Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

crazy spyware issues....logfile inside...


  • Please log in to reply
6 replies to this topic

#1 thor015

thor015

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:59 PM

Posted 27 December 2004 - 02:18 AM

run ad-ware and within 5 minutes still have 70 crit objects.

here is the logfile. help would be appreciated

Logfile of HijackThis v1.99.0
Scan saved at 12:20:14 AM, on 12/27/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\vtsmeng.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nhkynh.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insightbb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [SStb.exe] SStb.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvovc32.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [gdiplus] C:\WINDOWS\System32\gdiplus.exe
O4 - HKCU\..\Run: [Zo06ROa7g] vtsmeng.exe
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O12 - Plugin for : C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Firewall Service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

BC AdBot (Login to Remove)

 


#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:04:59 PM

Posted 27 December 2004 - 03:37 AM

Hi

Some items are disabled in MSCONFIG, and not all your startup items are visible.
Go to Start -> Run -> Type msconfig and press Enter.

Click the Startup tab and check all Startup items or press the Enable All button and Close. Then press the Exit without restart button. Do not reboot your computer.

Run HijackThis and post a new log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#3 thor015

thor015
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:59 PM

Posted 27 December 2004 - 12:26 PM

ok i did it, here is the new log.

I should say that there were no "unchecked items" on there. However, yesterday I had unchecked some of them.

Also....there are 2 profiles that can be logged into on this computer. Will that make a difference?

logfile.......
Logfile of HijackThis v1.99.0
Scan saved at 11:24:29 AM, on 12/27/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\SED\SED.exe
C:\WINDOWS\system32\vtsmeng.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\msdtctm.exe
C:\Documents and Settings\Matthew\Desktop\kenny's work\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insightbb.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ttpiefr] C:\WINDOWS\System32\aqyjnzxc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SStb.exe] SStb.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvovc32.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\kwvykw.exe
O4 - HKCU\..\Run: [Zo06ROa7g] vtsmeng.exe
O4 - HKCU\..\Run: [winpack] C:\WINDOWS\System32\winpack.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msdtctm] C:\WINDOWS\System32\msdtctm.exe
O4 - HKCU\..\Run: [gdiplus] C:\WINDOWS\System32\gdiplus.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Forget Me Not.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: nhkynh.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O12 - Plugin for : C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Firewall Service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

#4 thor015

thor015
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:59 PM

Posted 27 December 2004 - 03:17 PM

latest logs on things:


first I should say that Pocket Killbox nor my search on the comp could find the following files: (specifically it said they "did not exist")

C:\WINDOWS\SYSTEM32\kt02l7~1.dll
C:\WINDOWS\SYSTEM32\s688lg~1.dll
C:\WINDOWS\SYSTEM32\guard.tmp


I have been running some programs (silent runners, killbox, dllCompare, etc...) to get to this point.

Run DllCompare log:

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\crpesnpn.dll Mon Dec 27 2004 1:29:40p ..S.R 224,358 219.10 K
C:\WINDOWS\SYSTEM32\hr8205~1.dll Mon Dec 27 2004 1:59:00p ..S.R 223,064 217.84 K
C:\WINDOWS\SYSTEM32\lmrmonui.dll Mon Dec 27 2004 2:00:10p ..S.R 223,942 218.69 K
C:\WINDOWS\SYSTEM32\r8p80i~1.dll Mon Dec 27 2004 1:38:00p ..S.R 223,942 218.69 K
________________________________________________
1,398 items found: 1,398 files (4 H/S), 0 directories.
Total of file sizes: 321,564,887 bytes 306.67 M
Administrator Account = True
--------------------End log---------------------


Hijackthis log:

Logfile of HijackThis v1.99.0
Scan saved at 2:05:22 PM, on 12/27/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L 1.EXE
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\system32\kwvykw.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Matthew\Desktop\kenny's work\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L 1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Forget Me Not.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O12 - Plugin for : C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yah...s/yinst0401.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v1...ro.cab27513.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Firewall Service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe



silent runners log:

"Silent Runners.vbs", revision 28, launched at: 14:05
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP SP2

Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++}
"RecordNow!" = "" [(file not found)]
"NVIEW" = "rundll32.exe nview.dll,nViewLoadHook" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++}
"VTTimer" = "VTTimer.exe" ["S3 Graphics, Inc."]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SCANINICIO" = ""C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"" ["Panda Software"]
"SAClient" = ""C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck" ["AT&T"]
"Reminder" = ""C:\Windows\Creator\Remind_XP.exe"" ["SoftThinks"]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"PS2" = "C:\WINDOWS\system32\ps2.exe" ["Hewlett-Packard Company"]
"mmtask" = "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" ["TODO: <Company name>"]
"LTMSG" = "LTMSG.exe 7" ["Agere Systems"]
"KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"HPHUPD05" = "c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [file not found]
"HPHmon05" = "C:\WINDOWS\System32\hphmon05.exe" ["Hewlett-Packard"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"EPSON Stylus CX6400" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L 1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"" ["SEIKO EPSON CORPORATION"]
"CamMonitor" = "c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [empty string]
"APVXDWIN" = ""C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s" [file not found]
"AlcxMonitor" = "ALCXMNTR.EXE" [file not found]
"Narrator" = "C:\WINDOWS\system32\kwvykw.exe" [null data]
HKLM\Software\Microsoft\Active Setup\Installed Components\
"739aa847-a6cb-4c73-a893-ece2b237a4ab\(Default)" = ""
\StubPath = "C:\WINDOWS\system32\qhlpqh.exe" [null data]
">{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default)" = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> CLSID InProcServer32 resolves to: "c:\Program Files\RecordNow!\shlext.dll" ["Sonic Solutions"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Panda Software\Panda Antivirus Platinum\pavOLE.dll" ["Panda Software"]
"{F21D0DCC-F937-4FD9-8FD9-8320061B287A}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\meastmib.dll" [file not found]
"{23889757-98A3-43D3-A2B4-C86B48F33013}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\aGd.dll" [file not found]
"{3270FBA9-3553-4DCC-BFBD-1A05EEB6A361}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\guard.tmp" [null data]
"{46F95C18-0F53-41A7-AD5F-5BD6B1839D93}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\guard.tmp" [null data]
"{7C704C63-E52B-4D4B-8A63-77653AEB8825}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\guard.tmp" [null data]
"{4A9D6ACB-9262-4215-886F-EB341E2FE675}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\lmrmonui.dll" [null data]
"{5C2C867F-C051-4575-A2EF-366E8B99D6F4}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\cRpesnpn.dll" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "OemStartMenuData\DLLName" = "C:\WINDOWS\system32\r8p80i7ue8.dll" [null data]

Startup items in "Matthew" & "All Users" startup folders:
---------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"America Online 9.0 Tray Icon" -> shortcut to: "C:\Program Files\America Online 9.0\aoltray.exe -check" [file not found]
"Compaq Connections" -> shortcut to: "C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe -startup" [null data]
"Forget Me Not" -> shortcut to: "C:\Program Files\Broderbund\AG CreataCard\agremind.exe" ["Broderbund Properties LLC"]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"nhkynh.exe" [file not found]
"Quicken Scheduled Updates" -> shortcut to: "C:\Program Files\Quicken\bagent.exe" ["Intuit Inc."]

Enabled Scheduled Tasks:
------------------------
"QIC Autoupdate" -> launches: "C:\Program Files\Insight\BBClient\Programs\AutoUpdate.exe" ["AT&T"]
"QIC Messenger Bkup" -> launches: "C:\Program Files\Insight\BBClient\Programs\QICMessenger.exe /NotCron" ["AT&T"]
"QIC Messenger Periodic" -> launches: "C:\Program Files\Insight\BBClient\Programs\QICMessenger.exe /AutoRun" ["AT&T"]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe" ["America Online, Inc."]
Panda anti-virus service, PAVSRV, "C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe" ["Panda Software"]
Panda Firewall Service, PAVFIRES, "C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe" ["Panda Software"]
Security Center, wscsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wscsvc.dll" [MS]}

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.




any insight?

#5 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:04:59 PM

Posted 27 December 2004 - 03:34 PM

OK, you killed me :thumbsup:

Please post the hijackthis log from one account only.


Download Find It NT-2K-XP.zip.

Unzip the contents of Find It NT-2K-XP.zip to a folder, for example c:\findit

Navigate to the c:\findit folder and double-click on find.bat.
A command prompt will open and it will search your computer for malicious files.

Once it has finished a Notepad window will pop up with output.txt.
Copy the entire contents of output.txt into your next post.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

Please do not post other logs :flowers:
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#6 thor015

thor015
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:59 PM

Posted 27 December 2004 - 08:48 PM

thanks for the help. will stay on one profile.

output log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Matthew\Desktop\kenny's work\other site\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is PRESARIO
Volume Serial Number is 18A1-900D

Directory of C:\WINDOWS\System32

12/27/2004 07:31 PM 223,942 jtrq0795e.dll
12/27/2004 07:28 PM 224,257 hrjo0513e.dll
12/27/2004 07:21 PM 225,885 nemsevt.dll
12/24/2004 03:00 AM <DIR> dllcache
10/11/2003 04:45 AM <DIR> Microsoft
3 File(s) 674,084 bytes
2 Dir(s) 105,898,360,832 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is PRESARIO
Volume Serial Number is 18A1-900D

