
12/14/2004 12:15 AM 225,235 o684lglq16qe.dll
08/06/2003 03:49 PM <DIR> Microsoft
09/30/1999 06:21 PM 166,672 mstext35.dll
09/28/1999 08:42 PM 1,050,896 msjet35.dll
09/09/1999 09:06 PM 168,720 msltus35.dll
09/09/1999 09:06 PM 252,688 msexcl35.dll
08/25/1999 01:57 PM 415,504 msrepl35.dll
06/10/1999 08:34 AM 123,664 msjint35.dll
06/10/1999 08:34 AM 24,848 msjter35.dll
06/07/1999 05:59 PM 250,128 mspdox35.dll
04/25/1999 04:00 PM 252,176 Msrd2x35.dll
04/25/1999 04:00 PM 368,912 Vbar332.dll
04/25/1999 04:00 PM 287,504 Msxbse35.dll
22 File(s) 5,834,869 bytes
2 Dir(s) 17,564,979,200 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is CC4C-6286

Directory of C:\WINDOWS\System32

12/20/2004 11:26 AM <DIR> dllcache
12/14/2004 07:47 PM 488 logonui.exe.manifest
12/14/2004 07:47 PM 488 WindowsLogon.manifest
12/14/2004 07:47 PM 749 nwc.cpl.manifest
12/14/2004 07:47 PM 749 sapi.cpl.manifest
12/14/2004 07:47 PM 749 ncpa.cpl.manifest
12/14/2004 07:47 PM 749 wuaucpl.cpl.manifest
12/14/2004 07:47 PM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 17,564,979,200 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is CC4C-6286

Directory of C:\WINDOWS\System32

12/24/2004 09:17 AM 226,000 guard.tmp
1 File(s) 226,000 bytes
0 Dir(s) 17,564,979,200 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is CC4C-6286

Directory of C:\WINDOWS\System32

12/24/2004 09:17 AM 226,000 guard.tmp
08/23/2001 07:00 AM 2,577 CONFIG.TMP
06/17/1998 10:00 PM 378,128 expsrv.dll.tmp
3 File(s) 606,705 bytes
0 Dir(s) 17,564,975,104 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{60BF94EC-28C3-40C5-B4F8-0F9D3B346E89}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jtj0071me.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Tue Dec 14 2004 7:47:44p A..HR 749 0.73 K
cxmpatui.dll Thu Dec 16 2004 1:20:22a ..S.R 223,139 217.91 K
d20m0c~1.dll Tue Dec 14 2004 5:59:36p A.S.R 226,026 220.73 K
fpn203~1.dll Tue Dec 14 2004 6:54:38p A.S.R 226,177 220.88 K
jr0025~1.dll Tue Dec 14 2004 6:50:08p A.S.R 223,210 217.98 K
jtj007~1.dll Wed Dec 22 2004 10:13:20p ..S.R 226,000 220.70 K
kldal.dll Mon Dec 20 2004 12:19:54p ..S.R 225,983 220.68 K
l88mli~1.dll Thu Dec 16 2004 3:06:16a ..S.R 223,139 217.91 K
logonu~1.man Tue Dec 14 2004 7:47:54p A..HR 488 0.48 K
m0nq0a~1.dll Wed Dec 22 2004 10:14:20p ..S.R 225,983 220.68 K
mwsign32.dll Thu Dec 16 2004 12:47:28a ..S.R 223,194 217.96 K
ncpacp~1.man Tue Dec 14 2004 7:47:44p A..HR 749 0.73 K
nvdsapi.dll Thu Dec 16 2004 1:06:48a ..S.R 225,071 219.79 K
nwccpl~1.man Tue Dec 14 2004 7:47:44p A..HR 749 0.73 K
o684lg~1.dll Tue Dec 14 2004 12:15:54a A.S.R 225,235 219.95 K
sapicp~1.man Tue Dec 14 2004 7:47:44p A..HR 749 0.73 K
window~1.man Tue Dec 14 2004 7:47:54p A..HR 488 0.48 K
wuaucp~1.man Tue Dec 14 2004 7:47:44p A..HR 749 0.73 K

18 items found: 18 files, 0 directories.
Total of file sizes: 2,477,878 bytes 2.36 M

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\ntdll.dll: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Ad-watch"="\"C:\\Program Files\\Lavasoft\\Ad-aware 6\\Ad-watch.exe\""
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"Ad-aware"="\"C:\\Program Files\\Lavasoft\\Ad-aware 6\\Ad-aware.exe\" +c"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SM1BG"="C:\\WINDOWS\\SM1BG.EXE"
"AWMON"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Professional\\Ad-Watch.exe\""


thanks for the help
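A defender reading the Find It output above wants to know which Winlogon Notify subkeys are not standard XP notification packages. The following Python is added here as an example and is not part of this thread or of the Find It tool: it parses the REGEDIT4 "Keys Under Notify" section (decoding the hex(2) DllName values), compares each subkey against a baseline of the XP packages visible in this log, and flags the OptimalLayout entry that loads a random-named DLL from system32. The baseline table, the function names and the embedded sample are constructed for this example.

```python
import re

# Winlogon Notify subkeys that ship with Windows XP SP2, with the DLL each one
# is expected to load. Assembled for this example from the known-good entries
# visible in the Find It output in this thread; it is a baseline, not an
# exhaustive list.
XP_NOTIFY_BASELINE = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}

NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify") + "\\"


def decode_reg_value(raw):
    """Decode one REGEDIT4 value body into a Python string.

    Handles "quoted" REG_SZ (with backslash escapes), hex(2): byte lists
    (REG_EXPAND_SZ as NUL-terminated ANSI bytes) and dword: values.
    """
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    m = re.match(r"hex\(2\):(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.split(b"\x00", 1)[0].decode("latin-1")
    if raw.lower().startswith("dword:"):
        return str(int(raw[6:], 16))
    return raw


def parse_notify_section(text):
    """Parse the 'Keys Under Notify' REGEDIT4 dump into
    {subkey_name: {value_name: decoded_value}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.lower().startswith(NOTIFY_KEY.lower()):
                current = path[len(NOTIFY_KEY):]
                keys[current] = {}
            else:
                current = None  # the parent Notify key itself, or unrelated
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = decode_reg_value(value)
    return keys


def suspicious_notify_keys(keys):
    """Return [(subkey, dll, [reasons])] for entries that deviate from the
    XP baseline: unknown subkey, unexpected DLL, or an absolute path
    (the genuine packages name a bare DLL that lives in system32)."""
    findings = []
    for subkey, values in keys.items():
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            continue
        basename = dll.rsplit("\\", 1)[-1].lower()
        expected = XP_NOTIFY_BASELINE.get(subkey.lower())
        reasons = []
        if expected is None:
            reasons.append("subkey is not an XP notification package")
        elif basename != expected:
            reasons.append("expected %s, found %s" % (expected, basename))
        if "\\" in dll:
            reasons.append("DllName is an absolute path: " + dll)
        if reasons:
            findings.append((subkey, dll, reasons))
    return findings


# Constructed sample: a trimmed copy of the "Keys Under Notify" section from
# post #3, keeping two legitimate packages and the injected OptimalLayout key.
SAMPLE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jtj0071me.dll"
"Logon"="WinLogon"
"""

if __name__ == "__main__":
    for subkey, dll, reasons in suspicious_notify_keys(parse_notify_section(SAMPLE)):
        print("%s -> %s" % (subkey, dll))
        for reason in reasons:
            print("    " + reason)
```

The same parser can be pointed at the later logs in this thread, where the injected subkey is renamed (Reinstall, then policies) and the DLL name changes after each reboot; the absolute-path check catches it regardless of the name.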

#4 Daisuke


Posted 24 December 2004 - 10:51 AM

Hi

Download KillBox here: KillBox. Unzip it to your desktop.

Disconnect from the internet.


Start Killbox and click on Tools --> Select Delete Temp Files. Click OK.


Select the Delete on reboot option.

Copy and paste the following file to the field labeled "Full path of file to delete"
C:\WINDOWS\System32\m0nq0a55ed.dll

Press the Delete button (the button that looks like a red circle with a white X in it).

A first dialog box will ask if you want to delete the file on reboot, press the YES button.

A second dialog box will ask you if you want to REBOOT now. Press the NO button.

Repeat steps above for these files:

C:\WINDOWS\System32\jtj0071me.dll

C:\WINDOWS\System32\kldal.dll

C:\WINDOWS\System32\l88mlil118q.dll

C:\WINDOWS\System32\cxmpatUI.dll

C:\WINDOWS\System32\nvdsapi.dll

C:\WINDOWS\System32\mwsign32.dll

C:\WINDOWS\System32\fpn2035oe.dll

C:\WINDOWS\System32\jr0025dmg.dll

C:\WINDOWS\System32\d20m0cd1ef0.dll

C:\WINDOWS\System32\o684lglq16qe.dll



Copy and paste the following file to the field labeled "Full path of file to delete"
C:\WINDOWS\System32\Guard.tmp

Press the Delete button (the button that looks like a red circle with a white X in it).

A first dialog box will ask if you want to delete the file on reboot, press the YES button.

A second dialog box will ask you if you want to REBOOT now. Press the YES button.


Your computer will reboot.

Run Find.bat and HijackThis again, and post the logs please.

#5 role2682


Posted 24 December 2004 - 12:07 PM

I could delete all but 3 of those files. C:\WINDOWS\System32\m0nq0a55ed.dll said "could not delete file", then after reboot said this file does not seem to exist.
C:\WINDOWS\System32\jtj0071me.dll
C:\WINDOWS\System32\Guard.tmp
Both of those files said they did not seem to exist also.
Here are the HijackThis and Find It log files.

Logfile of HijackThis v1.99.0
Scan saved at 11:52:39 AM, on 12/24/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094158972562
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17ECA87E-3225-4439-A350-96E42074F64F}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{17ECA87E-3225-4439-A350-96E42074F64F}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{17ECA87E-3225-4439-A350-96E42074F64F}: NameServer = 192.168.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


FINDIT LOG FILE

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\findfit\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is CC4C-6286

Directory of C:\WINDOWS\System32

12/24/2004 11:48 AM 224,858 gp46l3hs1.dll
12/24/2004 11:35 AM 223,215 n2p40c7qef.dll
12/20/2004 11:26 AM <DIR> dllcache
08/06/2003 03:49 PM <DIR> Microsoft
09/30/1999 06:21 PM 166,672 mstext35.dll
09/28/1999 08:42 PM 1,050,896 msjet35.dll
09/09/1999 09:06 PM 252,688 msexcl35.dll
09/09/1999 09:06 PM 168,720 msltus35.dll
08/25/1999 01:57 PM 415,504 msrepl35.dll
06/10/1999 08:34 AM 123,664 msjint35.dll
06/10/1999 08:34 AM 24,848 msjter35.dll
06/07/1999 05:59 PM 250,128 mspdox35.dll
04/25/1999 04:00 PM 287,504 Msxbse35.dll
04/25/1999 04:00 PM 368,912 Vbar332.dll
04/25/1999 04:00 PM 252,176 Msrd2x35.dll
13 File(s) 3,809,785 bytes
2 Dir(s) 17,940,283,392 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is CC4C-6286

Directory of C:\WINDOWS\System32

12/20/2004 11:26 AM <DIR> dllcache
12/14/2004 07:47 PM 488 logonui.exe.manifest
12/14/2004 07:47 PM 488 WindowsLogon.manifest
12/14/2004 07:47 PM 749 nwc.cpl.manifest
12/14/2004 07:47 PM 749 sapi.cpl.manifest
12/14/2004 07:47 PM 749 ncpa.cpl.manifest
12/14/2004 07:47 PM 749 wuaucpl.cpl.manifest
12/14/2004 07:47 PM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 17,940,283,392 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is CC4C-6286

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is CC4C-6286

Directory of C:\WINDOWS\System32

08/23/2001 07:00 AM 2,577 CONFIG.TMP
06/17/1998 10:00 PM 378,128 expsrv.dll.tmp
2 File(s) 380,705 bytes
0 Dir(s) 17,940,279,296 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{60BF94EC-28C3-40C5-B4F8-0F9D3B346E89}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\n2p40c7qef.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Tue Dec 14 2004 7:47:44p A..HR 749 0.73 K
gp46l3~1.dll Fri Dec 24 2004 11:48:06a ..S.R 224,858 219.59 K
logonu~1.man Tue Dec 14 2004 7:47:54p A..HR 488 0.48 K
n2p40c~1.dll Fri Dec 24 2004 11:35:48a ..S.R 223,215 217.98 K
ncpacp~1.man Tue Dec 14 2004 7:47:44p A..HR 749 0.73 K
nwccpl~1.man Tue Dec 14 2004 7:47:44p A..HR 749 0.73 K
sapicp~1.man Tue Dec 14 2004 7:47:44p A..HR 749 0.73 K
window~1.man Tue Dec 14 2004 7:47:54p A..HR 488 0.48 K
wuaucp~1.man Tue Dec 14 2004 7:47:44p A..HR 749 0.73 K

9 items found: 9 files, 0 directories.
Total of file sizes: 452,794 bytes 442.18 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\ntdll.dll: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Ad-watch"="\"C:\\Program Files\\Lavasoft\\Ad-aware 6\\Ad-watch.exe\""
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"Ad-aware"="\"C:\\Program Files\\Lavasoft\\Ad-aware 6\\Ad-aware.exe\" +c"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SM1BG"="C:\\WINDOWS\\SM1BG.EXE"
"AWMON"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Professional\\Ad-Watch.exe\""




#6 Daisuke


Posted 25 December 2004 - 04:48 AM

Hi

Please uninstall Ad-Aware 6; it is outdated. Keep only Ad-Aware SE. Disable Ad-Watch.

REBOOT your computer. Run find.bat and post a new log.


From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

#7 role2682


Posted 25 December 2004 - 10:29 AM

FINDIT LOG

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\findfit\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is CC4C-6286

Directory of C:\WINDOWS\System32

12/20/2004 11:26 AM <DIR> dllcache
08/06/2003 03:49 PM <DIR> Microsoft
09/30/1999 06:21 PM 166,672 mstext35.dll
09/28/1999 08:42 PM 1,050,896 msjet35.dll
09/09/1999 09:06 PM 252,688 msexcl35.dll
09/09/1999 09:06 PM 168,720 msltus35.dll
08/25/1999 01:57 PM 415,504 msrepl35.dll
06/10/1999 08:34 AM 123,664 msjint35.dll
06/10/1999 08:34 AM 24,848 msjter35.dll
06/07/1999 05:59 PM 250,128 mspdox35.dll
04/25/1999 04:00 PM 287,504 Msxbse35.dll
04/25/1999 04:00 PM 368,912 Vbar332.dll
04/25/1999 04:00 PM 252,176 Msrd2x35.dll
11 File(s) 3,361,712 bytes
2 Dir(s) 17,917,190,144 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is CC4C-6286

Directory of C:\WINDOWS\System32

12/20/2004 11:26 AM <DIR> dllcache
12/14/2004 07:47 PM 488 logonui.exe.manifest
12/14/2004 07:47 PM 488 WindowsLogon.manifest
12/14/2004 07:47 PM 749 nwc.cpl.manifest
12/14/2004 07:47 PM 749 sapi.cpl.manifest
12/14/2004 07:47 PM 749 ncpa.cpl.manifest
12/14/2004 07:47 PM 749 wuaucpl.cpl.manifest
12/14/2004 07:47 PM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 17,917,190,144 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is CC4C-6286

Directory of C:\WINDOWS\System32

12/25/2004 01:21 AM 225,196 guard.tmp
1 File(s) 225,196 bytes
0 Dir(s) 17,917,190,144 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is CC4C-6286

Directory of C:\WINDOWS\System32

12/25/2004 01:21 AM 225,196 guard.tmp
08/23/2001 07:00 AM 2,577 CONFIG.TMP
06/17/1998 10:00 PM 378,128 expsrv.dll.tmp
3 File(s) 605,901 bytes
0 Dir(s) 17,917,186,048 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{60BF94EC-28C3-40C5-B4F8-0F9D3B346E89}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvlu0939e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Tue Dec 14 2004 7:47:44p A..HR 749 0.73 K
logonu~1.man Tue Dec 14 2004 7:47:54p A..HR 488 0.48 K
ncpacp~1.man Tue Dec 14 2004 7:47:44p A..HR 749 0.73 K
nwccpl~1.man Tue Dec 14 2004 7:47:44p A..HR 749 0.73 K
sapicp~1.man Tue Dec 14 2004 7:47:44p A..HR 749 0.73 K
window~1.man Tue Dec 14 2004 7:47:54p A..HR 488 0.48 K
wuaucp~1.man Tue Dec 14 2004 7:47:44p A..HR 749 0.73 K

7 items found: 7 files, 0 directories.
Total of file sizes: 4,721 bytes 4.61 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\ntdll.dll: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AWMON"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Professional\\Ad-Watch.exe\""


HIJACKTHIS LOG

Logfile of HijackThis v1.99.0
Scan saved at 10:23:44 AM, on 12/25/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Documents and Settings\role2682\Desktop\DllCompare.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094158972562
O17 - HKLM\System\CCS\Services\Tcpip\..\{17ECA87E-3225-4439-A350-96E42074F64F}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{17ECA87E-3225-4439-A350-96E42074F64F}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{17ECA87E-3225-4439-A350-96E42074F64F}: NameServer = 192.168.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


DLL COMPARE LOG

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\msexcl35.dll Thu Sep 9 1999 9:06:38p A.S.. 252,688 246.77 K
C:\WINDOWS\SYSTEM32\msjet35.dll Tue Sep 28 1999 8:42:48p A.S.. 1,050,896 1.00 M
C:\WINDOWS\SYSTEM32\msjint35.dll Thu Jun 10 1999 8:34:04a A.S.. 123,664 120.77 K
C:\WINDOWS\SYSTEM32\msjter35.dll Thu Jun 10 1999 8:34:04a A.S.. 24,848 24.27 K
C:\WINDOWS\SYSTEM32\msltus35.dll Thu Sep 9 1999 9:06:38p A.S.. 168,720 164.77 K
C:\WINDOWS\SYSTEM32\mspdox35.dll Mon Jun 7 1999 5:59:34p A.S.. 250,128 244.27 K
C:\WINDOWS\SYSTEM32\msrd2x35.dll Sun Apr 25 1999 4:00:00p A.S.. 252,176 246.27 K
C:\WINDOWS\SYSTEM32\msrepl35.dll Wed Aug 25 1999 1:57:26p A.S.. 415,504 405.77 K
C:\WINDOWS\SYSTEM32\mstext35.dll Thu Sep 30 1999 6:21:24p A.S.. 166,672 162.77 K
C:\WINDOWS\SYSTEM32\msxbse35.dll Sun Apr 25 1999 4:00:00p A.S.. 287,504 280.77 K
C:\WINDOWS\SYSTEM32\vbar332.dll Sun Apr 25 1999 4:00:00p A.S.. 368,912 360.27 K
________________________________________________

1,230 items found: 1,230 files (11 H/S), 0 directories.
Total of file sizes: 259,868,458 bytes 247.83 M

Administrator Account = True

--------------------End log---------------------


Ad-Aware tells me that I have VX2, so I'm including the log file from:
VX2 FINDER

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
policies
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{60BF94EC-28C3-40C5-B4F8-0F9D3B346E89}

THANKS FOR YOUR HELP
MERRY CHRISTMAS

#8 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:09:14 PM

Posted 25 December 2004 - 11:43 AM

Disconnect from the internet.


Start Killbox and click on Tools --> Select Delete Temp Files. Click OK.


Select the Delete on reboot option.

Copy and paste the following file to the field labeled "Full path of file to delete"
C:\WINDOWS\System32\guard.tmp

Press the Delete button (the button that looks like a red circle with a white X in it).

A first dialog box will ask if you want to delete the file on reboot, press the YES button.

A second dialog box will ask you if you want to REBOOT now. Press the YES button.

Your computer will reboot.


Run HijackThis!, press Scan, and put a check mark next to all these:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch


Close all other windows and browsers, and press the Fix Checked button.

REBOOT your computer again.

Run Find.bat and HijackThis again, and post the logs please.

Edited by cryo, 25 December 2004 - 11:44 AM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#9 role2682

role2682
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:09:14 PM

Posted 25 December 2004 - 01:11 PM

I have already tried that, but I will try again!

#10 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:09:14 PM

Posted 25 December 2004 - 01:14 PM

You are still infected. Don't hesitate.

#11 role2682

role2682
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:09:14 PM

Posted 25 December 2004 - 01:48 PM

I had a problem with SM1bg.exe (I know this is a legit file from Napster etc.); every time I would uninstall it, it would reinstall on the next reboot. I successfully removed it last night & had not tried that again yet.


FINDIT LOG

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\findfit\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is CC4C-6286

Directory of C:\WINDOWS\System32

12/20/2004 11:26 AM <DIR> dllcache
08/06/2003 03:49 PM <DIR> Microsoft
09/30/1999 06:21 PM 166,672 mstext35.dll
09/28/1999 08:42 PM 1,050,896 msjet35.dll
09/09/1999 09:06 PM 252,688 msexcl35.dll
09/09/1999 09:06 PM 168,720 msltus35.dll
08/25/1999 01:57 PM 415,504 msrepl35.dll
06/10/1999 08:34 AM 123,664 msjint35.dll
06/10/1999 08:34 AM 24,848 msjter35.dll
06/07/1999 05:59 PM 250,128 mspdox35.dll
04/25/1999 04:00 PM 287,504 Msxbse35.dll
04/25/1999 04:00 PM 368,912 Vbar332.dll
04/25/1999 04:00 PM 252,176 Msrd2x35.dll
11 File(s) 3,361,712 bytes
2 Dir(s) 17,918,836,736 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is CC4C-6286

Directory of C:\WINDOWS\System32

12/20/2004 11:26 AM <DIR> dllcache
12/14/2004 07:47 PM 488 logonui.exe.manifest
12/14/2004 07:47 PM 488 WindowsLogon.manifest
12/14/2004 07:47 PM 749 nwc.cpl.manifest
12/14/2004 07:47 PM 749 sapi.cpl.manifest
12/14/2004 07:47 PM 749 ncpa.cpl.manifest
12/14/2004 07:47 PM 749 wuaucpl.cpl.manifest
12/14/2004 07:47 PM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 17,918,836,736 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is CC4C-6286

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is CC4C-6286

Directory of C:\WINDOWS\System32

08/23/2001 07:00 AM 2,577 CONFIG.TMP
06/17/1998 10:00 PM 378,128 expsrv.dll.tmp
2 File(s) 380,705 bytes
0 Dir(s) 17,918,832,640 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{60BF94EC-28C3-40C5-B4F8-0F9D3B346E89}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvlu0939e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Tue Dec 14 2004 7:47:44p A..HR 749 0.73 K
logonu~1.man Tue Dec 14 2004 7:47:54p A..HR 488 0.48 K
ncpacp~1.man Tue Dec 14 2004 7:47:44p A..HR 749 0.73 K
nwccpl~1.man Tue Dec 14 2004 7:47:44p A..HR 749 0.73 K
sapicp~1.man Tue Dec 14 2004 7:47:44p A..HR 749 0.73 K
window~1.man Tue Dec 14 2004 7:47:54p A..HR 488 0.48 K
wuaucp~1.man Tue Dec 14 2004 7:47:44p A..HR 749 0.73 K

7 items found: 7 files, 0 directories.
Total of file sizes: 4,721 bytes 4.61 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\ntdll.dll: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"AWMON"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Professional\\Ad-Watch.exe\""


HIJACKTHIS LOG

Logfile of HijackThis v1.99.0
Scan saved at 1:47:32 PM, on 12/25/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Global Startup: strings.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094158972562
O17 - HKLM\System\CCS\Services\Tcpip\..\{17ECA87E-3225-4439-A350-96E42074F64F}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{17ECA87E-3225-4439-A350-96E42074F64F}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{17ECA87E-3225-4439-A350-96E42074F64F}: NameServer = 192.168.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#12 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:09:14 PM

Posted 25 December 2004 - 01:53 PM

A. Recycle bin

Start Killbox.exe

Select the Delete on reboot option.

1. Copy and paste the line below in the field labeled "Full path of file to delete"
c:\recycler

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the YES button.

Your computer will reboot. Check if the recycle bin is OK. Create an empty TXT file and delete it. Please report back.

B. Restore user agent string

Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{60BF94EC-28C3-40C5-B4F8-0F9D3B346E89}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""


Double-click on the fix.reg file on your desktop, and when it prompts to merge say Yes, and this will repair some registry entries.

C. Restore Policy
Download VX2Finder from this link:
http://www.downloads.subratam.org/VX2Finder.exe
Run Vx2Finder and click on the Restore Policy button.


REBOOT your machine and post a new hijackthis log please.
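A defender's check for the two artefacts this fix targets (the notify package under Winlogon\Notify\policies that loads a DLL from system32, and the GUID token under User Agent\Post Platform), written as an added example that is not code from the thread or from Find.bat, VX2Finder or Killbox. It parses the REGEDIT4 sections Find.bat printed in the logs above, flags notify entries whose DLL is outside an assumed set of stock XP notify DLLs and Post Platform names that are bare GUIDs, and writes out a fix.reg in the same shape as the one posted here; the known-DLL set and the sample export are assumptions constructed from the log text.

```python
"""Flag VX2-style entries in a Find.bat / VX2Finder REGEDIT4 export and emit
the removal lines of a fix.reg shaped like the one posted above.
Added example (not code from the thread, Find.bat, VX2Finder or Killbox);
KNOWN_NOTIFY_DLLS is assumed from the stock entries in the log, and
SAMPLE_EXPORT is constructed from the log text in this thread."""
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
POST_PLATFORM_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform"

# Assumption: the DLLs behind the stock Windows XP notify packages seen unflagged in the log
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}
# A bare GUID used as a Post Platform value name is what VX2Finder lists under "User Agent String---"
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

# Constructed from the "User Agent" and "Keys Under Notify" sections of the Find.bat log above
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{60BF94EC-28C3-40C5-B4F8-0F9D3B346E89}"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvlu0939e.dll"
"Logon"="WinLogon"
'''


def decode_value(value):
    """Decode the REGEDIT4 value syntaxes used in the export."""
    if value.startswith('"'):
        # REG_SZ: strip the quotes, then un-escape \" and \\
        return value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if value.startswith("dword:"):
        return int(value[len("dword:"):], 16)
    m = re.match(r"hex\(2\):(.*)", value)
    if m:
        # REG_EXPAND_SZ written as comma-separated bytes, NUL-terminated
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b)
        return data.split(b"\x00", 1)[0].decode("latin-1")
    return value


def parse_regedit4(text):
    """Return {key_path: {value_name: decoded_value}} for a REGEDIT4 export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = decode_value(value)
    return keys


def find_rogue_notify(keys):
    """[(subkey, dll)] for notify packages whose DLL is not in the known set."""
    prefix, rogue = NOTIFY_KEY.lower() + "\\", []
    for path, values in keys.items():
        if path.lower().startswith(prefix):
            # value names are case-insensitive; the log has both DllName and DLLName
            dll = {k.lower(): v for k, v in values.items()}.get("dllname", "")
            if dll.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
                rogue.append((path[len(prefix):], dll))
    return rogue


def find_rogue_post_platform(keys):
    """Post Platform value names that are bare GUIDs."""
    for path, values in keys.items():
        if path.lower() == POST_PLATFORM_KEY.lower():
            return sorted(n for n in values if GUID_RE.match(n))
    return []


def build_fix_reg(rogue_notify, rogue_ua):
    """Emit REGEDIT4 text in the same shape as the fix.reg posted above."""
    lines = ["REGEDIT4", ""]
    for subkey, _dll in rogue_notify:
        lines.append("[-%s\\%s]" % (NOTIFY_KEY, subkey))  # leading '-' deletes the subkey
    if rogue_ua:
        lines.append("[%s]" % POST_PLATFORM_KEY)
        lines.extend('"%s"=-' % n for n in rogue_ua)       # '=-' deletes the value
        lines.append('"SV1"=""')                           # put back the IE6 SP2 token
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    k = parse_regedit4(SAMPLE_EXPORT)
    print(build_fix_reg(find_rogue_notify(k), find_rogue_post_platform(k)))
```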

#13 role2682

role2682
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:09:14 PM

Posted 25 December 2004 - 02:12 PM

Logfile of HijackThis v1.99.0
Scan saved at 2:10:58 PM, on 12/25/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Global Startup: strings.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094158972562
O17 - HKLM\System\CCS\Services\Tcpip\..\{17ECA87E-3225-4439-A350-96E42074F64F}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{17ECA87E-3225-4439-A350-96E42074F64F}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{17ECA87E-3225-4439-A350-96E42074F64F}: NameServer = 192.168.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#14 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:09:14 PM

Posted 25 December 2004 - 02:25 PM

Run HijackThis!, press Scan, and put a check mark next to all these:

O4 - Global Startup: strings.exe

Close all other windows and browsers, and press the Fix Checked button.

REBOOT into Safe Mode, search for and delete this file: strings.exe

REBOOT normally and post a new log please. :thumbsup:

#15 role2682

role2682
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:09:14 PM

Posted 25 December 2004 - 02:54 PM

Logfile of HijackThis v1.99.0
Scan saved at 2:52:54 PM, on 12/25/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094158972562
O17 - HKLM\System\CCS\Services\Tcpip\..\{17ECA87E-3225-4439-A350-96E42074F64F}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{17ECA87E-3225-4439-A350-96E42074F64F}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{17ECA87E-3225-4439-A350-96E42074F64F}: NameServer = 192.168.0.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



