
HJT Log - wkwchan


3 replies to this topic

#1 wkwchan

wkwchan

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:21 PM

Posted 13 January 2005 - 09:38 PM

Another one of my computers got infected with spyware. This time, hijackthis v1.99 crashes. Here's the log from v1.98.2. Please help.

Thanx.

William


Logfile of HijackThis v1.98.2
Scan saved at 6:34:48 PM, on 1/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
D:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\WINDOWS\System32\kkyvgy.exe
C:\WINDOWS\Plaxo\1.4.2.25\InstallStub.exe
C:\Documents and Settings\Valued Sony Customer\Application Data\hhio.exe
C:\WINDOWS\System32\lflc32gt.exe
C:\WINDOWS\System32\?ttrib.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
D:\will\downloads\hijackthis\v1_98_2\HijackThis1982\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AS00_Gear511] d:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [SStb.exe] SStb.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.4.2.25\InstallStub.exe -a
O4 - HKCU\..\Run: [Ecta] C:\Documents and Settings\Valued Sony Customer\Application Data\hhio.exe
O4 - HKCU\..\Run: [Z9smRXKnS] lflc32gt.exe
O4 - HKCU\..\Run: [Itg] C:\WINDOWS\System32\?ttrib.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
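A way to pull the hijack indicators out of a HijackThis log automatically, as an added example that is not part of this thread or of HijackThis itself. The flagging rules (about:blank search settings, orphaned URLSearchHook, hosts-file redirects to non-local addresses, Run entries that are bare names, live under Application Data or carry an unprintable character, and unknown Winsock LSP files) are heuristics chosen for the example, the function names are the example's own, and the sample lines are copied from the log above:

```python
"""Triage a HijackThis-style log for the hijack indicators seen in this thread.

Added example, not part of the forum post or of HijackThis. The rules are
heuristics chosen for this example; the sample lines are copied from the
log in the first post.
"""
import re

# Sample lines taken from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Ecta] C:\Documents and Settings\Valued Sony Customer\Application Data\hhio.exe
O4 - HKCU\..\Run: [Z9smRXKnS] lflc32gt.exe
O4 - HKCU\..\Run: [Itg] C:\WINDOWS\System32\?ttrib.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
"""

O4_RE = re.compile(r"^O4 - .*?: \[([^\]]*)\] (.*)$")
# Hosts entries pointing here are the usual ad-blocking kind, not a hijack.
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def _exe_path(cmd):
    """Pull the executable out of a Run-key command line (quoted or bare)."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split() or [cmd])[0]


def _check_run_entry(cmd):
    """Heuristics for one O4 autostart entry; returns a reason or None."""
    path = _exe_path(cmd)
    if "?" in path:
        # HijackThis prints unprintable characters as '?'; the name above
        # is built to pass for attrib.exe in a process list.
        return "unprintable character in executable name"
    if "\\" not in path:
        return "bare executable name resolved through the PATH search"
    if "application data" in path.lower():
        return "autostart executable living in a user profile Application Data folder"
    return None


def triage(log_text):
    """Return one finding per suspicious line: {'kind', 'reason', 'line'}."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if " - " not in line:
            continue
        kind = line.split(" - ", 1)[0]
        reason = None
        if kind in ("R0", "R1") and line.endswith("= about:blank"):
            reason = "browser search/start setting forced to about:blank"
        elif kind == "R3" and "(no file)" in line:
            reason = "URLSearchHook whose DLL is missing (orphaned hook)"
        elif kind == "O1":
            addr = line.split("Hosts:", 1)[1].split()[0]
            if addr not in LOCAL_ADDRS:
                reason = "hosts-file entry redirecting a search domain to %s" % addr
        elif kind == "O4":
            m = O4_RE.match(line)
            if m:
                reason = _check_run_entry(m.group(2))
        elif kind == "O10" and "Unknown file" in line:
            reason = "unrecognised DLL inserted into the Winsock LSP chain"
        if reason:
            findings.append({"kind": kind, "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (f["kind"], f["reason"], f["line"]))
```

Run against the sample it reports seven lines and leaves the Symantec, SBC start page and Plaxo entries alone; the O4 rules deliberately say nothing about whether a file name "looks random", since that judgement is what the helper in this thread makes by hand with the directory listing in the next post.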



#2 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:07:21 PM

Posted 14 January 2005 - 08:09 PM

Wow..you have a few different things going on in there. This is going to be a lengthy process.. :thumbsup:

To remove Wintools,

1. Boot into SAFE MODE by tapping the F8 key during boot up.
2. Kill running entries by Ctrl, Alt and Del for Wintools. (Kill all references to anything that has Wintools in it.)
3. Uninstall Wintools from Add/Remove. It will prompt for reboot. Do that and reboot.

**************

HijackThis needs to be run from somewhere within your root drive so that we can save the backups. Otherwise if there is a problem, there will be no way to recover.

**************

Please Download LSPFix from http://www.cexx.org/lspfix.htm and Run the Program. Disconnect from the Internet and close all Internet Explorer Windows. Check the "I know what I'm doing" Button and remove all traces of calsp.dll and nothing else. Reboot.


**************
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.
Please do not reboot until I reply back. File names will change and new ones added if you do.

#3 wkwchan

wkwchan
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:08:21 PM

Posted 15 January 2005 - 02:37 AM

Here's the findit log.

Thanx.

William

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: D:\will\downloads\finditnt2000xp\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 1A5E-0FD4

Directory of C:\WINDOWS\System32

01/14/2005 05:59 PM 223,872 k4pmle711h.dll
01/14/2005 05:55 PM 225,307 mv6ml9j11.dll
01/13/2005 06:02 PM 223,872 lvj6091se.dll
01/13/2005 05:31 PM 224,961 mv80l9lm1.dll
01/12/2005 10:18 AM 223,872 l0j8la1u1d.dll
01/12/2005 12:03 AM 223,872 l8n40i5qe8.dll
01/08/2005 10:17 PM 224,466 lv8609lse.dll
01/07/2005 10:00 PM 223,168 lvp6097se.dll
01/07/2005 04:44 PM 223,168 fpj2031oe.dll
01/07/2005 12:53 PM 223,168 i024lafq1d2e.dll
01/07/2005 12:44 PM 224,623 irn4l55q1.dll
01/06/2005 08:57 PM 223,636 fp0203doe.dll
01/01/2005 01:01 AM 224,640 l4j80e1ueh.dll
12/30/2004 10:52 AM 224,943 irp2l57o1.dll
12/27/2004 04:12 AM 226,180 l40u0ed9eh0.dll
12/22/2004 11:21 AM 389,120 ?ttrib.exe
12/21/2004 11:12 PM 224,622 ir6ul5j91.dll
12/21/2004 10:55 PM 224,622 oobccr32.dll
09/14/2002 10:56 PM <DIR> Microsoft
09/14/2002 10:01 PM <DIR> dllcache
08/29/2002 03:41 AM 569,344 oleaut32.dll
08/29/2002 03:41 AM 401,462 msvcp60.dll
08/29/2002 03:41 AM 323,072 msvcrt.dll
08/23/2001 03:00 PM 50,688 msvcirt.dll
08/23/2001 03:00 PM 995,383 mfc42.dll
08/23/2001 03:00 PM 106,496 olepro32.dll
08/23/2001 03:00 PM 9,728 regsvr32.exe
25 File(s) 6,658,285 bytes
2 Dir(s) 483,864,576 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 1A5E-0FD4

Directory of C:\WINDOWS\System32

01/14/2005 05:32 PM <DIR> vmss
01/14/2005 05:32 PM <DIR> wsxsvc
12/22/2004 11:21 AM 389,120 ?ttrib.exe
01/16/2003 11:10 AM <DIR> GroupPolicy
09/14/2002 10:28 PM 488 logonui.exe.manifest
09/14/2002 10:28 PM 488 WindowsLogon.manifest
09/14/2002 10:28 PM 749 cdplayer.exe.manifest
09/14/2002 10:28 PM 749 sapi.cpl.manifest
09/14/2002 10:28 PM 749 ncpa.cpl.manifest
09/14/2002 10:28 PM 749 nwc.cpl.manifest
09/14/2002 10:28 PM 749 wuaucpl.cpl.manifest
09/14/2002 10:01 PM <DIR> dllcache
08/29/2002 03:41 AM 569,344 oleaut32.dll
08/29/2002 03:41 AM 323,072 msvcrt.dll
08/29/2002 03:41 AM 401,462 msvcp60.dll
08/23/2001 03:00 PM 50,688 msvcirt.dll
08/23/2001 03:00 PM 995,383 mfc42.dll
08/23/2001 03:00 PM 9,728 regsvr32.exe
08/23/2001 03:00 PM 106,496 olepro32.dll
04/17/2000 01:51 PM 13,122 folder.htt
16 File(s) 2,863,136 bytes
4 Dir(s) 483,860,480 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 1A5E-0FD4

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 1A5E-0FD4

Directory of C:\WINDOWS\System32

08/03/2004 11:56 PM 1,236,480 ~GLH0014.TMP
08/23/2001 03:00 PM 2,577 CONFIG.TMP
01/05/2000 03:10 PM 614,672 VIS4fb1.TMP
3 File(s) 1,853,729 bytes
0 Dir(s) 483,852,288 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F4C546FD-84B1-4395-8C6D-F12587310605}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run-]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv6ml9j11.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\SYSTEM32\aazinz.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\qqplap.exe: updates.qoologic.com
C:\WINDOWS\SYSTEM32\ppglqg.dll: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\SYSTEM32\kkyvgy.exe: .aspack
C:\WINDOWS\SYSTEM32\vvqwkq.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\nnykiy.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SystemTray"="SysTray.Exe"
"ZingSpooler"="C:\\Program Files\\Common Files\\Zing\\ZingSpooler.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"YBrowser"="C:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe"
"IPInSightMonitor 01"="\"C:\\Program Files\\SBC Yahoo!\\Connection Manager\\IP InSight\\IPMon32.exe\""
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AS00_Gear511"="d:\\Program Files\\NETGEAR\\WG511SCU\\Utility\\Gear511.exe -hide"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"CSV10P70"="C:\\Program Files\\CSBB\\CSv10P070.exe"
"SStb.exe"="SStb.exe"
"VBouncer"="C:\\PROGRA~1\\VBOUNCER\\VirtualBouncer.exe"
"Narrator"="C:\\WINDOWS\\System32\\kkyvgy.exe"
"kalvsys"="C:\\windows\\system32\\kalvtph32.exe"
"ntechin"="C:\\WINDOWS\\system32\\n20050308.exe"
"Dvx"="C:\\WINDOWS\\System32\\wsxsvc\\wsxsvc.exe"
"vmss"="C:\\WINDOWS\\System32\\vmss\\vmss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




#4 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  • Gender:Male
  • Location:Centerville, SD
  • Local time:07:21 PM

Posted 15 January 2005 - 10:29 AM

  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location.
  • Disconnect from the internet and shut down all running programs.
  • Double-click on KillBox.exe.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\k4pmle711h.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 5-9 above for these files:
    • C:\WINDOWS\System32\mv6ml9j11.dll
    • C:\WINDOWS\System32\lvj6091se.dll
    • C:\WINDOWS\System32\mv80l9lm1.dll
    • C:\WINDOWS\System32\l0j8la1u1d.dll
    • C:\WINDOWS\System32\l8n40i5qe8.dll
    • C:\WINDOWS\System32\lv8609lse.dll
    • C:\WINDOWS\System32\lvp6097se.dll
    • C:\WINDOWS\System32\fpj2031oe.dll
    • C:\WINDOWS\System32\i024lafq1d2e.dll
    • C:\WINDOWS\System32\irn4l55q1.dll
    • C:\WINDOWS\System32\fp0203doe.dll
    • C:\WINDOWS\System32\l4j80e1ueh.dll
    • C:\WINDOWS\System32\irp2l57o1.dll
    • C:\WINDOWS\System32\l40u0ed9eh0.dll
    • C:\WINDOWS\System32\ir6ul5j91.dll
    • C:\WINDOWS\System32\oobccr32.dll
    • C:\WINDOWS\System32\aazinz.dll
    • C:\WINDOWS\System32\qqplap.exe
    • C:\WINDOWS\System32\ppglqg.dll
    • C:\WINDOWS\System32\kkyvgy.exe
    • C:\WINDOWS\System32\vvqwkq.dat
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste this file into the top "Full Path of File to Delete" box.
    • C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\nnykiy.exe
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer. Allow machine to reboot.
Rerun the find.bat, and post the log in here.