Directory of C:\WINDOWS\System32

12/24/2004 03:00 AM <DIR> dllcache
10/11/2003 04:14 AM 488 WindowsLogon.manifest
10/11/2003 04:14 AM 488 logonui.exe.manifest
10/11/2003 04:14 AM 749 nwc.cpl.manifest
10/11/2003 04:14 AM 749 sapi.cpl.manifest
10/11/2003 04:14 AM 749 ncpa.cpl.manifest
10/11/2003 04:14 AM 749 wuaucpl.cpl.manifest
10/11/2003 04:14 AM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 105,898,360,832 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is PRESARIO
Volume Serial Number is 18A1-900D

Directory of C:\WINDOWS\System32

12/27/2004 07:40 PM 224,257 guard.tmp
1 File(s) 224,257 bytes
0 Dir(s) 105,898,360,832 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is PRESARIO
Volume Serial Number is 18A1-900D

Directory of C:\WINDOWS\System32

12/27/2004 07:40 PM 224,257 guard.tmp
08/29/2002 01:00 PM 2,577 CONFIG.TMP
2 File(s) 226,834 bytes
0 Dir(s) 105,898,356,736 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{746CBBB3-3497-41D2-839F-19BFFAB911E2}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hrjo0513e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
hrjo05~1.dll Mon Dec 27 2004 7:28:18p ..S.R 224,257 219.00 K
jtrq07~1.dll Mon Dec 27 2004 7:31:18p ..S.R 223,942 218.69 K
nemsevt.dll Mon Dec 27 2004 7:21:40p ..S.R 225,885 220.59 K

3 items found: 3 files, 0 directories.
Total of file sizes: 674,084 bytes 658.29 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\system32\aeizae.dll: updates.qoologic.com
C:\WINDOWS\system32\pclgpc.dll: updates.qoologic.com
C:\WINDOWS\system32\qhlpqh.exe: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\kwvykw.exe: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack
C:\WINDOWS\system32\vpwqvp.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\nhkynh.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SCANINICIO"="\"C:\\Program Files\\Panda Software\\Panda Antivirus Platinum\\Inicio.exe\""
"SAClient"="\"C:\\Program Files\\Insight\\BBClient\\Programs\\RegCon.exe\" /admincheck"
"Reminder"="\"C:\\Windows\\Creator\\Remind_XP.exe\""
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"LTMSG"="LTMSG.exe 7"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPHUPD05"="c:\\Program Files\\HP\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"EPSON Stylus CX6400"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2L1.EXE /P19 \"EPSON Stylus CX6400\" /O6 \"USB001\" /M \"Stylus CX6400\""
"CamMonitor"="c:\\Program Files\\HP\\Digital Imaging\\Unload\\hpqcmon.exe"
"APVXDWIN"="\"C:\\Program Files\\Panda Software\\Panda Antivirus Platinum\\APVXDWIN.EXE\" /s"
"AlcxMonitor"="ALCXMNTR.EXE"
"Narrator"="C:\\WINDOWS\\system32\\kwvykw.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




#7 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:04:59 PM

Posted 27 December 2004 - 09:08 PM

Hi :thumbsup:

Download KillBox here: KillBox. Unzip it to your desktop. Don't hesitate to download it. I'm not sure if you have the latest version.

Disconnect from the internet.


Start Killbox and click on Tools --> Select Delete Temp Files. Click OK.


Select the Delete on reboot option.

Copy and paste the following file to the field labeled "Full path of file to delete"
C:\WINDOWS\System32\jtrq0795e.dll

Press the Delete button (the button that looks like a red circle with a white X in it).

A first dialog box will ask if you want to delete the file on reboot, press the YES button.

A second dialog box will ask you if you want to REBOOT now. Press the NO button.

Repeat steps above for these files:

C:\WINDOWS\System32\hrjo0513e.dll

C:\WINDOWS\System32\nemsevt.dll


C:\WINDOWS\system32\kwvykw.exe

C:\WINDOWS\system32\vpwqvp.dat

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\nhkynh.exe



Copy and paste the following file to the field labeled "Full path of file to delete"
C:\WINDOWS\System32\Guard.tmp

Press the Delete button (the button that looks like a red circle with a white X in it).

A first dialog box will ask if you want to delete the file on reboot, press the YES button.

A second dialog box will ask you if you want to REBOOT now. Press the YES button.


Your computer will reboot.

Run again Find.bat, HijackThis, and post the logs please.

Edited by cryo, 27 December 2004 - 09:09 PM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users