ieautosearch problem


24 replies to this topic

#1 gersheff

Posted 26 December 2004 - 06:12 PM

Hi everyone!! This is my first time posting here, so please be kind :thumbsup:

I think I am infected with some kind of spyware. I keep getting weird popups, and when I ran HijackThis the log contained a couple of weird entries. Below is a copy of the log. These entries keep coming back after I delete them. I also did an Ad-Aware scan and a Spy Sweeper search, although when I try to quarantine the infected files in Ad-Aware my Explorer keeps crashing.

Here is the HijackThis log.

Logfile of HijackThis v1.98.2
Scan saved at 6:12:31 PM, on 12/26/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\SYMPATICO\ACCESS MANAGER\APP\ENTERNET.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003012...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {69DEAF94-AF66-11D3-BEC0-00105AA9B6AE} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.photolab.ca/activex/PCAXSetup.cab?
O16 - DPF: {6B1B6D11-E497-11D3-BE0C-005004AD2E83} (ImageStation Home Printing Control) - http://akimages.imagestation.com/common/cl...rintActiveX.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes...ion=4,3,2,20802

Thanks for any help.
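Added example, not part of the original post and not HijackThis code: a small Python checker for the pattern in the log above. The three O1 lines map the hosts that IE 6 and Netscape contact for address-bar keyword search to 69.20.16.183, so every mistyped URL lands on that server; a hosts entry pointing at 127.0.0.1 or 0.0.0.0 is the normal ad-blocking use and is not a hijack. The code parses the Rx/Oxx entries, flags O1 lines that resolve a name to a routable address, and diffs two scans so entries that regrow after a cleanup show up as "added". The two log excerpts are constructed from lines in this thread (the second one from the scan posted after the first KillBox run); the function names are my own.

```python
"""Flag hosts-file hijacks in a HijackThis log and diff two scans."""
import re
from collections import Counter
from ipaddress import ip_address

# Constructed excerpt of the first HijackThis log in this thread.
LOG_BEFORE = """\
Logfile of HijackThis v1.98.2
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\\..\\Run: [ScanRegistry] C:\\WINDOWS\\scanregw.exe /autorun
O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe
O4 - HKLM\\..\\Run: [EnsoniqMixer] starter.exe
"""

# Constructed excerpt of the log posted after the first KillBox run.
LOG_AFTER = """\
Logfile of HijackThis v1.98.2
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\\..\\Run: [ScanRegistry] C:\\WINDOWS\\scanregw.exe /autorun
O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe
O4 - HKLM\\..\\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\\..\\Run: [THGuard] "C:\\PROGRAM FILES\\TROJANHUNTER 4.0\\THGUARD.EXE"
O4 - Startup: STRINGS.EXE
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)")

# Names the browsers contact for address-bar keyword search (from the log).
AUTOSEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}


def parse_entries(log):
    """Return (section, body) for every 'O1 - ...' / 'R0 - ...' style line."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["sec"], m["body"]))
    return entries


def hosts_hijacks(log):
    """O1 entries that map a name to a routable address, as (name, ip)."""
    hits = []
    for sec, body in parse_entries(log):
        if sec != "O1":
            continue
        m = HOSTS_RE.match(body)
        if not m:
            continue
        try:
            addr = ip_address(m["ip"])
        except ValueError:
            continue  # malformed line; leave it for a human
        # Loopback / 0.0.0.0 entries just block a host. Anything else
        # silently redirects the name to someone else's server.
        if not (addr.is_loopback or addr.is_unspecified):
            hits.append((m["name"], m["ip"]))
    return hits


def is_autosearch_hijack(log):
    """True when any search host is redirected (the 'ieautosearch' symptom)."""
    return any(name in AUTOSEARCH_HOSTS for name, _ in hosts_hijacks(log))


def diff_logs(before, after):
    """Entries added and removed between two scans, duplicates counted."""
    b, a = Counter(parse_entries(before)), Counter(parse_entries(after))
    added = sorted((a - b).elements())
    removed = sorted((b - a).elements())
    return added, removed


if __name__ == "__main__":
    for name, ip in hosts_hijacks(LOG_BEFORE):
        print("hosts hijack:", name, "->", ip)
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("added since last scan:", added)
    print("removed since last scan:", removed)
```

Running the diff across the scans in this thread shows the new THGuard and STRINGS.EXE startup items (both from tools the helper asked for) and a second copy of the ieautosearch hosts line, which is the regrowth the original poster complained about.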

#2 Daisuke (Cleaner on Duty)

Posted 26 December 2004 - 06:27 PM

Hi :thumbsup:


Download Find It 98-ME.zip.

Unzip the contents of Find It 98-ME.zip to a folder, for example c:\findit

Navigate to the c:\findit folder and double-click on Win9X-Find.bat.
A command prompt will open and it will search your computer for malicious files.

Once it has finished a Notepad window will pop up with output.txt.
Copy the entire contents of output.txt into your next post.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

Edited by cryo, 26 December 2004 - 07:24 PM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#3 gersheff

Posted 26 December 2004 - 07:58 PM

Here it is:


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from:

------- System Files in System32 Directory -------
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from:

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

WHNTRUST DLL 217,088 12-15-04 3:52p WHNTRUST.DLL
ESITWM10 DLL 217,088 12-15-04 3:52p ESITWM10.DLL
VNODCTL DLL 217,088 12-15-04 3:52p VNODCTL.DLL
IKFG95 DLL 217,088 12-15-04 3:52p ikfg95.dll
POCSETUP DLL 217,088 12-15-04 3:52p pocSetup.dll
MYCPXL32 DLL 217,088 12-15-04 3:52p mycpxl32.dll
MUREPL40 DLL 217,088 12-15-04 3:52p murepl40.dll
7 file(s) 1,519,616 bytes
0 dir(s) 3,941.59 MB free

------- Hidden Files in system Directory -------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

FOLDER HTT 13,122 08-19-01 3:48p folder.htt
DESKTOP INI 266 08-19-01 3:48p desktop.ini
2 file(s) 13,388 bytes
0 dir(s) 3,941.59 MB free

---------- Files Named "Guard" -------------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

3,941.59 MB free

--------- Temp Files in System Directory --------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

~GLH000C TMP 995,383 03-13-01 2:53p ~GLH000c.TMP
TBM10F4 TMP 21,264 09-17-99 10:54a TBM10F4.TMP
2 file(s) 1,016,647 bytes
0 dir(s) 3,941.59 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{4D8B6821-4EB1-11D9-A4C5-006097AD96AC}"=""


------------------ Locate.com Results ------------------
------------------ Locate.com Results ------------------

No matches found.

------------ Strings.exe Qoologic Results ------------


C:\WINDOWS\SYSTEM\
whntrust.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K
esitwm10.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K
vnodctl.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K
ikfg95.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K
pocsetup.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K
mycpxl32.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K
murepl40.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K

7 items found: 7 files, 0 directories.
Total of file sizes: 1,519,616 bytes 1.45 M

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\WHNTRUST.DLL: UMonitor
C:\WINDOWS\SYSTEM\ERUTIX14.DLL: UMonitor
C:\WINDOWS\SYSTEM\ESITWM10.DLL: UMonitor
C:\WINDOWS\SYSTEM\VNODCTL.DLL: UMonitor
C:\WINDOWS\SYSTEM\ikfg95.dll: UMonitor
C:\WINDOWS\SYSTEM\UpdInstall.exe.tcf: UMonitor
C:\WINDOWS\SYSTEM\UpdInstall.exe.tcf: UMonitor
C:\WINDOWS\SYSTEM\pocSetup.dll: UMonitor
C:\WINDOWS\SYSTEM\mycpxl32.dll: UMonitor
C:\WINDOWS\SYSTEM\murepl40.dll: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"THGuard"="\"C:\\PROGRAM FILES\\TROJANHUNTER 4.0\\THGUARD.EXE\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
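Added example, my own code and not the Find It tool's: the seven DLLs in the listing above share one size (217,088 bytes), one timestamp (15 Dec 2004 3:52:24p) and the System and Read-only attributes, and that is the pattern a helper reads off this output. The code below parses the Locate.com lines and the UMonitor string hits, groups files by (size, timestamp) when they carry S and R, and unions in the string hits so files the listing did not show (ERUTIX14.DLL, UpdInstall.exe.tcf) are still reported. The excerpt is constructed from post #3; the folder.htt line and its "..H.." attribute string are my assumption about how Locate.com prints a hidden file, added so the filter has something to reject.

```python
"""Cluster a Find.bat / Locate.com listing to spot Look2Me-style DLL sets."""
import re
from collections import defaultdict

# Constructed excerpt of the Win9X-Find.bat output from post #3.
SAMPLE = """\
------------------ Locate.com Results ------------------

C:\\WINDOWS\\SYSTEM\\
whntrust.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K
esitwm10.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K
vnodctl.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K
ikfg95.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K
pocsetup.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K
mycpxl32.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K
murepl40.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K
folder.htt Sun Aug 19 2001 3:48:00p ..H.. 13,122 12.81 K

-------------- Strings.exe Umonitor Results -------------
C:\\WINDOWS\\SYSTEM\\WHNTRUST.DLL: UMonitor
C:\\WINDOWS\\SYSTEM\\ERUTIX14.DLL: UMonitor
C:\\WINDOWS\\SYSTEM\\UpdInstall.exe.tcf: UMonitor
C:\\WINDOWS\\SYSTEM\\UpdInstall.exe.tcf: UMonitor
"""

# name  Www Mmm dd yyyy h:mm:ssp  <attr flags>  <size>  <size in K>
LOCATE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ts>\w{3} \w{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap])"
    r"\s+(?P<attr>[A-Z.]{5})\s+(?P<size>[\d,]+)\s"
)


def parse_listing(text):
    """One dict per Locate.com file line; other lines are ignored."""
    files = []
    for line in text.splitlines():
        m = LOCATE_RE.match(line.strip())
        if m:
            files.append({
                "name": m["name"].lower(),
                "ts": m["ts"],
                "attr": m["attr"],  # dots mark unset flags, letters set ones
                "size": int(m["size"].replace(",", "")),
            })
    return files


def string_hits(text, marker="UMonitor"):
    """Basenames of files Strings.exe tagged with the given marker."""
    names = set()
    suffix = ": " + marker
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(suffix):
            path = line[: -len(suffix)]
            names.add(path.rsplit("\\", 1)[-1].lower())
    return names


def clusters(files, min_size=2):
    """Group System+Read-only files that share size and timestamp.

    A dropper that writes N copies of one DLL under random names leaves
    exactly this signature; legitimate system files rarely collide on both.
    """
    groups = defaultdict(list)
    for f in files:
        if "S" in f["attr"] and "R" in f["attr"]:
            groups[(f["size"], f["ts"])].append(f["name"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


def suspects(text):
    """Cluster members plus string hits, as the list a helper would act on."""
    clustered = {n for names in clusters(parse_listing(text)).values() for n in names}
    return sorted(clustered | string_hits(text))


if __name__ == "__main__":
    for key, names in clusters(parse_listing(SAMPLE)).items():
        print("cluster", key, "->", names)
    print("suspects:", suspects(SAMPLE))
```

The string hits are the safety net: the later scans in this thread show ERUTIX14.DLL and UpdInstall.exe.tcf only under the UMonitor section, never in the directory listing, and the helper's final delete list includes them.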



#4 Daisuke (Cleaner on Duty)

Posted 26 December 2004 - 08:25 PM

Download KillBox here: KillBox. Unzip it to your desktop.

Disconnect from the internet.


Start Killbox and click on Tools --> Select Delete Temp Files. Click OK.


Select the Delete on reboot option.

Copy and paste the following file to the field labeled "Full path of file to delete"
C:\WINDOWS\System\WHNTRUST.DLL

Press the Delete button (the button that looks like a red circle with a white X in it).

A first dialog box will ask if you want to delete the file on reboot, press the YES button.

A second dialog box will ask you if you want to REBOOT now. Press the NO button.

Repeat steps above for these files:

C:\WINDOWS\System\ESITWM10.DLL

C:\WINDOWS\System\VNODCTL.DLL

C:\WINDOWS\System\IKFG95.DLL

C:\WINDOWS\System\POCSETUP.DLL

C:\WINDOWS\System\MYCPXL32.DLL



Copy and paste the following file to the field labeled "Full path of file to delete"
C:\WINDOWS\System\MUREPL40.DLL

Press the Delete button (the button that looks like a red circle with a white X in it).

A first dialog box will ask if you want to delete the file on reboot, press the YES button.

A second dialog box will ask you if you want to REBOOT now. Press the YES button.


Your computer will reboot.

Run Win9X-Find.bat and HijackThis again, and post the logs please.

Edited by cryo, 26 December 2004 - 08:26 PM.

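Added example, not KillBox's code and not from the thread: what "Delete on reboot" does underneath a tool like KillBox on Windows 9x. WININIT.EXE processes a [rename] section in WININIT.INI early in the boot, before the DLL can be loaded by Explorer or IE, and an entry of the form NUL=<path> deletes the file. Because that runs before long-filename support is available, every component of the path must be an 8.3 short name; the helper's list happens to satisfy that. The file list is the seven from this post, the ini path is a parameter so the function can be exercised anywhere, and the function names are mine.

```python
"""Queue files for deletion at next boot via WININIT.INI on Windows 9x."""
import re

# Constructed list: the seven DLLs KillBox was pointed at in this post.
LOOK2ME_FILES = [
    r"C:\WINDOWS\SYSTEM\WHNTRUST.DLL",
    r"C:\WINDOWS\SYSTEM\ESITWM10.DLL",
    r"C:\WINDOWS\SYSTEM\VNODCTL.DLL",
    r"C:\WINDOWS\SYSTEM\IKFG95.DLL",
    r"C:\WINDOWS\SYSTEM\POCSETUP.DLL",
    r"C:\WINDOWS\SYSTEM\MYCPXL32.DLL",
    r"C:\WINDOWS\SYSTEM\MUREPL40.DLL",
]

# One 8.3 path component: up to 8 name characters, optional 1-3 char extension.
_SHORT = re.compile(
    r"^[A-Z0-9_~!#$%&@'(){}^-]{1,8}(\.[A-Z0-9_~!#$%&@'(){}^-]{1,3})?$", re.I
)


def is_short_name(path):
    """True if every component after the drive letter is a valid 8.3 name.

    WININIT.EXE runs before long-filename support is loaded, so an entry
    such as UpdInstall.exe.tcf would simply not be processed.
    """
    drive, sep, rest = path.partition(":\\")
    if len(drive) != 1 or not sep or not rest:
        return False
    return all(_SHORT.match(part) for part in rest.split("\\"))


def build_rename_section(paths):
    """Return the [rename] section text; 'NUL=<source>' deletes the source."""
    lines = ["[rename]"]
    for p in paths:
        if not is_short_name(p):
            raise ValueError("not an 8.3 path, WININIT.EXE cannot act on it: " + p)
        lines.append("NUL=" + p.upper())
    return "\n".join(lines) + "\n"


def write_wininit(paths, ini_path):
    """Write the section to ini_path (WININIT.INI in the Windows directory).

    WININIT.EXE consumes the file on the next boot and renames it to
    WININIT.BAK, so it is written whole rather than appended to.
    """
    text = build_rename_section(paths)
    with open(ini_path, "w") as fh:
        fh.write(text)
    return text


if __name__ == "__main__":
    print(build_rename_section(LOOK2ME_FILES), end="")
```

This example does not touch the System and Read-only attributes the listing shows (..S.R); clear them with attrib -s -r -h first if you queue files by hand. On the NT line the same effect comes from MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records the request under PendingFileRenameOperations in the registry rather than in an ini file.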

#5 gersheff

Posted 26 December 2004 - 09:10 PM

HijackThis Log:

Logfile of HijackThis v1.98.2
Scan saved at 9:07:07 PM, on 12/26/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O4 - Startup: STRINGS.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003012...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {69DEAF94-AF66-11D3-BEC0-00105AA9B6AE} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.photolab.ca/activex/PCAXSetup.cab?
O16 - DPF: {6B1B6D11-E497-11D3-BE0C-005004AD2E83} (ImageStation Home Printing Control) - http://akimages.imagestation.com/common/cl...rintActiveX.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes...ion=4,3,2,20802

Win9X-Find.bat:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from:

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

WHNTRUST DLL 217,088 12-15-04 3:52p WHNTRUST.DLL
1 file(s) 217,088 bytes
0 dir(s) 3,986.65 MB free

------- Hidden Files in system Directory -------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

FOLDER HTT 13,122 08-19-01 3:48p folder.htt
DESKTOP INI 266 08-19-01 3:48p desktop.ini
2 file(s) 13,388 bytes
0 dir(s) 3,986.65 MB free

---------- Files Named "Guard" -------------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

3,986.64 MB free

--------- Temp Files in System Directory --------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

~GLH000C TMP 995,383 03-13-01 2:53p ~GLH000c.TMP
TBM10F4 TMP 21,264 09-17-99 10:54a TBM10F4.TMP
2 file(s) 1,016,647 bytes
0 dir(s) 3,986.64 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{4D8B6821-4EB1-11D9-A4C5-006097AD96AC}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
whntrust.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 217,088 bytes 212.00 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\WHNTRUST.DLL: UMonitor
C:\WINDOWS\SYSTEM\ERUTIX14.DLL: UMonitor
C:\WINDOWS\SYSTEM\ESITWM10.DLL: UMonitor
C:\WINDOWS\SYSTEM\MEHTML.DLL: UMonitor
C:\WINDOWS\SYSTEM\ikfg95.dll: UMonitor
C:\WINDOWS\SYSTEM\UpdInstall.exe.tcf: UMonitor
C:\WINDOWS\SYSTEM\UpdInstall.exe.tcf: UMonitor
C:\WINDOWS\SYSTEM\pocSetup.dll: UMonitor
C:\WINDOWS\SYSTEM\mycpxl32.dll: UMonitor
C:\WINDOWS\SYSTEM\murepl40.dll: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"THGuard"="\"C:\\PROGRAM FILES\\TROJANHUNTER 4.0\\THGUARD.EXE\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



#6 Daisuke (Cleaner on Duty)

Posted 26 December 2004 - 09:25 PM

Disconnect from the internet.


Start Killbox.exe

Select the Delete on reboot option.

Copy and paste each of the following file(s) to the field labeled "Full path of file to delete"
C:\WINDOWS\SYSTEM\WHNTRUST.DLL

A first dialog box will ask if you want to delete the file on reboot, press the YES button.

A second dialog box will ask you if you want to REBOOT now. Press the YES button.

Run Win9X-Find.bat and HijackThis again, and post the logs please.

#7 gersheff

Posted 26 December 2004 - 09:45 PM

Here they are again.

Logfile of HijackThis v1.98.2
Scan saved at 9:36:27 PM, on 12/26/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003012...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {69DEAF94-AF66-11D3-BEC0-00105AA9B6AE} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.photolab.ca/activex/PCAXSetup.cab?
O16 - DPF: {6B1B6D11-E497-11D3-BE0C-005004AD2E83} (ImageStation Home Printing Control) - http://akimages.imagestation.com/common/cl...rintActiveX.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes...ion=4,3,2,20802



Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from:

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

WHNTRUST DLL 217,088 12-15-04 3:52p WHNTRUST.DLL
1 file(s) 217,088 bytes
0 dir(s) 4,006.73 MB free

------- Hidden Files in system Directory -------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

FOLDER HTT 13,122 08-19-01 3:48p folder.htt
DESKTOP INI 266 08-19-01 3:48p desktop.ini
2 file(s) 13,388 bytes
0 dir(s) 4,006.72 MB free

---------- Files Named "Guard" -------------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

4,006.72 MB free

--------- Temp Files in System Directory --------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

~GLH000C TMP 995,383 03-13-01 2:53p ~GLH000c.TMP
TBM10F4 TMP 21,264 09-17-99 10:54a TBM10F4.TMP
2 file(s) 1,016,647 bytes
0 dir(s) 4,006.71 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{4D8B6821-4EB1-11D9-A4C5-006097AD96AC}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
whntrust.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 217,088 bytes 212.00 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\WHNTRUST.DLL: UMonitor
C:\WINDOWS\SYSTEM\ERUTIX14.DLL: UMonitor
C:\WINDOWS\SYSTEM\ESITWM10.DLL: UMonitor
C:\WINDOWS\SYSTEM\TDPELIB.DLL: UMonitor
C:\WINDOWS\SYSTEM\ikfg95.dll: UMonitor
C:\WINDOWS\SYSTEM\UpdInstall.exe.tcf: UMonitor
C:\WINDOWS\SYSTEM\UpdInstall.exe.tcf: UMonitor
C:\WINDOWS\SYSTEM\pocSetup.dll: UMonitor
C:\WINDOWS\SYSTEM\mycpxl32.dll: UMonitor
C:\WINDOWS\SYSTEM\murepl40.dll: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"THGuard"="\"C:\\PROGRAM FILES\\TROJANHUNTER 4.0\\THGUARD.EXE\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



#8 gersheff

Posted 26 December 2004 - 10:17 PM

Is the problem fixed?

#9 Daisuke (Cleaner on Duty)

Posted 27 December 2004 - 03:21 AM

is the problem fixed?

No.

Do you have a Windows 98 StartUp Disk ? Do you know how to boot from the floppy disk ?

#10 gersheff

Posted 27 December 2004 - 11:21 AM

I have a copy someone gave me, but I am not sure if it is the right one. Please remind me how to boot from a disk.

What seems to be the problem?

#11 gersheff

Posted 27 December 2004 - 12:31 PM

Accidentally rebooted. Here are the new logs. Sorry.

Logfile of HijackThis v1.98.2
Scan saved at 12:03:50 PM, on 12/27/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE
C:\PROGRAM FILES\SYMPATICO\ACCESS MANAGER\APP\ENTERNET.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\WINDOWS\STRINGS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O4 - Startup: STRINGS.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003012...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {69DEAF94-AF66-11D3-BEC0-00105AA9B6AE} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.photolab.ca/activex/PCAXSetup.cab?
O16 - DPF: {6B1B6D11-E497-11D3-BE0C-005004AD2E83} (ImageStation Home Printing Control) - http://akimages.imagestation.com/common/cl...rintActiveX.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes...ion=4,3,2,20802



Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from:

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

WHNTRUST DLL 217,088 12-15-04 3:52p WHNTRUST.DLL
WSW32 DLL 217,088 12-15-04 3:52p WSW32.DLL
2 file(s) 434,176 bytes
0 dir(s) 3,982.46 MB free

------- Hidden Files in system Directory -------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

FOLDER HTT 13,122 08-19-01 3:48p folder.htt
DESKTOP INI 266 08-19-01 3:48p desktop.ini
2 file(s) 13,388 bytes
0 dir(s) 3,982.46 MB free

---------- Files Named "Guard" -------------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

3,982.46 MB free

--------- Temp Files in System Directory --------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

~GLH000C TMP 995,383 03-13-01 2:53p ~GLH000c.TMP
TBM10F4 TMP 21,264 09-17-99 10:54a TBM10F4.TMP
2 file(s) 1,016,647 bytes
0 dir(s) 3,982.45 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{4D8B6821-4EB1-11D9-A4C5-006097AD96AC}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
whntrust.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K
wsw32.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 434,176 bytes 424.00 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\WHNTRUST.DLL: UMonitor
C:\WINDOWS\SYSTEM\ERUTIX14.DLL: UMonitor
C:\WINDOWS\SYSTEM\ESITWM10.DLL: UMonitor
C:\WINDOWS\SYSTEM\WSW32.DLL: UMonitor
C:\WINDOWS\SYSTEM\ikfg95.dll: UMonitor
C:\WINDOWS\SYSTEM\UpdInstall.exe.tcf: UMonitor
C:\WINDOWS\SYSTEM\UpdInstall.exe.tcf: UMonitor
C:\WINDOWS\SYSTEM\pocSetup.dll: UMonitor
C:\WINDOWS\SYSTEM\mycpxl32.dll: UMonitor
C:\WINDOWS\SYSTEM\murepl40.dll: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"THGuard"="\"C:\\PROGRAM FILES\\TROJANHUNTER 4.0\\THGUARD.EXE\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



#12 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 27 December 2004 - 03:41 PM

what seems to be the problem?

Your problem is a nasty Look2Me infection. Not easy to remove ...


Disconnect from the internet.


Start Killbox and click on Tools --> Select Delete Temp Files. Click OK.


Select the Delete on reboot option.

Copy and paste the following file to the field labeled "Full path of file to delete"
C:\WINDOWS\System\WHNTRUST.DLL

Press the Delete button (the button that looks like a red circle with a white X in it).

A first dialog box will ask if you want to delete the file on reboot, press the YES button.

A second dialog box will ask you if you want to REBOOT now. Press the NO button.

Repeat steps above for these files:

C:\WINDOWS\System\WSW32.DLL

C:\WINDOWS\System\ERUTIX14.DLL

C:\WINDOWS\System\ESITWM10.DLL

C:\WINDOWS\System\ikfg95.dll

C:\WINDOWS\System\UpdInstall.exe.tcf

C:\WINDOWS\System\pocSetup.dll

C:\WINDOWS\System\mycpxl32.dll

C:\WINDOWS\System\murepl40.dll



Copy and paste the following file to the field labeled "Full path of file to delete"
C:\WINDOWS\System\Guard.tmp

Press the Delete button (the button that looks like a red circle with a white X in it).

A first dialog box will ask if you want to delete the file on reboot, press the YES button.

A second dialog box will ask you if you want to REBOOT now. Press the YES button.


Your computer will reboot.

Run Win9X-Find.bat and HijackThis again, and post the logs please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#13 gersheff

gersheff
  • Topic Starter

  • Members
  • 16 posts

Posted 27 December 2004 - 07:07 PM

2 questions:

1) That second dialogue box never pops up, so I just reboot myself.
2) guard.tmp doesn't exist.

OK, here are the logs:


Logfile of HijackThis v1.98.2
Scan saved at 7:04:42 PM, on 12/27/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O4 - Startup: STRINGS.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003012...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {69DEAF94-AF66-11D3-BEC0-00105AA9B6AE} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.photolab.ca/activex/PCAXSetup.cab?
O16 - DPF: {6B1B6D11-E497-11D3-BE0C-005004AD2E83} (ImageStation Home Printing Control) - http://akimages.imagestation.com/common/cl...rintActiveX.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes...ion=4,3,2,20802



Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from:

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

WHNTRUST DLL 217,088 12-15-04 3:52p WHNTRUST.DLL
1 file(s) 217,088 bytes
0 dir(s) 4,012.59 MB free

------- Hidden Files in system Directory -------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

FOLDER HTT 13,122 08-19-01 3:48p folder.htt
DESKTOP INI 266 08-19-01 3:48p desktop.ini
2 file(s) 13,388 bytes
0 dir(s) 4,012.58 MB free

---------- Files Named "Guard" -------------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

4,012.58 MB free

--------- Temp Files in System Directory --------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

~GLH000C TMP 995,383 03-13-01 2:53p ~GLH000c.TMP
TBM10F4 TMP 21,264 09-17-99 10:54a TBM10F4.TMP
2 file(s) 1,016,647 bytes
0 dir(s) 4,012.57 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{4D8B6821-4EB1-11D9-A4C5-006097AD96AC}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
whntrust.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 217,088 bytes 212.00 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\WHNTRUST.DLL: UMonitor
C:\WINDOWS\SYSTEM\ERUTIX14.DLL: UMonitor
C:\WINDOWS\SYSTEM\ESITWM10.DLL: UMonitor
C:\WINDOWS\SYSTEM\SRTUP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\ikfg95.dll: UMonitor
C:\WINDOWS\SYSTEM\UpdInstall.exe.tcf: UMonitor
C:\WINDOWS\SYSTEM\UpdInstall.exe.tcf: UMonitor
C:\WINDOWS\SYSTEM\pocSetup.dll: UMonitor
C:\WINDOWS\SYSTEM\mycpxl32.dll: UMonitor
C:\WINDOWS\SYSTEM\murepl40.dll: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"THGuard"="\"C:\\PROGRAM FILES\\TROJANHUNTER 4.0\\THGUARD.EXE\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



#14 gersheff

gersheff
  • Topic Starter

  • Members
  • 16 posts

Posted 28 December 2004 - 11:15 AM

Had to reboot; new log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from:

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

WHNTRUST DLL 217,088 12-15-04 3:52p WHNTRUST.DLL
EXSMON03 DLL 217,088 12-15-04 3:52p EXSMON03.DLL
2 file(s) 434,176 bytes
0 dir(s) 3,998.24 MB free

------- Hidden Files in system Directory -------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

FOLDER HTT 13,122 08-19-01 3:48p folder.htt
DESKTOP INI 266 08-19-01 3:48p desktop.ini
2 file(s) 13,388 bytes
0 dir(s) 3,998.23 MB free

---------- Files Named "Guard" -------------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

3,998.23 MB free

--------- Temp Files in System Directory --------


Volume in drive C has no label
Volume Serial Number is 434E-16E3
Directory of C:\WINDOWS\SYSTEM

~GLH000C TMP 995,383 03-13-01 2:53p ~GLH000c.TMP
TBM10F4 TMP 21,264 09-17-99 10:54a TBM10F4.TMP
2 file(s) 1,016,647 bytes
0 dir(s) 3,998.23 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{4D8B6821-4EB1-11D9-A4C5-006097AD96AC}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
whntrust.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K
exsmon03.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 434,176 bytes 424.00 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\WHNTRUST.DLL: UMonitor
C:\WINDOWS\SYSTEM\ERUTIX14.DLL: UMonitor
C:\WINDOWS\SYSTEM\ESITWM10.DLL: UMonitor
C:\WINDOWS\SYSTEM\EXSMON03.DLL: UMonitor
C:\WINDOWS\SYSTEM\ikfg95.dll: UMonitor
C:\WINDOWS\SYSTEM\UpdInstall.exe.tcf: UMonitor
C:\WINDOWS\SYSTEM\UpdInstall.exe.tcf: UMonitor
C:\WINDOWS\SYSTEM\pocSetup.dll: UMonitor
C:\WINDOWS\SYSTEM\mycpxl32.dll: UMonitor
C:\WINDOWS\SYSTEM\murepl40.dll: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"EnsoniqMixer"="starter.exe"
"THGuard"="\"C:\\PROGRAM FILES\\TROJANHUNTER 4.0\\THGUARD.EXE\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




Logfile of HijackThis v1.98.2
Scan saved at 11:15:32 AM, on 12/28/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMPATICO\ACCESS MANAGER\APP\ENTERNET.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O4 - Startup: STRINGS.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003012...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {69DEAF94-AF66-11D3-BEC0-00105AA9B6AE} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.photolab.ca/activex/PCAXSetup.cab?
O16 - DPF: {6B1B6D11-E497-11D3-BE0C-005004AD2E83} (ImageStation Home Printing Control) - http://akimages.imagestation.com/common/cl...rintActiveX.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes...ion=4,3,2,20802
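
As an added example (not part of this thread, and not code from HijackThis, Find.bat or Locate.com), here is a small Python script that makes explicit the two checks Daisuke is doing by eye on the logs in posts #13 and #14: the "O1 - Hosts:" lines that send search hostnames to a remote address instead of loopback, and the Locate.com entries in C:\WINDOWS\SYSTEM that share one size and timestamp under different names (whntrust.dll alongside wsw32.dll in the earlier listing, alongside exsmon03.dll in post #14). The sample lines are constructed from the logs posted above; the LOOPBACK set, the function names and the one extra "localhost" line are my own assumptions.

```python
"""Triage helper for the logs posted in this thread (added example; it is not
part of the thread, HijackThis, Find.bat or Locate.com).

Two checks a cleaner does by eye on the output above, made explicit:
  1. HijackThis "O1 - Hosts:" lines whose address is not loopback. Pointing
     search hostnames (auto.search.msn.com, the "ieautosearch" keyword) at a
     remote address is the browser-search hijack seen in this thread; loopback
     entries are the usual legitimate ad-blocking idiom and are not reported.
  2. Locate.com result lines with identical size and timestamp under different
     names. In these logs the DLL names change between scans (wsw32, exsmon03)
     while size and timestamp stay the same, so grouping on those two fields
     finds the next copy whatever it is called.
"""
from collections import defaultdict

# Assumption: addresses that a hosts entry may legitimately point at.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Sample input constructed from the logs posted above in this thread
# (the "localhost" line is a constructed, normal loopback entry).
SAMPLE_HJT = "\n".join([
    "O1 - Hosts: 69.20.16.183 auto.search.msn.com",
    "O1 - Hosts: 69.20.16.183 search.netscape.com",
    "O1 - Hosts: 69.20.16.183 ieautosearch",
    "O1 - Hosts: 127.0.0.1 localhost",
    "O4 - HKLM\\..\\Run: [ScanRegistry] C:\\WINDOWS\\scanregw.exe /autorun",
])

SAMPLE_LOCATE = "\n".join([
    "C:\\WINDOWS\\SYSTEM\\",
    "whntrust.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K",
    "exsmon03.dll Wed Dec 15 2004 3:52:24p ..S.R 217,088 212.00 K",
    "",
    "2 items found: 2 files, 0 directories.",
])


def parse_hosts_entries(hjt_text):
    """Return (address, hostname) pairs from HijackThis O1 lines."""
    entries = []
    for line in hjt_text.splitlines():
        if not line.startswith("O1 - Hosts:"):
            continue
        fields = line[len("O1 - Hosts:"):].split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1]))
    return entries


def suspicious_hosts(hjt_text):
    """O1 entries that send a hostname somewhere other than loopback."""
    return [(ip, host) for ip, host in parse_hosts_entries(hjt_text)
            if ip not in LOOPBACK]


def parse_locate(locate_text):
    """Parse Locate.com output as it appears in the thread: a directory
    header ending in a backslash, then one line per file laid out as
    name  Www Mmm dd yyyy h:mm:ssp  attrs  bytes  size K"""
    current_dir = ""
    files = []
    for line in locate_text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            current_dir = line
            continue
        tokens = line.split()
        # name, five timestamp tokens, attrs, byte count, size, "K"
        if len(tokens) != 10 or tokens[-1] != "K":
            continue
        files.append({
            "path": current_dir + tokens[0],
            "stamp": " ".join(tokens[1:6]),
            "attrs": tokens[6],
            "size": int(tokens[7].replace(",", "")),
        })
    return files


def duplicate_groups(files):
    """Group files by (size, timestamp); keep groups with more than one name."""
    groups = defaultdict(list)
    for f in files:
        groups[(f["size"], f["stamp"])].append(f["path"])
    return {key: paths for key, paths in groups.items() if len(paths) > 1}


def triage(hjt_text, locate_text):
    """Run both checks and return the findings as one dict."""
    return {
        "hijacked_hosts": suspicious_hosts(hjt_text),
        "cloned_files": duplicate_groups(parse_locate(locate_text)),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_HJT, SAMPLE_LOCATE)
    for ip, host in report["hijacked_hosts"]:
        print(f"hosts hijack: {host} -> {ip}")
    for (size, stamp), paths in report["cloned_files"].items():
        print(f"{len(paths)} files of {size} bytes dated {stamp}:")
        for p in paths:
            print("   ", p)
```

To use it on a real post, paste the HijackThis log and the Locate.com section into the two text variables (or read them from files) and run the script. Equal size and timestamp is only a lead, not proof: a legitimate installer can drop several files at once with the same stamp, so the grouped names are what to look up next, not what to delete.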

#15 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 28 December 2004 - 03:21 PM

Let's try this. Please follow the instructions carefully. I changed them.

Download the Pocket Killbox.
Unzip the contents of KillBox.zip to a convenient location.
Double-click on KillBox.exe.

1. Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System\WHNTRUST.DLL

Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "No" at the Pending Operations prompt.

REPEAT the steps for these files:
(Don't forget to check the "Use Dummy" box each time)

C:\WINDOWS\SYSTEM\ERUTIX14.DLL

C:\WINDOWS\SYSTEM\ESITWM10.DLL

C:\WINDOWS\SYSTEM\ikfg95.dll

C:\WINDOWS\SYSTEM\UpdInstall.exe.tcf

C:\WINDOWS\SYSTEM\UpdInstall.exe.tcf

C:\WINDOWS\SYSTEM\pocSetup.dll

C:\WINDOWS\SYSTEM\mycpxl32.dll

C:\WINDOWS\SYSTEM\murepl40.dll



2. Click "Replace on Reboot" and check the "Use Dummy" box.
Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System\EXSMON03.DLL

Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Replace on Reboot prompt.
Click "YES" at the Pending Operations prompt.

Double-click on Win9X-Find.bat and post the new output.txt.

Edited by cryo, 28 December 2004 - 03:25 PM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?




