
HJT log-zifnab


30 replies to this topic

#1 zifnab

Posted 24 December 2004 - 01:00 PM

I recently had Bargain Buddy, which opened up a door to a whole ton of other spyware. I've run Spybot S&D and Ad-Aware, and yet I keep getting popups. If anyone could help me out I'd be very thankful. Thanks, and merry Christmas:

Logfile of HijackThis v1.97.7
Scan saved at 12:52:10 PM, on 12/24/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SED\SED.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\xl.exe
C:\Program Files\AIM95\aim.exe
F:\foobar\foobar2000.exe
C:\Program Files\Free Surfer\FS20.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\dnl\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.buyxtremegear.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [vkojsahixns] C:\WINDOWS\system32\ehbswotk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [dcwwfwguj] C:\WINDOWS\system32\ehbswotk.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvrob32.exe
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Free Surfer (HKLM)
O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.buyxtremegear.com
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c18.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5CAD44F7-50E5-4761-84A9-7C84F8EC2158} (Napster inforeader control v2.0) - http://sms.napster.com/client/plugin/npdownload.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9F6D8A59-DD92-499D-944A-38FDB2CE46FF} (Napster download control v2.0) - http://sms.napster.com/client/plugin/npdownload.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - http://by99fd.bay99.hotmail.msn.com/activex/HMAtchmt.ocx


#2 Y kawika

    Anti-Spyware Brigade

Posted 24 December 2004 - 03:52 PM

Merry Christmas to you too! You need to take care of a couple of things and then we'll get to the nitty-gritty! :thumbsup:

First, grab the latest version of HijackThis here: http://www.bleepingcomputer.com/files/hijackthis.php
Give it a home of its own like you did for the previous version:
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

Go to Add/Remove programs in the Control Panel and uninstall either of these entries if found:
SESync
SED


Next download LSP Fix

Open LSP Fix and look for these 2 entries:

aklsp.dll
calsp.dll

If either of these entries is on the left hand side window, then put a check next to the "I know what I'm doing".
Highlight each occurrence of these specific DLLs and, using the ">>" button, move each to the right side window.

It is important that only these 2 files are moved, leave the other entries alone. Once completed, click the "Finish>>" button.

If the entries are already on the right, then just click the "Finish>>" button to repair the winsock.

Reboot your computer and post a fresh scan log with the latest version of HijackThis. :)Y

#3 zifnab

Posted 26 December 2004 - 08:32 PM

Thanks for the help. SESync and SED both were not there, but the .dlls were. Here's the new log:

Logfile of HijackThis v1.99.0
Scan saved at 8:30:52 PM, on 12/26/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\xl.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
F:\hjt\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.buyxtremegear.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c18.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5CAD44F7-50E5-4761-84A9-7C84F8EC2158} (Napster inforeader control v2.0) - http://sms.napster.com/client/plugin/npdownload.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9F6D8A59-DD92-499D-944A-38FDB2CE46FF} (Napster download control v2.0) - http://sms.napster.com/client/plugin/npdownload.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\system32\angelex.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: XtreamLok License Manager - Unknown - C:\WINDOWS\system32\xl.exe

#4 Y kawika

    Anti-Spyware Brigade

Posted 28 December 2004 - 03:32 PM

Go to Start, then Run, then type: notepad
Click OK and a new text document will open. Copy and paste the following to notepad:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ISEXENG]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ISEXEng]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ISEXENG]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ISEXEng]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ISEXENG]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ISEXEng]

Name the file: bb.reg
Change the Save as type to: All Files
Save the file to: Desktop

Rescan with HijackThis, put a check next to these items, close all browser/explorer windows, and press 'Fix Checked':

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c18.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\system32\angelex.exe (file missing)

After fixing these files, close HijackThis. Double click on the bb.reg file and answer yes to merge it with the registry.

Reboot your computer, rescan with HijackThis and post a fresh scan log. :)Y

Edited by Y kawika, 29 December 2004 - 09:04 AM.


#5 zifnab

Posted 30 December 2004 - 02:00 PM

Thanks, here you go:

Logfile of HijackThis v1.99.0
Scan saved at 2:00:11 PM, on 12/30/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\xl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
F:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.buyxtremegear.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5CAD44F7-50E5-4761-84A9-7C84F8EC2158} (Napster inforeader control v2.0) - http://sms.napster.com/client/plugin/npdownload.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9F6D8A59-DD92-499D-944A-38FDB2CE46FF} (Napster download control v2.0) - http://sms.napster.com/client/plugin/npdownload.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: XtreamLok License Manager - Unknown - C:\WINDOWS\system32\xl.exe

#6 Y kawika

    Anti-Spyware Brigade

Posted 30 December 2004 - 11:42 PM

You're doing real good! The next pest can be tricky, so we're gonna need some tools to help weed it all out.

Download and unzip as necessary each of these files to their own folders, preferably on the Desktop for easier access.

Findit NT-2K-XP.Zip

DllCompare

VX2Finder Tool

Please note that once you have run the tools and posted their respective logs, the computer must not be rebooted or shut down.

This particular pest randomly changes the names of files used to avoid removal. Nice, huh!?!

Once you are ready and the tools are in place, start the scans as follows:

Findit NT-2K-XP.zip:
Navigate to the Find It folder and double-click on find.bat.
A command prompt will open and it will search your computer for malicious files.
Once it has finished a Notepad window will pop up with output.txt.
Copy the entire contents of output.txt into your next post.

DllCompare:
Run DllCompare and click on the RunLocate.com button. It will scan for the hidden files. When it is finished, you will see in blue "Completed scan, Click Compare to Continue", at which time you will click the Compare button.

It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.
In a few minutes it will complete, and then you will see in blue "Completed".
Click the Make a Log of what was Found button. It will ask if you want to view the logfile. Click Yes then copy and paste that log in your next reply.

VX2Finder Tool:
Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here too. If it doesn't open the log in notepad then just copy it from the Window where the info is displayed in VX2Finder.

Include an updated HijackThis scan log as well. :)Y
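
The pest described in this reply is identified by behaviour rather than filename, which is why the tools above compare sizes and timestamps and dump the Winlogon\Notify keys instead of searching for a known name. The following is an added example, not one of the tools linked in the post, that applies the two name-independent checks those tools automate: cluster recently written system32 DLLs whose sizes lie within a narrow band, then correlate them with any Winlogon\Notify subkey whose DllName loads one of them (the so-called guardian that recreates the family after a copy is deleted). The directory listing and registry export are constructed to match the shape of the Find.bat output posted further down; the 30-day window, the 2 KB size tolerance and the scan time are assumptions.

```python
"""Name-independent detection of a self-renaming DLL family (added example)."""
import re
from datetime import datetime, timedelta

# Constructed input modeled on the Find.bat "dir" output posted in this thread.
DIR_LISTING = """
01/18/2005 05:02 PM 225,674 wxpencen.dll
01/17/2005 05:58 PM 225,674 n02ulaf91d2.dll
01/16/2005 06:22 PM 225,674 dn2801fue.dll
01/15/2005 03:32 PM 224,685 ktj6l71s1.dll
01/15/2005 10:59 AM 224,685 SvmStore.dll
01/09/2005 11:31 AM 226,298 mfd32.dll
12/07/1999 05:00 AM 977,680 vfpodbc.dll
04/24/1998 12:00 AM 203,641 Drvvfp.hlp
"""

# Constructed REGEDIT4 export modeled on the "Keys Under Notify" section.
NOTIFY_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"DllName"=""
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dn2801fue.dll"
"Logon"="WinLogon"
"""

# Assumption: the time the listing was taken (Find.bat ran on 01/18/2005).
NOW = datetime(2005, 1, 18, 17, 3)

DIR_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S+)$")
NOTIFY_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Winlogon\\Notify\\([^\]]+)\]$", re.I)
DLLNAME_RE = re.compile(r'^"DllName"="(.+)"$')


def parse_listing(text):
    """Turn "dir" lines into (name, size_bytes, timestamp) tuples."""
    files = []
    for line in text.splitlines():
        m = DIR_RE.match(line.strip())
        if m:
            when = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %I:%M %p")
            files.append((m.group(4), int(m.group(3).replace(",", "")), when))
    return files


def size_clusters(files, now, max_age_days=30, tolerance=2048, min_members=2):
    """Group recently written DLLs whose sizes fall within `tolerance` bytes.
    A family that re-drops itself varies by a few hundred bytes per copy but
    never by much, and legitimate system DLLs do not arrive in such bursts."""
    recent = sorted(
        (f for f in files
         if f[0].lower().endswith(".dll") and now - f[2] <= timedelta(days=max_age_days)),
        key=lambda f: f[1])
    clusters, current = [], []
    for f in recent:
        if current and f[1] - current[0][1] > tolerance:
            if len(current) >= min_members:
                clusters.append(current)
            current = []
        current.append(f)
    if len(current) >= min_members:
        clusters.append(current)
    return clusters


def notify_dlls(export_text):
    """Map each Winlogon\\Notify subkey to the DllName winlogon loads for it."""
    result, key = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = NOTIFY_KEY_RE.match(line)
            key = m.group(1) if m else None
            continue
        m = DLLNAME_RE.match(line)
        if m and key:
            result[key] = m.group(1).replace("\\\\", "\\")  # undo .reg escaping
    return result


def guardian_hits(clusters, notify):
    """Notify subkeys whose DllName is a member of a size cluster."""
    members = {f[0].lower() for c in clusters for f in c}
    return {k: v for k, v in notify.items() if v.lower().rsplit("\\", 1)[-1] in members}


def analyze(listing=DIR_LISTING, export=NOTIFY_EXPORT, now=NOW):
    """Run both checks and return clusters, Notify DLLs and the correlation."""
    clusters = size_clusters(parse_listing(listing), now)
    notify = notify_dlls(export)
    return {"clusters": clusters, "notify": notify, "guardian": guardian_hits(clusters, notify)}


if __name__ == "__main__":
    report = analyze()
    for cluster in report["clusters"]:
        print("size cluster:", [(f[0], f[1]) for f in cluster])
    print("Notify DLLs:", report["notify"])
    print("guardian candidates:", report["guardian"])
```

Because the Notify DLL is loaded by winlogon.exe at logon, deleting the cluster while the guardian is still registered just gets the files re-created on the next boot, which is why the helper insists that the machine not be rebooted between running the tools and applying the fix.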

#7 zifnab

Posted 18 January 2005 - 05:15 PM

Thank you so much, man.

NT:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Richard\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 3851-3C3F

Directory of C:\WINDOWS\System32

01/18/2005 05:03 PM <DIR> dllcache
01/18/2005 05:02 PM 225,674 wxpencen.dll
01/17/2005 05:58 PM 225,674 n02ulaf91d2.dll
01/16/2005 06:22 PM 225,674 dn2801fue.dll
01/15/2005 07:39 PM 225,674 k6pm0g71e6.dll
01/15/2005 03:57 PM 32 {F4F4A775-6611-4849-BCA9-8ECB1CB2747F}.dat
01/15/2005 03:50 PM 225,674 q668lgju16o8.dll
01/15/2005 03:40 PM 225,674 dn4m01h1e.dll
01/15/2005 03:32 PM 224,685 ktj6l71s1.dll
01/15/2005 10:59 AM 224,685 SvmStore.dll
01/14/2005 04:40 PM 225,412 n2p40c7qef.dll
01/13/2005 11:47 AM 225,757 kt20l7fm1.dll
01/10/2005 07:52 PM 225,757 ipetppui.dll
01/09/2005 08:18 PM 226,298 p68q0gl5e6q.dll
01/09/2005 11:31 AM 226,298 mfd32.dll
04/20/2003 09:04 PM <DIR> Microsoft
01/09/2003 09:32 AM 9,728 Thumbs.db
02/22/2001 02:55 PM 13,347 Vfpodbc.txt
12/07/1999 05:00 AM 977,680 vfpodbc.dll
04/24/1998 12:00 AM 203,641 Drvvfp.hlp
04/24/1998 12:00 AM 5,446 Drvvfp.cnt
19 File(s) 4,142,810 bytes
2 Dir(s) 8,585,015,296 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 3851-3C3F

Directory of C:\WINDOWS\System32

01/18/2005 05:03 PM <DIR> dllcache
01/15/2005 03:57 PM 32 {F4F4A775-6611-4849-BCA9-8ECB1CB2747F}.dat
01/12/2005 03:31 PM <DIR> vmss
01/12/2005 03:31 PM <DIR> wsxsvc
04/18/2003 03:25 AM 488 logonui.exe.manifest
04/18/2003 03:25 AM 488 WindowsLogon.manifest
04/18/2003 03:25 AM 749 cdplayer.exe.manifest
04/18/2003 03:25 AM 749 ncpa.cpl.manifest
04/18/2003 03:25 AM 749 sapi.cpl.manifest
04/18/2003 03:25 AM 749 nwc.cpl.manifest
04/18/2003 03:25 AM 749 wuaucpl.cpl.manifest
01/09/2003 09:32 AM 9,728 Thumbs.db
9 File(s) 14,481 bytes
3 Dir(s) 8,585,011,200 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 3851-3C3F

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 3851-3C3F

Directory of C:\WINDOWS\System32

08/11/2004 12:45 AM 5,550,080 setb6.tmp
08/29/2002 07:00 AM 2,577 CONFIG.TMP
2 File(s) 5,552,657 bytes
0 Dir(s) 8,585,011,200 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{39CB5366-3FAF-47BE-A84F-B070B71EB7AA}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dn2801fue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



----------------------------------------------------
dll:
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\dn2801~1.dll Sun Jan 16 2005 6:22:58p ..S.R 225,674 220.38 K
C:\WINDOWS\SYSTEM32\dn4m01~1.dll Sat Jan 15 2005 3:40:46p ..S.R 225,674 220.38 K
C:\WINDOWS\SYSTEM32\ipetppui.dll Mon Jan 10 2005 7:52:52p ..S.R 225,757 220.46 K
C:\WINDOWS\SYSTEM32\k6pm0g~1.dll Sat Jan 15 2005 7:39:16p ..S.R 225,674 220.38 K
C:\WINDOWS\SYSTEM32\kt20l7~1.dll Thu Jan 13 2005 11:47:14a ..S.R 225,757 220.46 K
C:\WINDOWS\SYSTEM32\ktj6l7~1.dll Sat Jan 15 2005 3:32:24p ..S.R 224,685 219.42 K
C:\WINDOWS\SYSTEM32\mfd32.dll Sun Jan 9 2005 11:31:26a ..S.R 226,298 220.99 K
C:\WINDOWS\SYSTEM32\n02ula~1.dll Mon Jan 17 2005 5:58:12p ..S.R 225,674 220.38 K
C:\WINDOWS\SYSTEM32\n2p40c~1.dll Fri Jan 14 2005 4:40:34p ..S.R 225,412 220.13 K
C:\WINDOWS\SYSTEM32\p68q0g~1.dll Sun Jan 9 2005 8:18:56p ..S.R 226,298 220.99 K
C:\WINDOWS\SYSTEM32\q668lg~1.dll Sat Jan 15 2005 3:50:52p ..S.R 225,674 220.38 K
C:\WINDOWS\SYSTEM32\svmstore.dll Sat Jan 15 2005 10:59:06a ..S.R 224,685 219.42 K
C:\WINDOWS\SYSTEM32\vfpodbc.dll Tue Dec 7 1999 5:00:00a A.S.. 977,680 954.77 K
________________________________________________

1,351 items found: 1,351 files (13 H/S), 0 directories.
Total of file sizes: 292,607,805 bytes 279.05 M

Administrator Account = True

--------------------End log---------------------
---------------------------------------------------------------------
vx2:
Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
Controls Folder


Guardian Key--- is called:
Asynchronous 000
DllName
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Shutdown WinShutdown

User Agent String---
{39CB5366-3FAF-47BE-A84F-B070B71EB7AA}
---------------------------------------------------------------
hjt:
Logfile of HijackThis v1.99.0
Scan saved at 5:14:00 PM, on 1/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\xl.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
F:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.buyxtremegear.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5CAD44F7-50E5-4761-84A9-7C84F8EC2158} (Napster inforeader control v2.0) - http://sms.napster.com/client/plugin/npdownload.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9F6D8A59-DD92-499D-944A-38FDB2CE46FF} (Napster download control v2.0) - http://sms.napster.com/client/plugin/npdownload.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: XtreamLok License Manager - Unknown - C:\WINDOWS\system32\xl.exe

#8 Y kawika

Y kawika

    Anti-Spyware Brigade


  • Members
  • 38 posts
  • Gender:Male
  • Location:Long Island, NY USA

Posted 18 January 2005 - 09:39 PM

Excellent! I've read your scan logs and am putting the procedure together for you. In the meantime, download these two utilities and unzip them into their own folders. We will be using them shortly.

Pocket KillBox Utility

Hoster.zip

Don't let the rig reboot, hang in there! :)Y

#9 zifnab

zifnab
  • Topic Starter

  • Members
  • 19 posts
  • Location:va

Posted 18 January 2005 - 09:59 PM

Alright, I'm ready when you are. And thanks again for helping me out here.

#10 Y kawika

Y kawika

    Anti-Spyware Brigade


  • Members
  • 38 posts
  • Gender:Male
  • Location:Long Island, NY USA

Posted 18 January 2005 - 11:02 PM

Let's make sure that all Hidden files are visible. Here's how:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Disconnect from the Internet and close all running programs! Copy these instructions to Notepad for copy/paste use, since you will be off the Internet and cannot open this window.

Run Pocket Killbox and click on Tools > Delete Temp Files and let it do its thing.

Now put a tick by Replace on Reboot. Under that also put a check in the box by Use Dummy. In the "Paste Full Path of File to Delete" box, copy and paste each of the following lines one at a time.

After each one it will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click NO. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

If KillBox tells you the file cannot be deleted, then put a tick by Delete on Reboot for that particular file and then click the button with the red circle and an X in the middle. It will ask for confirmation and if you want to reboot now. Click No then OK on the next prompt. It is also possible that it will tell you that one or more do not exist. Continue on as instructed if that happens.

Here's the files:
C:\WINDOWS\System32\wxpencen.dll
C:\WINDOWS\System32\n02ulaf91d2.dll
C:\WINDOWS\System32\dn2801fue.dll
C:\WINDOWS\System32\k6pm0g71e6.dll
C:\WINDOWS\System32\q668lgju16o8.dll
C:\WINDOWS\System32\dn4m01h1e.dll
C:\WINDOWS\System32\ktj6l71s1.dll
C:\WINDOWS\System32\SvmStore.dll
C:\WINDOWS\System32\n2p40c7qef.dll
C:\WINDOWS\System32\kt20l7fm1.dll
C:\WINDOWS\System32\ipetppui.dll
C:\WINDOWS\System32\p68q0gl5e6q.dll
C:\WINDOWS\System32\mfd32.dll


Run the Hoster and click "Restore Original Hosts" and press "OK" then Exit the Hoster.

Go to Start then Run then type : notepad
Click OK and a new text document will open. Copy and paste the following to notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{39CB5366-3FAF-47BE-A84F-B070B71EB7AA}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]


Name the file: fixme.reg
Change the Save as type to: All Files
Save the file to: Desktop

Double click on the fixme.reg file to enter it into the registry. Answer Yes when asked to have its contents added to the registry.

Ok ready! Time to reboot! After rebooting, open the VX2finder utility.
Click on: User Agent$
Also click: Restore Policy
Go to File in the upper menu bar and select: Exit

Rescan with HijackThis and put checks next to the following items if still present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

Make sure that all other windows are closed and then click on the 'Fix Checked' button.

The following Folder Contents, but not the Folder itself, need to be deleted. Open each of these Folders, then click Edit (at the top), choose Select All, then Delete the highlighted entries.
C:\Windows\Temp\
C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
Then empty the Recycle Bin.

Run Findit NT-2K-XP as you did before as well as another HijackThis log and post the results of each of these scans. Also let me know if your Recycle Bin is working properly, this pest sometimes messes with it.

Once the scans are posted, don't reboot until I've had a look at them, OK?

Take your time and be careful. This is quite a pest! :)Y

#11 zifnab

zifnab
  • Topic Starter

  • Members
  • 19 posts
  • Location:va

Posted 19 January 2005 - 09:14 AM

Sorry man, I turned off the computer last night when I wasn't thinking. Sorry, I'll get the new logs up in a bit.

#12 zifnab

zifnab
  • Topic Starter

  • Members
  • 19 posts
  • Location:va

Posted 19 January 2005 - 06:55 PM

NT:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Richard\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 3851-3C3F

Directory of C:\WINDOWS\System32

01/18/2005 05:04 PM 225,674 n0r20a9oed.dll
01/18/2005 05:03 PM <DIR> dllcache
01/17/2005 05:58 PM 225,674 n02ulaf91d2.dll
01/15/2005 07:39 PM 225,674 k6pm0g71e6.dll
01/15/2005 03:57 PM 32 {F4F4A775-6611-4849-BCA9-8ECB1CB2747F}.dat
01/15/2005 03:50 PM 225,674 q668lgju16o8.dll
01/15/2005 03:40 PM 225,674 dn4m01h1e.dll
01/15/2005 03:32 PM 224,685 ktj6l71s1.dll
01/15/2005 10:59 AM 224,685 SvmStore.dll
01/14/2005 04:40 PM 225,412 n2p40c7qef.dll
01/13/2005 11:47 AM 225,757 kt20l7fm1.dll
01/10/2005 07:52 PM 225,757 ipetppui.dll
01/09/2005 08:18 PM 226,298 p68q0gl5e6q.dll
01/09/2005 11:31 AM 226,298 mfd32.dll
04/20/2003 09:04 PM <DIR> Microsoft
01/09/2003 09:32 AM 9,728 Thumbs.db
02/22/2001 02:55 PM 13,347 Vfpodbc.txt
12/07/1999 05:00 AM 977,680 vfpodbc.dll
04/24/1998 12:00 AM 203,641 Drvvfp.hlp
04/24/1998 12:00 AM 5,446 Drvvfp.cnt
18 File(s) 3,917,136 bytes
2 Dir(s) 8,581,537,792 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 3851-3C3F

Directory of C:\WINDOWS\System32

01/18/2005 05:03 PM <DIR> dllcache
01/15/2005 03:57 PM 32 {F4F4A775-6611-4849-BCA9-8ECB1CB2747F}.dat
01/12/2005 03:31 PM <DIR> vmss
01/12/2005 03:31 PM <DIR> wsxsvc
04/18/2003 03:25 AM 488 logonui.exe.manifest
04/18/2003 03:25 AM 488 WindowsLogon.manifest
04/18/2003 03:25 AM 749 cdplayer.exe.manifest
04/18/2003 03:25 AM 749 ncpa.cpl.manifest
04/18/2003 03:25 AM 749 sapi.cpl.manifest
04/18/2003 03:25 AM 749 nwc.cpl.manifest
04/18/2003 03:25 AM 749 wuaucpl.cpl.manifest
01/09/2003 09:32 AM 9,728 Thumbs.db
9 File(s) 14,481 bytes
3 Dir(s) 8,581,533,696 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 3851-3C3F

Directory of C:\WINDOWS\System32

01/19/2005 06:41 PM 225,674 guard.tmp
1 File(s) 225,674 bytes
0 Dir(s) 8,581,533,696 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 3851-3C3F

Directory of C:\WINDOWS\System32

01/19/2005 06:41 PM 225,674 guard.tmp
08/11/2004 12:45 AM 5,550,080 setb6.tmp
08/29/2002 07:00 AM 2,577 CONFIG.TMP
3 File(s) 5,778,331 bytes
0 Dir(s) 8,581,550,080 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{39CB5366-3FAF-47BE-A84F-B070B71EB7AA}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\n02ulaf91d2.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
dn4m01~1.dll Sat Jan 15 2005 3:40:46p ..S.R 225,674 220.38 K
ipetppui.dll Mon Jan 10 2005 7:52:52p ..S.R 225,757 220.46 K
k6pm0g~1.dll Sat Jan 15 2005 7:39:16p ..S.R 225,674 220.38 K
kt20l7~1.dll Thu Jan 13 2005 11:47:14a ..S.R 225,757 220.46 K
ktj6l7~1.dll Sat Jan 15 2005 3:32:24p ..S.R 224,685 219.42 K
mfd32.dll Sun Jan 9 2005 11:31:26a ..S.R 226,298 220.99 K
n02ula~1.dll Mon Jan 17 2005 5:58:12p ..S.R 225,674 220.38 K
n0r20a~1.dll Tue Jan 18 2005 5:05:00p ..S.R 225,674 220.38 K
n2p40c~1.dll Fri Jan 14 2005 4:40:34p ..S.R 225,412 220.13 K
p68q0g~1.dll Sun Jan 9 2005 8:18:56p ..S.R 226,298 220.99 K
q668lg~1.dll Sat Jan 15 2005 3:50:52p ..S.R 225,674 220.38 K
svmstore.dll Sat Jan 15 2005 10:59:06a ..S.R 224,685 219.42 K
{f4f4a~1.dat Sat Jan 15 2005 3:57:32p A.SH. 32 0.03 K

13 items found: 13 files, 0 directories.
Total of file sizes: 2,707,294 bytes 2.58 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



--------------------------------------------------------
dll:
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\dn4m01~1.dll Sat Jan 15 2005 3:40:46p ..S.R 225,674 220.38 K
C:\WINDOWS\SYSTEM32\ipetppui.dll Mon Jan 10 2005 7:52:52p ..S.R 225,757 220.46 K
C:\WINDOWS\SYSTEM32\k6pm0g~1.dll Sat Jan 15 2005 7:39:16p ..S.R 225,674 220.38 K
C:\WINDOWS\SYSTEM32\kt20l7~1.dll Thu Jan 13 2005 11:47:14a ..S.R 225,757 220.46 K
C:\WINDOWS\SYSTEM32\ktj6l7~1.dll Sat Jan 15 2005 3:32:24p ..S.R 224,685 219.42 K
C:\WINDOWS\SYSTEM32\mfd32.dll Sun Jan 9 2005 11:31:26a ..S.R 226,298 220.99 K
C:\WINDOWS\SYSTEM32\n02ula~1.dll Mon Jan 17 2005 5:58:12p ..S.R 225,674 220.38 K
C:\WINDOWS\SYSTEM32\n0r20a~1.dll Tue Jan 18 2005 5:05:00p ..S.R 225,674 220.38 K
C:\WINDOWS\SYSTEM32\n2p40c~1.dll Fri Jan 14 2005 4:40:34p ..S.R 225,412 220.13 K
C:\WINDOWS\SYSTEM32\p68q0g~1.dll Sun Jan 9 2005 8:18:56p ..S.R 226,298 220.99 K
C:\WINDOWS\SYSTEM32\q668lg~1.dll Sat Jan 15 2005 3:50:52p ..S.R 225,674 220.38 K
C:\WINDOWS\SYSTEM32\svmstore.dll Sat Jan 15 2005 10:59:06a ..S.R 224,685 219.42 K
C:\WINDOWS\SYSTEM32\vfpodbc.dll Tue Dec 7 1999 5:00:00a A.S.. 977,680 954.77 K
________________________________________________

1,350 items found: 1,350 files (13 H/S), 0 directories.
Total of file sizes: 292,382,131 bytes 278.84 M

Administrator Account = True

--------------------End log---------------------
--------------------------------------------------------------------
vx2:
Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
ShellScrap


Guardian Key--- is called:
Asynchronous 000
DllName
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Shutdown WinShutdown

User Agent String---
{39CB5366-3FAF-47BE-A84F-B070B71EB7AA}
---------------------------------------------------------------------
hjt:
Logfile of HijackThis v1.99.0
Scan saved at 6:54:39 PM, on 1/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\xl.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
F:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.buyxtremegear.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5CAD44F7-50E5-4761-84A9-7C84F8EC2158} (Napster inforeader control v2.0) - http://sms.napster.com/client/plugin/npdownload.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9F6D8A59-DD92-499D-944A-38FDB2CE46FF} (Napster download control v2.0) - http://sms.napster.com/client/plugin/npdownload.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: XtreamLok License Manager - Unknown - C:\WINDOWS\system32\xl.exe

Thanks again, and sorry to do this to you.

#13 Y kawika

Y kawika

    Anti-Spyware Brigade


  • Members
  • 38 posts
  • Gender:Male
  • Location:Long Island, NY USA

Posted 19 January 2005 - 08:12 PM

Hey, it happens! The pest knows that you're on to it and dug in deeper though. Just take your time and do these procedures carefully and we'll get your rig running right.

Make sure that all Hidden files are visible. Here's how:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Disconnect from the Internet and close all running programs! Copy these instructions to Notepad for copy/paste use, since you will be off the Internet and cannot open this window.

Run Pocket Killbox and click on Tools > Delete Temp Files and let it do its thing.

Now put a tick by Replace on Reboot. Under that also put a check in the box by Use Dummy. In the "Paste Full Path of File to Delete" box, copy and paste each of the following lines one at a time. After each one it will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click NO. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.
If KillBox tells you the file cannot be deleted, then put a tick by Delete on Reboot for that particular file and then click the button with the red circle and an X in the middle. It will ask for confirmation and if you want to reboot now. Click No then OK on the next prompt. It is also possible that it will tell you that one or more do not exist. Continue on as instructed if that happens.

Here's the files:

C:\WINDOWS\System32\n0r20a9oed.dll
C:\WINDOWS\System32\n02ulaf91d2.dll
C:\WINDOWS\System32\k6pm0g71e6.dll
C:\WINDOWS\System32\q668lgju16o8.dll
C:\WINDOWS\System32\dn4m01h1e.dll
C:\WINDOWS\System32\ktj6l71s1.dll
C:\WINDOWS\System32\SvmStore.dll
C:\WINDOWS\System32\n2p40c7qef.dll
C:\WINDOWS\System32\kt20l7fm1.dll
C:\WINDOWS\System32\ipetppui.dll
C:\WINDOWS\System32\p68q0gl5e6q.dll
C:\WINDOWS\System32\mfd32.dll
C:\WINDOWS\System32\guard.tmp


Run the Hoster and click "Restore Original Hosts" and press "OK" then Exit the Hoster.

Go to Start then Run then type : notepad
Click OK and a new text document will open. Copy and paste the following to notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{39CB5366-3FAF-47BE-A84F-B070B71EB7AA}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]


Name the file: fixme.reg
Change the Save as type to: All Files
Save the file to: Desktop

Double click on the fixme.reg file to enter it into the registry. Answer Yes when asked to have its contents added to the registry.

Time to reboot! After rebooting, open the VX2finder utility.
Click on: User Agent$
Also click: Restore Policy
Go to File in the upper menu bar and select: Exit

Rescan with HijackThis and put checks next to the following items if still present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

Make sure that all other windows are closed and then click on the 'Fix Checked' button, then close HijackThis.

Go to Start > Run and enter cmd This will open a command shell. Type or Copy and Paste in the following command and press Enter.

rd /s c:\recycler

The following Folder Contents, but not the Folder itself, need to be deleted. Open each of these Folders, then click Edit (at the top), choose Select All, then Delete the highlighted entries.
C:\Windows\Temp\
C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
Then empty the Recycle Bin.

Run Findit NT-2K-XP as you did before as well as another HijackThis log and post the results of each of these scans. Once the scans are posted, don't reboot. :)Y

#14 zifnab

zifnab
  • Topic Starter

  • Members
  • 19 posts
  • Location:va

Posted 20 January 2005 - 05:33 PM

Good news, bad news time. Good news: I did everything you said and it's all looking good. Bad news: there are some files in my sister's account that will not be deleted or moved; they claim they cannot be viewed or read from disk.

Here are the logs:
VX2:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Richard\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 3851-3C3F

Directory of C:\WINDOWS\System32

01/20/2005 05:21 PM <DIR> dllcache
01/15/2005 03:57 PM 32 {F4F4A775-6611-4849-BCA9-8ECB1CB2747F}.dat
04/20/2003 09:04 PM <DIR> Microsoft
01/09/2003 09:32 AM 9,728 Thumbs.db
02/22/2001 02:55 PM 13,347 Vfpodbc.txt
12/07/1999 05:00 AM 977,680 vfpodbc.dll
04/24/1998 12:00 AM 203,641 Drvvfp.hlp
04/24/1998 12:00 AM 5,446 Drvvfp.cnt
6 File(s) 1,209,874 bytes
2 Dir(s) 12,639,145,984 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 3851-3C3F

Directory of C:\WINDOWS\System32

01/20/2005 05:21 PM <DIR> dllcache
01/15/2005 03:57 PM 32 {F4F4A775-6611-4849-BCA9-8ECB1CB2747F}.dat
01/12/2005 03:31 PM <DIR> vmss
01/12/2005 03:31 PM <DIR> wsxsvc
04/18/2003 03:25 AM 488 logonui.exe.manifest
04/18/2003 03:25 AM 488 WindowsLogon.manifest
04/18/2003 03:25 AM 749 cdplayer.exe.manifest
04/18/2003 03:25 AM 749 ncpa.cpl.manifest
04/18/2003 03:25 AM 749 sapi.cpl.manifest
04/18/2003 03:25 AM 749 nwc.cpl.manifest
04/18/2003 03:25 AM 749 wuaucpl.cpl.manifest
01/09/2003 09:32 AM 9,728 Thumbs.db
9 File(s) 14,481 bytes
3 Dir(s) 12,639,141,888 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 3851-3C3F

Directory of C:\WINDOWS\System32

01/20/2005 04:44 PM 56 guard.tmp
1 File(s) 56 bytes
0 Dir(s) 12,639,141,888 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 3851-3C3F

Directory of C:\WINDOWS\System32

01/20/2005 04:44 PM 56 guard.tmp
08/11/2004 12:45 AM 5,550,080 setb6.tmp
08/29/2002 07:00 AM 2,577 CONFIG.TMP
3 File(s) 5,552,713 bytes
0 Dir(s) 12,639,141,888 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\n0r20a9oed.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
{f4f4a~1.dat Sat Jan 15 2005 3:57:32p A.SH. 32 0.03 K

1 item found: 1 file, 0 directories.
Total of file sizes: 32 bytes 0.03 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



----------------------------------------------------------------
hjt:
Logfile of HijackThis v1.99.0
Scan saved at 5:33:49 PM, on 1/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\xl.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
F:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.buyxtremegear.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {5CAD44F7-50E5-4761-84A9-7C84F8EC2158} (Napster inforeader control v2.0) - http://sms.napster.com/client/plugin/npdownload.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9F6D8A59-DD92-499D-944A-38FDB2CE46FF} (Napster download control v2.0) - http://sms.napster.com/client/plugin/npdownload.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: XtreamLok License Manager - Unknown - C:\WINDOWS\system32\xl.exe

#15 Y kawika

    Anti-Spyware Brigade

  • Members
  • 38 posts
  • Gender:Male
  • Location:Long Island, NY USA

Posted 20 January 2005 - 10:20 PM

Disconnect from the Internet and close all running programs! Copy these instructions to Notepad for copy/paste use, since you will be off the Internet and cannot open this window.

Run Pocket Killbox and click on Tools > Delete Temp Files and let it do its thing.
Now put a tick by Replace on Reboot. Under that also put a check in the box by Use Dummy. In the "Paste Full Path of File to Delete" box, copy and paste each of the following lines one at a time.
After each one it will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click NO. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.
If KillBox tells you the file cannot be deleted, then put a tick by Delete on Reboot for that particular file and then click the button with the red circle and an X in the middle. It will ask for confirmation and if you want to reboot now. Click No then OK on the next prompt. It is also possible that it will tell you that one or more do not exist. Continue on as instructed if that happens.

Here are the files:

C:\WINDOWS\system32\n0r20a9oed.dll
C:\WINDOWS\system32\{F4F4A775-6611-4849-BCA9-8ECB1CB2747F}.dat
C:\WINDOWS\system32\vmss\vmss.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\system32\guard.tmp


Go to Start then Run then type : notepad
Click OK and a new text document will open. Copy and paste the following to notepad:

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]


Name the file: fixme2.reg
Change the Save as type to: All Files
Save the file to: Desktop

Double click on the fixme2.reg file to enter into the registry. Answer yes when asked to have its contents added to the registry.

Once these steps are completed, reboot your computer into Safe Mode (As the computer is rebooting, tap on the F8 key repeatedly. This will bring up a Boot Menu with several options. Use the arrow keys on your keyboard to highlight Safe Mode and then hit the enter key.)

Once in Safe Mode, right click on your Start Button and choose 'Explore' then find and delete the following highlighted folders:

C:\WINDOWS\system32\vmss
C:\WINDOWS\system32\wsxsvc

It should be gone, but look for and if found, delete this file:

C:\WINDOWS\system32\guard.tmp

Clean out all temporary directories while in Safe Mode and then reboot normally.

After rebooting, open the VX2finder utility.
Click on: User Agent$
Also click: Restore Policy
Go to File in the upper menu bar and select: Exit

Run Findit NT-2K-XP as you did before as well as another HijackThis log and post the results of each of these scans. Once the scans are posted, don't reboot. You're doing well! :)Y
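As an added example that is not part of this thread, here is a small Python triage pass over HijackThis log lines of the kind posted above; it flags the entries a helper looks at first (browser start pages and ShellNext pointing at an unexpected host, ActiveX downloads from outside an allow-list, and O23 services whose binary carries no vendor name, like xl.exe). The sample lines are copied from the v1.99.0 log above; TRUSTED_HOSTS is an assumed allow-list for this example only.

```python
import re
from urllib.parse import urlparse

# Sample lines copied from the HijackThis v1.99.0 log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.buyxtremegear.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: XtreamLok License Manager - Unknown - C:\WINDOWS\system32\xl.exe
"""

# Hosts the user is known to have chosen themselves (an assumption for this example).
TRUSTED_HOSTS = {"www.cnn.com", "zone.msn.com", "download.mcafee.com"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")


def host_of(url):
    return urlparse(url).hostname or ""


def triage(log_text):
    """Return a list of (kind, reason, line) tuples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            # Start page / ShellNext pointing somewhere the user did not pick.
            for url in URL_RE.findall(body):
                if host_of(url) not in TRUSTED_HOSTS:
                    findings.append((kind, "untrusted URL " + host_of(url), line))
        elif kind == "O16":
            # ActiveX (Downloaded Program Files) fetched from outside the allow-list.
            for url in URL_RE.findall(body):
                if host_of(url) not in TRUSTED_HOSTS:
                    findings.append((kind, "ActiveX from " + host_of(url), line))
        elif kind == "O23":
            # Format is "Service: <name> - <vendor> - <path>"; split from the right so a
            # service name containing " - " does not shift the vendor and path fields.
            parts = body.rsplit(" - ", 2)
            vendor = parts[1].strip() if len(parts) == 3 else ""
            if vendor == "Unknown":
                findings.append((kind, "service with no vendor name", line))
    return findings
```

Run it with `triage(SAMPLE_LOG)`; on the sample it returns the ShellNext entry and the XtreamLok service, which are the two entries the thread's helpers treated as suspect.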



