
Check my HJT log


30 replies to this topic

#1 biljana4b

biljana4b

  • Members
  • 18 posts

Posted 10 January 2005 - 09:24 AM

Hi! I just recently removed a buldog-search.com hijacker from the system...but I'm still experiencing some problems - the system is running slow and I've been having some audio problems - all possible sounds (music also!) seem to be playing faster than they are supposed to.....I believe this buldog thing did some damage to my system files....
If someone can check my HJT log and give me some good piece of advice, it'll be greatly appreciated! :-)


Here's my logfile:


Logfile of HijackThis v1.99.0
Scan saved at 15:17:34, on 10.1.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SOPHOS\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Application Data\cstr.exe
C:\WINNT\system32\??rss.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINNT\winhlp32.exe
C:\Documents and Settings\Administrator\Desktop\INTERNET\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.novi-informator.net/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MSAgent] C:\WINNT\hhnt.exe
O4 - HKCU\..\Run: [Tdec] C:\Documents and Settings\Administrator\Application Data\cstr.exe
O4 - HKCU\..\Run: [Sqp] C:\WINNT\system32\??rss.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50984133-1B91-4741-8A12-1DE706D647D8}: NameServer = 195.29.150.3,195.29.150.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{50984133-1B91-4741-8A12-1DE706D647D8}: NameServer = 195.29.150.3,195.29.150.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{50984133-1B91-4741-8A12-1DE706D647D8}: NameServer = 195.29.150.3,195.29.150.4
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
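The helpers in this thread read the HijackThis log above by eye. As an added example (not part of the thread, of HijackThis, or of BleepingComputer), the Python script below applies the same first-pass checks mechanically to the O1, O4 and O17 lines: hosts entries that pin search domains to an address other than loopback, Run entries that launch from a user's Application Data folder, straight from the Windows directory, or under a file name HijackThis could not render (the `??rss.exe` entry), and name-server entries to be confirmed against the ISP. The sample log is a constructed excerpt modelled on the log posted above; the `Finding` type and the heuristics are this example's own and only point a reviewer at lines worth checking.

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt in HijackThis log format, modelled on the
# entries posted above (same hosts target, Run entries and name servers).
SAMPLE_HJT_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [MSAgent] C:\WINNT\hhnt.exe
O4 - HKCU\..\Run: [Tdec] C:\Documents and Settings\Administrator\Application Data\cstr.exe
O4 - HKCU\..\Run: [Sqp] C:\WINNT\system32\??rss.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{50984133-1B91-4741-8A12-1DE706D647D8}: NameServer = 195.29.150.3,195.29.150.4
"""

@dataclass
class Finding:
    kind: str      # short tag for the heuristic that fired
    line: str      # the HijackThis line it fired on
    reason: str    # what a helper would tell the poster to check

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
NS_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

def _run_target(rest):
    """Extract the launched file from the text after the [name] of an O4 line."""
    rest = rest.strip()
    if rest.startswith('"'):            # quoted path; arguments follow the closing quote
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest
    # unquoted: drop trailing switch-style arguments such as " /logon" or " -osboot"
    return re.sub(r"(\s+[-/]\S+)+$", "", rest)

def triage_hjt(log_text):
    """Apply the thread's manual checks to O1/O4/O17 lines and return the findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip not in LOOPBACK:
                findings.append(Finding("hosts-redirect", line,
                    f"{host} is pinned to {ip}; a clean hosts file maps names only to loopback"))
            continue
        m = RUN_RE.match(line)
        if m:
            target = _run_target(m.group(3))
            fname = target.rsplit("\\", 1)[-1]
            low = target.lower()
            if "?" in fname:
                findings.append(Finding("run-odd-name", line,
                    "file name contains characters HijackThis could not display"))
            elif "\\application data\\" in low:
                findings.append(Finding("run-profile-exe", line,
                    "executable started from a user profile data folder"))
            elif re.fullmatch(r"c:\\win(nt|dows)\\[^\\]+\.exe", low):
                findings.append(Finding("run-windir-exe", line,
                    "executable sits directly in the Windows directory"))
            continue
        m = NS_RE.match(line)
        if m:
            findings.append(Finding("dns-review", line,
                f"name servers {m.group(1)}: confirm they belong to your ISP or network"))
    return findings

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{f.kind}] {f.line}\n    {f.reason}")
```

Run against the constructed sample the script reports six lines: the two hosts redirects, the three HKCU Run entries (`hhnt.exe`, `cstr.exe`, `??rss.exe`) and the O17 name servers for confirmation; the two HKLM entries for `mobsync.exe` and `nod32kui.exe` pass because the heuristics look at where a file runs from, not at its name alone.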


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • Gender:Male
  • Location:USA

Posted 10 January 2005 - 10:43 AM

Download the following file:

http://www.thatcomputerguy.us/downloads/finditnt2000xp.zip


and unzip the contents to a folder. When it has unzipped, open that folder and double click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any File not found messages on the screen, it should continue anyway).

Please copy and paste that log here.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

#3 biljana4b

biljana4b
  • Topic Starter

  • Members
  • 18 posts

Posted 10 January 2005 - 10:56 AM

here's my log...


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Administrator\Desktop\INTERNET\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is A8D8-587B

Directory of C:\WINNT\System32

10.01.2005 16:09 222.677 ihsetup.dll
10.01.2005 16:08 225.473 r28s0cl7efq.dll
10.01.2005 16:07 <DIR> dllcache
10.01.2005 12:08 222.677 o8lu0i39e8.dll
10.01.2005 11:58 225.276 e0jmla111d.dll
10.01.2005 11:41 225.276 ndrsptb.dll
10.01.2005 09:56 225.276 itmpagnt.dll
05.01.2005 16:28 225.933 g6220gfoe62c0.dll
04.01.2005 17:01 223.723 fpl8033ue.dll
04.01.2005 16:00 225.677 q4nule591h.dll
04.01.2005 15:48 225.381 n8n6li5s18.dll
04.01.2005 15:33 223.802 lvp0097me.dll
04.01.2005 15:12 223.723 k2pm0c71ef.dll
04.01.2005 14:40 222.939 jt8007lme.dll
03.01.2005 12:56 223.688 l6n40g5qe6.dll
22.12.2004 20:19 389.120 ??rss.exe
15 File(s) 3.530.641 bytes
1 Dir(s) 34.097.479.680 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is A8D8-587B

Directory of C:\WINNT\System32

10.01.2005 16:07 <DIR> dllcache
22.12.2004 20:19 389.120 ??rss.exe
23.08.2004 11:31 <DIR> GroupPolicy
23.08.2004 11:14 21.692 folder.htt
23.08.2004 11:14 271 desktop.ini
3 File(s) 411.083 bytes
2 Dir(s) 34.097.479.680 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is A8D8-587B

Directory of C:\WINNT\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is A8D8-587B

Directory of C:\WINNT\System32

07.12.1999 05:00 2.577 CONFIG.TMP
1 File(s) 2.577 bytes
0 Dir(s) 34.097.479.680 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D84AB54C-B577-4634-83CC-267413DAC0DA}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\o8lu0i39e8.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------- Locate.com Results -------------

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"HPDJ Taskbar Utility"="C:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\hpztsb03.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • Gender:Male
  • Location:USA

Posted 10 January 2005 - 11:39 AM

Please print out these instructions as you will be required to reboot your computer at times. Please read these directions before you proceed so that you understand what you will be doing.

Step 1:

Download the Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Select the Replace on Reboot option and put a checkmark in the Use Dummy checkbox if it is not checked. Make sure the Use Dummy checkbox is checked as it clears each time you do these steps.

  • Paste this file into the top Full Path of File to Delete field.

    c:\windows\system32\ihsetup.dll
  • Click the Delete File button which looks like a stop sign.

  • Click Yes at the Replace on Reboot prompt.

  • Click No at the Pending Operations prompt.
Repeat steps 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.


c:\windows\system32\r28s0cl7efq.dll
c:\windows\system32\o8lu0i39e8.dll
c:\windows\system32\e0jmla111d.dll
c:\windows\system32\ndrsptb.dll
c:\windows\system32\itmpagnt.dll
c:\windows\system32\g6220gfoe62c0.dll
c:\windows\system32\fpl8033ue.dll
c:\windows\system32\q4nule591h.dll
c:\windows\system32\n8n6li5s18.dll
c:\windows\system32\lvp0097me.dll
c:\windows\system32\k2pm0c71ef.dll
c:\windows\system32\jt8007lme.dll
c:\windows\system32\l6n40g5qe6.dll

After you add the last file, Guard.tmp, and it prompts to reboot, you should press the Yes button to allow it to do so.


Do not reboot more than once as the Guard.tmp will probably recreate on reboot but will be an easy kill this time.


Step 2:


Please run Findit again and post the resulting log. Remember it may take quite a bit of time before the log appears. So be patient.

#5 biljana4b

biljana4b
  • Topic Starter

  • Members
  • 18 posts

Posted 10 January 2005 - 11:42 AM

hmmm. I forgot to mention that my system reboots occasionally (due to this problem I've got, I guess).....So it happened again......
That means any help provided by looking at my last log is not gonna work now?
Should I run this FindIt file again and post a new log?

#6 biljana4b

biljana4b
  • Topic Starter

  • Members
  • 18 posts

Posted 11 January 2005 - 03:30 AM

Hi! I sent a post yesterday, but I haven't solved my problem yet...Since I'm in a different time zone than most of the users here, I wasn't able to wait for help any longer, 'cause I had to go home, since the problem I'm having regards my computer at work...
So....
Recently I removed Buldog-search.com hijacker from my computer, but I'm still experiencing some problems - the system is running slow, computer reboots unexpectedly every now and then, and all the sounds that come from my speakers are played faster.
I've run Ad-Aware, Spybot, SpySubtract, Norton, Nod 32 many times...but no luck....
It seems that this buldog thing did some damage to my computer.....
Please help!

Here's my HJT log:


Logfile of HijackThis v1.99.0
Scan saved at 9:13:54, on 11.1.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SOPHOS\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Application Data\cstr.exe
C:\WINNT\system32\??rss.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\rundll32.exe
C:\Documents and Settings\Administrator\Desktop\INTERNET\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.novi-informator.net/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MSAgent] C:\WINNT\hhnt.exe
O4 - HKCU\..\Run: [Tdec] C:\Documents and Settings\Administrator\Application Data\cstr.exe
O4 - HKCU\..\Run: [Sqp] C:\WINNT\system32\??rss.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50984133-1B91-4741-8A12-1DE706D647D8}: NameServer = 195.29.150.3,195.29.150.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{50984133-1B91-4741-8A12-1DE706D647D8}: NameServer = 195.29.150.3,195.29.150.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{50984133-1B91-4741-8A12-1DE706D647D8}: NameServer = 195.29.150.3,195.29.150.4
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe


...............
and here's my Findit log:


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Administrator\Desktop\INTERNET\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is A8D8-587B

Directory of C:\WINNT\System32

11.01.2005 08:54 226.073 MKG4C32.DLL
10.01.2005 18:14 224.696 gp40l3hm1.dll
10.01.2005 18:07 226.073 ktpol7731.dll
10.01.2005 16:08 225.473 r28s0cl7efq.dll
10.01.2005 16:07 <DIR> dllcache
10.01.2005 11:58 225.276 e0jmla111d.dll
10.01.2005 11:41 225.276 ndrsptb.dll
10.01.2005 09:56 225.276 itmpagnt.dll
05.01.2005 16:28 225.933 g6220gfoe62c0.dll
04.01.2005 17:01 223.723 fpl8033ue.dll
04.01.2005 16:00 225.677 q4nule591h.dll
04.01.2005 15:48 225.381 n8n6li5s18.dll
04.01.2005 15:33 223.802 lvp0097me.dll
04.01.2005 15:12 223.723 k2pm0c71ef.dll
04.01.2005 14:40 222.939 jt8007lme.dll
03.01.2005 12:56 223.688 l6n40g5qe6.dll
22.12.2004 20:19 389.120 ??rss.exe
16 File(s) 3.762.129 bytes
1 Dir(s) 34.093.830.144 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is A8D8-587B

Directory of C:\WINNT\System32

10.01.2005 16:07 <DIR> dllcache
22.12.2004 20:19 389.120 ??rss.exe
23.08.2004 11:31 <DIR> GroupPolicy
23.08.2004 11:14 21.692 folder.htt
23.08.2004 11:14 271 desktop.ini
3 File(s) 411.083 bytes
2 Dir(s) 34.093.830.144 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is A8D8-587B

Directory of C:\WINNT\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is A8D8-587B

Directory of C:\WINNT\System32

07.12.1999 05:00 2.577 CONFIG.TMP
1 File(s) 2.577 bytes
0 Dir(s) 34.093.830.144 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D84AB54C-B577-4634-83CC-267413DAC0DA}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\ktpol7731.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------- Locate.com Results -------------

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"HPDJ Taskbar Utility"="C:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\hpztsb03.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



Thanx! :-)

#7 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 11 January 2005 - 09:17 AM

biljana4b, I merged your topics. Please reply in the same topic - click the Add Reply button.

Grinler will help you when he is available.

That means any help provided by looking at my last log is not gonna work now?

Yes, please post a new find.bat log every time.
Every day is virus day. Do you know where your recovery CDs are?
Did you create them yet?


#8 biljana4b

biljana4b
  • Topic Starter

  • Members
  • 18 posts

Posted 11 January 2005 - 09:28 AM

GRINLER....HELP ME! :thumbsup:
I'M WAITING FOR YOU...... :flowers:
:-)

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • Gender:Male
  • Location:USA

Posted 11 January 2005 - 11:00 AM

Please print out these instructions as you will be required to reboot your computer at times. Please read these directions before you proceed so that you understand what you will be doing.

Step 1:

Download the Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Select the Replace on Reboot option and put a checkmark in the Use Dummy checkbox if it is not checked. Make sure the Use Dummy checkbox is checked as it clears each time you do these steps.

  • Paste this file into the top Full Path of File to Delete field.

    c:\windows\system32\MKG4C32.DLL
  • Click the Delete File button which looks like a stop sign.

  • Click Yes at the Replace on Reboot prompt.

  • Click No at the Pending Operations prompt.
Repeat steps 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.


c:\windows\system32\gp40l3hm1.dll
c:\windows\system32\ktpol7731.dll
c:\windows\system32\r28s0cl7efq.dll
c:\windows\system32\e0jmla111d.dll
c:\windows\system32\ndrsptb.dll
c:\windows\system32\itmpagnt.dll
c:\windows\system32\g6220gfoe62c0.dll
c:\windows\system32\fpl8033ue.dll
c:\windows\system32\q4nule591h.dll
c:\windows\system32\n8n6li5s18.dll
c:\windows\system32\lvp0097me.dll
c:\windows\system32\k2pm0c71ef.dll
c:\windows\system32\jt8007lme.dll
c:\windows\system32\l6n40g5qe6.dll
C:\WINDOWS\System32\Guard.tmp

After you add the last file, Guard.tmp, and it prompts to reboot, you should press the Yes button to allow it to do so.


Do not reboot more than once as the Guard.tmp will probably recreate on reboot but will be an easy kill this time.


Step 2:


Please run Findit again and post the resulting log. Remember it may take quite a bit of time before the log appears. So be patient.
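Both Killbox procedures in this thread (posts #4 and #9) rely on Replace on Reboot: files that are locked while Windows runs are queued and removed at the next boot, which is also why the instructions say to reboot exactly once. Windows keeps that queue in the REG_MULTI_SZ value `PendingFileRenameOperations` under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`, as consecutive source/destination string pairs in which an empty destination means "delete". As an added example (not part of the thread or of Killbox, and assuming Killbox queues its deletions through that standard mechanism), the Python script below shows how to read the queue before rebooting to confirm every listed file is actually pending, and how to check afterwards which delete targets survived the reboot. The sample value is constructed; on Windows the script reads the live value through `winreg`, elsewhere it falls back to the sample.

```python
import os

KEY_PATH = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"

# Constructed sample of the REG_MULTI_SZ contents: consecutive (source, destination)
# strings, an empty destination meaning "delete at next boot". Paths carry the \??\
# NT prefix. The last pair mimics a "Use Dummy" replacement of a queued file.
SAMPLE_PENDING = [
    r"\??\C:\WINNT\system32\ihsetup.dll", "",
    r"\??\C:\WINNT\system32\r28s0cl7efq.dll", "",
    r"\??\C:\WINNT\TEMP\dummy.tmp", r"\??\C:\WINNT\system32\o8lu0i39e8.dll",
]

def strip_nt_prefix(path):
    """Drop the \\??\\ prefix the kernel path form uses."""
    return path[4:] if path.startswith("\\??\\") else path

def pair_pending_ops(entries):
    """Turn the flat string list into (source, destination) pairs."""
    ops, it = [], iter(entries)
    for src in it:
        dst = next(it, "")          # a dangling last entry is treated as a delete
        ops.append((strip_nt_prefix(src), strip_nt_prefix(dst)))
    return ops

def describe(ops):
    """Human-readable line per queued operation."""
    return [f"delete  {s}" if not d else f"replace {d} with {s}" for s, d in ops]

def read_live_pending_ops():
    """On Windows, read the live value; None off Windows, [] when nothing is queued."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
            data, _ = winreg.QueryValueEx(key, VALUE_NAME)
    except FileNotFoundError:
        return []
    return pair_pending_ops(list(data))

def leftovers(ops):
    """After the reboot: delete targets that still exist on disk and need a second pass."""
    return [s for s, d in ops if not d and os.path.exists(s)]

if __name__ == "__main__":
    ops = read_live_pending_ops()
    if ops is None:
        print("not on Windows, showing the constructed sample instead")
        ops = pair_pending_ops(SAMPLE_PENDING)
    for text in describe(ops):
        print(text)
    print("still present:", leftovers(ops) or "none")
```

Run it once after queuing the files in Killbox and before rebooting: every path from the instructions should appear as a `delete` (or as a `replace` when Use Dummy is on). Run it again after the single reboot; anything `leftovers` reports is what the thread calls the "easy kill" on the next pass, and is worth a fresh Find.bat log rather than a second blind reboot.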

#10 biljana4b

biljana4b
  • Topic Starter

  • Members
  • 18 posts

Posted 11 January 2005 - 12:00 PM

thanx grinler :-)
but something bothers me.....every time you give me instructions, soon after I have to go home (since my infected computer is at work)...and it happens all the time....no one gives me any help before 3-4 p.m. (Central European Time)... I've already presumed it was because of the time zone difference (you get up - I finish my job for that day)..so, when I'm just about to leave the company the help arrives and I haven't got time to fix the problem 'cause I have to leave the place....and when I come to work the next day, the help instructions obviously don't work because, in the meantime, I shut down my computer (as I understand I am NOT supposed to do that in order to succeed in fixing my computer)...so, I am wondering, will it ever be possible with this kind of situation to fix the problem? (Don't ask me why I don't contact my administrator....he's lazy and doesn't have the slightest clue about this thing - for him the easiest thing is to reinstall Windows, send an invoice to my boss and make easy money!) I apologize if you find this boring, but I will not give up till I do everything I can to save my computer.........And it's not that I have no one to turn to, it's just I find this forum thing more effective........

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • Gender:Male
  • Location:USA

Posted 11 January 2005 - 12:09 PM

Is there any way you can leave your computer on over night? Are you at your work computer now?

#12 biljana4b

biljana4b
  • Topic Starter

  • Members
  • 18 posts

Posted 11 January 2005 - 12:19 PM

no, I'm not.....I'm at home....ok....tomorrow I'll send you both new HJT and Find.bat logs, and you tell me what files and directories to remove or else, and I'll leave my computer on over night and will try to fix the problem the next morning....I'm just hoping my computer is not gonna reboot by itself (since this is one part of the problem)....

#13 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • Gender:Male
  • Location:USA

Posted 11 January 2005 - 12:33 PM

Leave a program open when you go home so that you can tell if it reboots the next day.

#14 biljana4b

biljana4b
  • Topic Starter

  • Members
  • 18 posts

Posted 11 January 2005 - 12:40 PM

ok...I'll do that.....tomorrow morning I'll send you fresh logs and when you drop by at the site give me instructions....we'll see the next day what I've done...
thanx again! biljana

#15 biljana4b

biljana4b
  • Topic Starter

  • Members
  • 18 posts

Posted 12 January 2005 - 03:39 AM

Hi, Grinler.....
I'm sending my new HJT log and Find.bat log.....I'm expecting your post with further instructions...I'll leave my computer on over night, as you told me yesterday......


Here's my HJT log:


Logfile of HijackThis v1.99.0
Scan saved at 9:19:46, on 12.1.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SOPHOS\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\??rss.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\rundll32.exe
C:\Documents and Settings\Administrator\Application Data\cstr.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\INTERNET\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.novi-informator.net/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MSAgent] C:\WINNT\hhnt.exe
O4 - HKCU\..\Run: [Sqp] C:\WINNT\system32\??rss.exe
O4 - HKCU\..\Run: [Tdec] C:\Documents and Settings\Administrator\Application Data\cstr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{50984133-1B91-4741-8A12-1DE706D647D8}: NameServer = 195.29.150.3,195.29.150.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{50984133-1B91-4741-8A12-1DE706D647D8}: NameServer = 195.29.150.3,195.29.150.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{50984133-1B91-4741-8A12-1DE706D647D8}: NameServer = 195.29.150.3,195.29.150.4
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe



Here's my Find.bat log:


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Administrator\Desktop\INTERNET\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is A8D8-587B

Directory of C:\WINNT\System32

11.01.2005 16:59 226.073 en66l1js1.dll
10.01.2005 18:14 224.696 gp40l3hm1.dll
10.01.2005 16:08 225.473 r28s0cl7efq.dll
10.01.2005 16:07 <DIR> dllcache
10.01.2005 11:58 225.276 e0jmla111d.dll
10.01.2005 11:41 225.276 ndrsptb.dll
10.01.2005 09:56 225.276 itmpagnt.dll
05.01.2005 16:28 225.933 g6220gfoe62c0.dll
04.01.2005 17:01 223.723 fpl8033ue.dll
04.01.2005 16:00 225.677 q4nule591h.dll
04.01.2005 15:48 225.381 n8n6li5s18.dll
04.01.2005 15:33 223.802 lvp0097me.dll
04.01.2005 15:12 223.723 k2pm0c71ef.dll
04.01.2005 14:40 222.939 jt8007lme.dll
03.01.2005 12:56 223.688 l6n40g5qe6.dll
22.12.2004 20:19 389.120 ??rss.exe
15 File(s) 3.536.056 bytes
1 Dir(s) 34.059.337.728 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is A8D8-587B

Directory of C:\WINNT\System32

10.01.2005 16:07 <DIR> dllcache
22.12.2004 20:19 389.120 ??rss.exe
23.08.2004 11:31 <DIR> GroupPolicy
23.08.2004 11:14 21.692 folder.htt
23.08.2004 11:14 271 desktop.ini
3 File(s) 411.083 bytes
2 Dir(s) 34.059.337.728 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is A8D8-587B

Directory of C:\WINNT\System32

12.01.2005 09:03 224.696 guard.tmp
1 File(s) 224.696 bytes
0 Dir(s) 34.059.337.728 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is A8D8-587B

Directory of C:\WINNT\System32

12.01.2005 09:03 224.696 guard.tmp
07.12.1999 05:00 2.577 CONFIG.TMP
2 File(s) 227.273 bytes
0 Dir(s) 34.059.337.728 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D84AB54C-B577-4634-83CC-267413DAC0DA}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\gp40l3hm1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------- Locate.com Results -------------

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"HPDJ Taskbar Utility"="C:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\hpztsb03.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


....I just hope my computer is not gonna reboot.....keep your fingers crossed :-)
Regards, Biljana....