HJT-mlm64



#1 mlm64

mlm64

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:20 PM

Posted 06 January 2005 - 10:49 AM

My home page on my laptop has been changed to
res://c:\winnt\system32\shdoclc.dll/navcancl.htm
and I can't change it or go to any other website except what comes up automatically. I'm using another PC to post this.

I've run Ad-Aware and Spybot but with no success. Here is my HijackThis log file:

Logfile of HijackThis v1.99.0
Scan saved at 10:20:23 AM, on 1/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\TpChrSrv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINNT\AGRSMMSG.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\DOCUME~1\dricks\LOCALS~1\Temp\7zO25.tmp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.aiudunwoody.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DOMP Class - {4C1B116F-2860-46db-8E6C-B4BFC4DFD683} - C:\WINNT\ietlbass.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - file://C:\Program Files\ThinkPad\Access Support\Agent\common\install\sprt\tgctlar.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - file://C:\Program Files\ThinkPad\Access Support\Agent\common\install\ibmegath.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service - Unknown - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: ThinkPad PM - Unknown - C:\WINNT\System32\TpChrSrv.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:20 PM

Posted 06 January 2005 - 11:29 PM

I need you to search on your computer for any dlls that start with ms.

Click on start, then search and search all drives for the following search pattern:

ms*.dll

In a reply to this post, tell me what files are found.

#3 mlm64


Posted 07 January 2005 - 12:05 AM

There are 212 files that start with ms and have a .dll ext. Is there any way to copy them to this post?

#4 Grinler


Posted 07 January 2005 - 12:30 AM

Download the attached file to your desktop and run it. It will open a notepad. Paste the contents of that notepad into a reply to this topic.

#5 mlm64


Posted 07 January 2005 - 12:53 AM

I tried running the msdll.bat app but the notepad was blank... I can't get to your site with the laptop. I have to first download the app to my home computer then transfer it to the laptop. By the way, the msdll app works fine on my home computer... What's going on?

Edited by mlm64, 07 January 2005 - 01:15 AM.


#6 Grinler


Posted 07 January 2005 - 02:13 PM

Ok I made a better batch file that will make it easier for us to find the infection.

Download the following file:

Download FindHalox.zip

Save the file to your desktop and extract it there. Then double-click on the findhalox folder and then double-click on the findhalox.bat file. Select option 1 and wait until a notepad is opened.

Paste the contents of that notepad as a reply to this topic.

#7 mlm64


Posted 07 January 2005 - 11:33 PM

Okay that worked. Here it is

-----------------------------------------------------------------------------------
# #
# This log will contain a listing of all DLLs that are found in C:\WINNT\SYSTEM32 #
# The majority of these files are legitimate files and should not be deleted. #
# Please provide the output of this listing as a reply to the topic where you are #
# receiving help. #
# #
-----------------------------------------------------------------------------------


---- DLLs found in C:\WINNT\SYSTEM32 that match the pattern ms*.dll ----


Volume in drive C is IBM_PRELOAD
Volume Serial Number is 2C89-E903

Directory of C:\WINNT\system32

07/14/2004 11:24p 155,648 mscoree.dll
07/14/2004 10:34p 16,896 mscorier.dll
07/07/2004 05:37p 2,803,712 MSHTML.DLL
06/10/2004 08:58a 216,848 mstask.dll
03/23/2004 09:17p 53,520 msasn1.dll
03/23/2004 09:17p 335,120 MSGINA.DLL
03/11/2004 04:29p 153,872 msdtcui.dll
03/11/2004 04:29p 1,139,984 msdtctm.dll
03/11/2004 04:29p 96,016 msdtclog.dll
03/11/2004 04:29p 717,584 msdtcprx.dll
03/10/2004 09:37p 123,152 MSV1_0.DLL
03/01/2004 02:58p 241,936 msjtes40.dll
03/01/2004 02:58p 1,507,600 msjet40.dll
03/01/2004 02:58p 319,760 msexcl40.dll
02/17/2004 07:26p 352,528 msjetoledb40.dll
10/02/2003 02:17p 34,064 MSGSVC.DLL
09/26/2003 08:13p 614,672 mswstr10.dll
09/26/2003 08:13p 831,760 mswdat10.dll
09/26/2003 08:12p 258,320 mstext40.dll
09/26/2003 08:12p 553,232 msrepl40.dll
09/26/2003 08:12p 315,664 msrd3x40.dll
09/26/2003 08:12p 422,160 msrd2x40.dll
09/26/2003 08:12p 348,432 mspbde40.dll
09/26/2003 08:12p 213,264 msltus40.dll
09/26/2003 08:12p 151,824 msjint40.dll
09/26/2003 08:12p 53,520 msjter40.dll
09/26/2003 08:12p 512,272 msexch40.dll
09/26/2003 08:12p 348,432 msxbde40.dll
06/19/2003 02:05p 24,848 msdart32.dll
06/19/2003 02:05p 108,816 msafd.dll
06/19/2003 02:05p 4,126 msdxmlc.dll
06/19/2003 02:05p 64,272 mswsock.dll
06/19/2003 02:05p 514,320 msxml.dll
06/19/2003 02:05p 47,104 MSPRIVS.DLL
06/19/2003 02:05p 2,017,792 msi.dll
06/19/2003 02:05p 39,936 msisip.dll
06/19/2003 02:05p 35,088 MSSIGN32.DLL
06/19/2003 02:05p 236,304 msclus.dll
06/19/2003 02:05p 11,024 msrle32.dll
06/19/2003 02:05p 1,385,744 MSVBVM60.DLL
06/19/2003 02:05p 76,560 msw3prt.dll
06/19/2003 02:05p 305,664 msihnd.dll
06/19/2003 02:05p 14,608 msswch.dll
06/19/2003 02:05p 847,872 msimsg.dll
06/19/2003 02:05p 116,496 msvfw32.dll
06/19/2003 02:05p 286,773 msvcrt.dll
04/18/2003 04:46p 1,233,920 msxml4.dll
04/18/2003 04:29p 82,432 msxml4r.dll
03/18/2003 09:14p 499,712 msvcp71.dll
03/17/2003 02:05p 946,960 msjava.dll
03/03/2003 03:57p 44,032 MSIDENT.DLL
03/03/2003 03:57p 228,864 MSOEACCT.DLL
03/03/2003 03:57p 91,136 MSOERT2.DLL
02/21/2003 05:42a 348,160 msvcr71.dll
02/20/2003 06:09p 106,496 mscories.dll
02/17/2003 09:14a 480,256 msvidctl.dll
02/17/2003 09:14a 16,896 msyuv.dll
12/11/2002 11:14p 13,312 msdmo.dll
12/11/2002 11:14p 324,096 mswebdvd.dll
12/11/2002 05:09p 253,952 msnetobj.dll
12/11/2002 05:09p 358,912 msscp.dll
11/26/2002 06:03p 52,224 mspmsnsv.dll
11/26/2002 06:03p 245,760 mswmdm.dll
11/26/2002 06:03p 201,728 mspmsp.dll
08/29/2002 07:14a 434,688 mshtmled.dll
08/29/2002 07:14a 248,080 msieftp.dll
08/29/2002 07:14a 496,128 mstime.dll
08/29/2002 07:14a 95,744 msencode.dll
08/29/2002 07:14a 56,320 mshtmler.dll
08/29/2002 07:14a 1,122,304 msxml3.dll
08/29/2002 07:14a 24,576 msxml3a.dll
08/29/2002 07:14a 44,032 msxml3r.dll
08/29/2002 07:14a 59,904 msratelc.dll
08/29/2002 07:14a 132,096 msrating.dll
08/29/2002 07:14a 14,848 msidntld.dll
07/22/2002 03:05p 154,384 msawt.dll
07/22/2002 03:05p 26,624 msxmlr.dll
07/22/2002 03:05p 21,264 msjdbc10.dll
01/26/2002 01:59a 27,136 mspatcha.dll
01/05/2002 06:40a 487,424 msvcp70.dll
01/05/2002 06:38a 54,784 msvci70.dll
01/05/2002 06:37a 344,064 msvcr70.dll
01/05/2002 05:16a 94,208 msvci70d.dll
01/05/2002 05:16a 737,280 msvcp70d.dll
01/05/2002 05:16a 536,576 msvcr70d.dll
09/20/2001 05:52a 41,017 Msgsys.dll
08/23/2001 06:31p 169,472 MSIMTF.DLL
08/23/2001 06:30p 277,504 MSCTF.DLL
07/13/2001 09:31a 131,072 msorcl32.dll
07/13/2001 09:30a 126,976 msdart.dll
07/13/2001 08:39a 36,864 mscpxl32.dll
07/13/2001 08:38a 20,480 msorc32r.dll
05/08/2001 12:00p 69,632 msr2c.dll
05/08/2001 12:00p 16,384 msobjs.dll
05/08/2001 12:00p 74,000 msrclr40.dll
05/08/2001 12:00p 39,696 msports.dll
05/08/2001 12:00p 77,878 msvcirt.dll
05/08/2001 12:00p 565,760 msvcp50.dll
05/08/2001 12:00p 61,168 msacm.dll
05/08/2001 12:00p 1,355,776 msvbvm50.dll
05/08/2001 12:00p 5,904 mssip32.dll
05/08/2001 12:00p 148,752 msls31.dll
05/08/2001 12:00p 116,272 msnsspc.dll
05/08/2001 12:00p 28,944 msrecr40.dll
05/08/2001 12:00p 6,928 msidpe.dll
05/08/2001 12:00p 7,168 msr2cenu.dll
05/08/2001 12:00p 66,832 msacm32.dll
05/08/2001 12:00p 253,952 msvcrt20.dll
05/08/2001 12:00p 65,024 msvcrt40.dll
05/08/2001 12:00p 80,128 msapsspc.dll
05/08/2001 12:00p 27,920 msvidc32.dll
05/08/2001 12:00p 5,392 msimg32.dll
05/08/2001 12:00p 126,912 msvideo.dll
05/08/2001 12:00p 69,904 mscms.dll
05/08/2001 12:00p 64,272 msidlpm.dll
05/08/2001 12:00p 6,416 msidle.dll
05/08/2001 12:00p 50,448 msaudite.dll
05/08/2001 12:00p 18,192 msfaxmon.dll
05/08/2001 12:00p 7,952 mscat32.dll
05/08/2001 12:00p 53,520 msconf.dll
04/05/2001 12:43p 118,784 msstdfmt.dll
04/05/2001 12:43p 94,208 msstkprp.dll
02/20/2001 01:09p 56,832 MSCTFP.DLL
02/20/2001 01:09p 162,304 MSUTB.DLL
08/29/2000 07:19p 401,462 MSVCP60.dll
05/11/2000 01:06p 397,312 MSRDO20.DLL
02/11/2000 10:11a 368,710 msisam11.dll
02/11/2000 10:11a 241,725 msuni11.dll
128 File(s) 35,886,299 bytes
0 Dir(s) 20,997,583,360 bytes free

#8 Grinler


Posted 08 January 2005 - 03:07 AM

Looks like you selected option 2 instead of 1. This time rerun it and select option 1.

#9 mlm64


Posted 08 January 2005 - 04:39 AM

Option 1

------------------------------------------------------------------------------
# #
# This log will contain a series of tests. Some of the files that are found #
# could be legitimate so do not delete anything without supervision. #
# #
# Please provide the output of this listing as a reply to the topic #
# where you are receiving help. #
# #
------------------------------------------------------------------------------


---- Test1: Files that contain the string getc.php? ----


---- Test2: Files that contain the string xaloH ----


---- Test3: Files that are packed with UPX ----
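
The three checks named in the log above, as an added example that is not part of the thread and is not the FindHalox batch file (whose contents the thread does not show). It assumes a plain byte-substring match for the two strings and treats UPX's default section names or its "UPX!" tag near the file header as the packer indicator; the sample files are constructed.

```python
import os
import tempfile

# Strings taken from the test names in the log above.
STRING_TESTS = {"Test1 getc.php?": b"getc.php?", "Test2 xaloH": b"xaloH"}
# Assumption: default UPX markers; a modified packer can rename these.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def scan_bytes(data):
    """Return the sorted list of test labels that this file content triggers."""
    hits = [label for label, needle in STRING_TESTS.items() if needle in data]
    # UPX check only for files with the DOS/PE 'MZ' magic; the section table
    # and UPX tag sit near the start of the file, so 4 KiB is enough.
    if data[:2] == b"MZ" and any(m in data[:4096] for m in UPX_MARKERS):
        hits.append("Test3 UPX")
    return sorted(hits)


def scan_directory(root, ext=".dll"):
    """Walk root and map each file with the given extension to its hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ext):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hits = scan_bytes(fh.read())
            except OSError:
                # A file that cannot be read is worth reporting, not hiding.
                hits = ["unreadable"]
            if hits:
                report[path] = hits
    return report


def demo():
    """Scan constructed sample files (harmless byte strings, not real DLLs)."""
    header = b"MZ" + b"\x00" * 64
    samples = {
        "clean.dll": header + b".text\x00\x00\x00",
        "packed.dll": header + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00",
        "strings.dll": header + b"http://example.invalid/getc.php?id=1 xaloH",
        "notes.txt": b"getc.php?",  # wrong extension, never opened
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        found = scan_directory(tmp)
    return {os.path.basename(p): h for p, h in found.items()}


if __name__ == "__main__":
    for name, hits in sorted(demo().items()):
        print(name, hits)
```

As the log banner says, a hit is only a lead: legitimate files can be UPX-packed, so results still need review before anything is deleted.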

#10 Grinler


Posted 08 January 2005 - 07:37 PM

Please post a new HijackThis log.