
Win32.agent.at/ Smitfraud-c.toolbar888/ Psapianalyzer


  • This topic is locked
21 replies to this topic

#1 Uralten


  • Members
  • 11 posts

Posted 03 June 2007 - 10:30 PM

About a week ago, I caught some kind of malware that I cannot get rid of. I'm not even sure how I caught it...I check AdAware and Spybot almost every day for updates, run scans whenever those programs are updated, use the Immunization feature of Spybot, keep all my Windows patches and updates completely up-to-date, and have current versions of ZoneAlarm's firewall and McAfee's Security Center with VirusScan 11 running on my computer all the time. There's also a router between my computer and the internet. Still, something got through....

I first noticed the problem because Internet Explorer is suffering from pop-ups that take me to various advertising sites. I immediately ran both AdAware and Spybot scans when I first noticed this behavior. AdAware doesn't seem to find much, but SpyBot consistently finds Win32.Agent.at with four sub-entries, the first for a browser helper object, the second for a Class ID, and the last two for Root Classes Psapianalyzer.1 and Psapianalyzer. It was by Googling Psapianalyzer that I found this website.

I followed all the steps in your "Preparation Guide for Use" before posting, except that I did not download a different virus scanner, but just used my installed McAfee instead. Stinger found nothing. When I installed and tried to run HJT, it generated a log file, but also an error message that said that it had generated errors, was being closed by Windows, and would have to be re-started. I rebooted, reinstalled, and tried again, with similar results. However, if I click the button to just run the program, and then from the main program screen click the button to just run a scan (in other words, to just scan, rather than scan and write a log), it will complete the scan without crashing, and that scan looks just like the one created during the crash, but without the running processes section. I suppose that means this is a complete log file, even though it seems way shorter than the other ones I've seen while researching this problem on other web sites.

The only real remedial step I've taken (before seeking expert help, anyway) was to download Registrar Lite and try to take possession of the two Psapianalyzer root-class entries and delete them, but that didn't work. They come back as soon as they are deleted. On some SpyBot scans, it simply removes both of them when I click on the "Fix Problems" button, while on others, it says it cannot do so without a reboot, and asks permission to run on reboot. When that permission is given, SpyBot runs by itself before the desktop loads, finds the same four Win32.Agent.at entries, and claims to have deleted them. A quick check with the registry editor shows they immediately come back.

I also note that there are a couple of new entries in the "System Startup" listing in SpyBot's Tools tab since this has started. They are entries for combd (loading from c:\winnt\inf\combd.dll), hggebaa (loading from hggebaa.dll), and nnlkj (loading from C:\winnt\system32\nnlkj.dll). SpyBot says these are loading from System.ini, but I've looked at my System.ini file and there's no mention of these files (or much of anything else) in there. As with the Psapianalyzer entries that SpyBot finds, when I check these to disable them, new non-disabled ones regenerate on reboot. The underlying files also cannot be deleted, because they are "in use by Windows."

Here is the (maybe partial) log that HJT generated before it crashed. Any suggestions would be greatly appreciated.

Uralten

Logfile of HijackThis v1.99.1
Scan saved at 9:52:26 PM, on 6/3/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Programs\VPN\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\System32\svchost.exe
C:\Programs\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\LxrJD31s.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Programs\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Programs\Utils\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Programs\Utils\FileEx\FileEx.exe
C:\Programs\Utils\Corral\iconcorl.exe
C:\Programs\Utils\KeyText\KeyText.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Programs\Utils\Moon\MoonIcon.exe
C:\System\Mouse\MouseWare\system\em_exec.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Programs\Utils\PassKeep\PassKeep.exe
C:\Programs\Utils\PassKeep\PassKeep.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [InCD] C:\Programs\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programs\Utils\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINNT\system32\xcjdlmen.dll",realset
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: File-Ex.lnk = C:\Programs\Utils\FileEx\FileEx.exe
O4 - Global Startup: Icon Corral.lnk = C:\Programs\Utils\Corral\iconcorl.exe
O4 - Global Startup: KeyText.lnk = C:\Programs\Utils\KeyText\KeyText.exe
O4 - Global Startup: Moon Phase Icon.lnk = C:\Programs\Utils\Moon\MoonIcon.exe
O4 - Global Startup: Password Keeper.lnk = C:\Programs\Utils\PassKeep\PassKeep.exe
O4 - Global Startup: TrayDay.lnk = C:\Programs\Utils\TrayDay\TrayDay.exe
O4 - Global Startup: OnTime.lnk = C:\Programs\OTW\OTWIN.EXE
O4 - Global Startup: VPN Client.lnk = C:\Programs\VPN\ipsecdialer.exe
O4 - Global Startup: Organizer.lnk = C:\Lotus\organize\org6.exe
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\lotus\organize\bandobjs.dll
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programs\VPN\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programs\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
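
Added example (not from this thread or from the HijackThis project): a small Python triage pass over the HijackThis log format posted above. It parses the "O<n> - ..." lines and flags the two patterns a responder checks first in a log like this one: loading points whose file is already gone ("(file missing)") and O2/O4 entries that load a DLL straight out of system32 under a generic all-lowercase name (nnlkj.dll, xcjdlmen.dll). The sample lines are copied from the logs in this thread; the flagging rules are my own heuristics, not a verdict engine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: a handful of lines copied from the HijackThis logs posted in this
# thread. The "[Genuine]" rundll32 entry (xcjdlmen.dll) and the nnlkj.dll BHO are the entries
# that VundoFix later deleted; the SpyBot, NVIDIA and ZoneAlarm lines are legitimate controls.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programs\Utils\SpyBot\SDHelper.dll
O2 - BHO: (no name) - {C3231A73-A39D-47BE-A08F-A7B937A6F30B} - C:\WINNT\system32\nnlkj.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programs\Utils\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINNT\system32\xcjdlmen.dll",realset
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
"""

# Every HijackThis finding is "O<n> - <body>"; header lines and the process list do not match.
HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path in the body that ends in a loadable module. Lazy, so it stops at the
# first extension; the excluded characters keep it from swallowing a closing quote.
MODULE_PATH = re.compile(r'([A-Za-z]:\\[^"<>|?*]+?\.(?:exe|dll|ocx|sys))\b', re.IGNORECASE)
# A file sitting directly in the Windows system directory (no further subfolder).
SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\(?:WINNT|WINDOWS)\\system32\\[^\\]+$", re.IGNORECASE)


@dataclass
class Entry:
    section: str            # "O2", "O4", "O23", ...
    body: str               # everything after "O<n> - "
    path: Optional[str]     # module path extracted from the body, if any
    file_missing: bool      # HijackThis appends "(file missing)" to orphaned loading points


def parse_hjt(text: str) -> List[Entry]:
    """Turn the O-lines of a HijackThis log into Entry records."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        pm = MODULE_PATH.search(body)
        entries.append(Entry(section, body, pm.group(1) if pm else None,
                             "(file missing)" in body))
    return entries


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, path-or-body, reason) for entries that deserve a closer look.

    Both rules are heuristics for prioritising review, not verdicts: an orphaned loading
    point is dead weight whatever it once pointed at, and a DLL dropped straight into
    system32 under a generic all-lowercase name is what the entries in this thread looked like.
    """
    findings: List[Tuple[str, str, str]] = []
    for e in parse_hjt(text):
        if e.file_missing:
            findings.append((e.section, e.path or e.body,
                             "loading point references a file that no longer exists"))
        if e.section in ("O2", "O4") and e.path and SYSTEM_DIR.match(e.path):
            stem = e.path.rsplit("\\", 1)[1].rsplit(".", 1)[0]
            if e.path.lower().endswith(".dll") and stem.isalpha() and stem.islower():
                findings.append((e.section, e.path,
                                 "DLL loaded directly from system32 under a generic "
                                 "lowercase name; check its publisher and signature"))
    return findings


if __name__ == "__main__":
    for section, where, reason in triage(SAMPLE_LOG):
        print(f"{section:<4} {where}\n     -> {reason}")
```

On the sample above the legitimate SpyBot, NVIDIA and ZoneAlarm entries pass untouched, while nnlkj.dll is flagged twice (orphaned and generic-name), xcjdlmen.dll once, and the WinPcap rpcapd service once for its missing file.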



#2 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 04 June 2007 - 02:32 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Uralten :thumbsup:

My name is Richie and I'll be helping you to fix your problems.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

**************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


**************************

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to xyz.bat
Double click on xyz.bat (which is still Hijackthis.exe), post that log into your next reply please.

#3 Uralten

  • Topic Starter

  • Members
  • 11 posts

Posted 04 June 2007 - 10:53 AM

Hey, Richie, thanks for the welcome, and for the help!

I followed the steps you suggested, and things seem to have gone well generally, but there were a few glitches. While I don't know if they are significant, I'll tell you about them anyway, and let YOU decide, since you're the one who knows what he's doing. :-)

When I ran VundoFix.exe, it scanned, listed about fifteen located files, and began the deletion process. Right before the reboot, it gave an error message saying something along the lines of "Cannot import c:\vundofix.reg," which it attributed to a possible disk or hardware error. My hard drives are only about two months old, and have never produced any error messages or Event Viewer entries in that time. After the reboot, VundoFix did NOT restart, so I assume that means it successfully deleted all the files. My Event Viewer does show an entry stating "The VundoFix Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: No action."

When I ran ComboFix.exe, the experience was similar. It appeared to run fine, but then generated two error messages. The first one said that my maximum registry file size was set too low...even though, when I checked it later, the maximum was set to 54 megs and the actual size was only 31 megs. My Event Viewer does show an entry stating "Application popup: Windows - Low On Registry Space : Your maximum registry size is too small. To ensure that Windows runs properly, increase your maximum registry size. For more information, see Help." The other error message appeared in a window with "Registry Editor" in the title bar and the message "Cannot import creg.cf. Error in accessing the registry." ComboFix also did not create a log file, but after a while, it DID display a log in Notepad, which I saved as ComboFixLog.txt. My Event Viewer does show an entry stating "The combofix service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion."

When I renamed HJT to xyz.bat and ran it by clicking the scan + log button, it actually ran to completion (the first time it has done so on my computer).

I have not done any checking to see if my computer is now running correctly, but I did notice that, when IE started to allow me to make this posting, ONLY this one instance started, and there were no extra IE windows with ads in them. That's promising! :-)

Here are the log files you requested:

1. VundoFix.txt

VundoFix V6.4.2

Checking Java version...

Sun Java not detected
Scan started at 9:52:53 AM 6/4/2007

Listing files found while scanning....

c:\winnt\inf\comdb.dll
C:\WINNT\system32\ddcwkdqw.dll
C:\WINNT\system32\fiqqmibr.dll
C:\WINNT\system32\hggebaa.dll
C:\WINNT\system32\jkblhvcs.dll
C:\WINNT\system32\jklnn.bak1
C:\WINNT\system32\jklnn.bak2
C:\WINNT\system32\jklnn.ini
C:\WINNT\system32\khfecdc.dll
C:\WINNT\system32\nemldjcx.ini
C:\WINNT\system32\nnlkj.dll
C:\WINNT\system32\urqoomm.dll
C:\WINNT\system32\utstv.ini
C:\WINNT\system32\vtstu.dll
C:\WINNT\system32\xcjdlmen.dll

Beginning removal...

Attempting to delete c:\winnt\inf\comdb.dll
c:\winnt\inf\comdb.dll Has been deleted!

Attempting to delete C:\WINNT\system32\fiqqmibr.dll
C:\WINNT\system32\fiqqmibr.dll Has been deleted!

Attempting to delete C:\WINNT\system32\hggebaa.dll
C:\WINNT\system32\hggebaa.dll Has been deleted!

Attempting to delete C:\WINNT\system32\jkblhvcs.dll
C:\WINNT\system32\jkblhvcs.dll Has been deleted!

Attempting to delete C:\WINNT\system32\jklnn.bak1
C:\WINNT\system32\jklnn.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\jklnn.bak2
C:\WINNT\system32\jklnn.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\jklnn.ini
C:\WINNT\system32\jklnn.ini Has been deleted!

Attempting to delete C:\WINNT\system32\khfecdc.dll
C:\WINNT\system32\khfecdc.dll Has been deleted!

Attempting to delete C:\WINNT\system32\nemldjcx.ini
C:\WINNT\system32\nemldjcx.ini Has been deleted!

Attempting to delete C:\WINNT\system32\nnlkj.dll
C:\WINNT\system32\nnlkj.dll Has been deleted!

Attempting to delete C:\WINNT\system32\urqoomm.dll
C:\WINNT\system32\urqoomm.dll Has been deleted!

Attempting to delete C:\WINNT\system32\utstv.ini
C:\WINNT\system32\utstv.ini Has been deleted!

Attempting to delete C:\WINNT\system32\vtstu.dll
C:\WINNT\system32\vtstu.dll Has been deleted!

Attempting to delete C:\WINNT\system32\xcjdlmen.dll
C:\WINNT\system32\xcjdlmen.dll Has been deleted!

Performing Repairs to the registry.
Done!

2. ComboFixLog.txt

"Uralten" - 06/04/2007 10:09:35 Service Pack 4
ComboFix 07-06-4 - Running from: "C:\Documents and Settings\Uralten\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINNT\system32\wxkpaemi.exe

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\URALTEN\APPLIC~1.\macromedia\Flash Player\#SharedObjects\KZP9DMAU\www.broadcaster.com
C:\DOCUME~1\URALTEN\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINNT\inf\ntp2.ini
C:\WINNT\system32\drivers\npf.sys
C:\WINNT\system32\packet.dll
C:\WINNT\system32\pthreadVC.dll
C:\WINNT\system32\wanpacket.dll
C:\WINNT\system32\wpcap.dll

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_NM
-------\LEGACY_NPF
-------\nm
-------\NPF

((((((((((((((((((((((((( Files Created from 2007-05-04 to 2007-06-04 )))))))))))))))))))))))))))))))

2007-06-04 10:13 <DIR> d-------- C:\Temp\3.tmp
2007-06-04 09:52 <DIR> d-------- C:\VundoFix Backups
2007-06-03 19:33 2,580 --a------ C:\WINNT\system32\cuqnogoh.exe
2007-06-01 21:47 2,580 --a------ C:\WINNT\system32\ljpdyexr.exe
2007-06-01 11:22 <DIR> d-------- C:\Program Files\Registrar Lite
2007-05-24 20:32 69,824 --a------ C:\WINNT\system32\drivers\LxrJD31d.sys
2007-05-24 20:32 61,440 --a------ C:\WINNT\system32\LxrJD20Sat.dll
2007-05-24 20:32 53,248 --a------ C:\WINNT\system32\LxrJD31s.exe
2007-05-24 20:32 249,856 --a------ C:\WINNT\system32\LxrJD31.dll
2007-05-24 20:32 167,936 --a------ C:\WINNT\system32\LxrJD31c.exe
2007-05-24 20:32 146,432 --a------ C:\WINNT\system32\LxrJD31p.exe
2007-05-10 09:36 <DIR> d-------- C:\WINNT\nview
2007-05-10 09:31 176,128 --a------ C:\WINNT\system32\nvudisp.exe
2007-05-10 09:18 208,896 --a------ C:\WINNT\system32\NVUNINST.EXE
2007-05-09 09:55 1,632 --a------ C:\WINNT\system32\d3d8caps.dat

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-23 23:18:56 1,744 ----a-w C:\WINNT\system32\d3d9caps.dat
2007-04-09 14:46:06 -------- d-----w C:\Program Files\VIA Technologies, Inc
2007-04-05 14:48:36 4,212 ---h--w C:\WINNT\system32\zllictbl.dat
2007-04-05 07:17:40 2,854,400 ----a-w C:\WINNT\system32\msi.dll
2007-03-13 09:44:50 245,520 ----a-w C:\WINNT\system32\WINSRV.DLL
2007-03-09 05:02:00 75,512 ----a-w C:\WINNT\zllsputility.exe
2007-03-09 05:01:42 1,087,216 ----a-w C:\WINNT\system32\zpeng24.dll
2007-03-06 11:17:48 381,200 ----a-w C:\WINNT\system32\USER32.DLL
2007-03-06 11:17:46 38,160 ----a-w C:\WINNT\system32\mf3216.dll
2007-03-06 11:17:46 235,280 ----a-w C:\WINNT\system32\GDI32.DLL
2007-03-06 06:12:22 1,641,936 ----a-w C:\WINNT\system32\WIN32K.SYS

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [06-12-18 04:16 ]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Programs\Utils\SpyBot\SDHelper.dll [05-05-31 01:04 ]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll [06-12-22 16:02 ]
{C3231A73-A39D-47BE-A08F-A7B937A6F30B}=C:\WINNT\system32\nnlkj.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [03-12-17 09:50 C:\WINNT\LOGI_MWX.EXE]
"InCD"="C:\Programs\Ahead\InCD\InCD.exe" [04-08-27 02:01 ]
"Tweak UI"="TWEAKUI.CPL" [96-11-08 14:33 C:\WINNT\system32\TWEAKUI.CPL]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [05-12-04 16:38 ]
"Synchronization Manager"="mobsync.exe" [03-06-19 13:05 C:\WINNT\system32\mobsync.exe]
"ZoneAlarm Client"="C:\Programs\Utils\ZoneAlarm\zlclient.exe" [07-03-09 00:02 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\WEATHER.exe" [06-01-06 09:57 ]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [06-11-07 09:29 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=00000000
"NoStartBanner"=01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"=RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the 'Scheduled Tasks' folder
2007-05-21 15:42:02 C:\WINNT\tasks\AppleSoftwareUpdate.job
2007-06-02 00:05:32 C:\WINNT\tasks\Daily.job
2007-06-02 00:15:14 C:\WINNT\tasks\Outlook.job
2007-05-30 00:30:38 C:\WINNT\tasks\System State.job
2007-05-31 22:25:30 C:\WINNT\tasks\CD-RW Backup.job
2007-05-30 00:45:12 C:\WINNT\tasks\Identities.job
2007-06-01 18:00:14 C:\WINNT\tasks\McQcTask.job

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINNT\system32\wxkpaemi.exe

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\URALTEN\APPLIC~1.\macromedia\Flash Player\#SharedObjects\KZP9DMAU\www.broadcaster.com
C:\DOCUME~1\URALTEN\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINNT\inf\ntp2.ini
C:\WINNT\system32\drivers\npf.sys
C:\WINNT\system32\packet.dll
C:\WINNT\system32\pthreadVC.dll
C:\WINNT\system32\wanpacket.dll
C:\WINNT\system32\wpcap.dll

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_NM
-------\LEGACY_NPF
-------\nm
-------\NPF

((((((((((((((((((((((((( Files Created from 2007-05-04 to 2007-06-04 )))))))))))))))))))))))))))))))

2007-06-04 10:14 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_760.dat

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-23 23:18:56 1,744 ----a-w C:\WINNT\system32\d3d9caps.dat
2007-04-09 14:46:06 -------- d-----w C:\Program Files\VIA Technologies, Inc
2007-04-05 14:48:36 4,212 ---h--w C:\WINNT\system32\zllictbl.dat
2007-04-05 07:17:40 2,854,400 ----a-w C:\WINNT\system32\msi.dll
2007-03-13 09:44:50 245,520 ----a-w C:\WINNT\system32\WINSRV.DLL
2007-03-09 05:02:00 75,512 ----a-w C:\WINNT\zllsputility.exe
2007-03-09 05:01:42 1,087,216 ----a-w C:\WINNT\system32\zpeng24.dll
2007-03-06 11:17:48 381,200 ----a-w C:\WINNT\system32\USER32.DLL
2007-03-06 11:17:46 38,160 ----a-w C:\WINNT\system32\mf3216.dll
2007-03-06 11:17:46 235,280 ----a-w C:\WINNT\system32\GDI32.DLL
2007-03-06 06:12:22 1,641,936 ----a-w C:\WINNT\system32\WIN32K.SYS

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [06-12-18 04:16 ]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Programs\Utils\SpyBot\SDHelper.dll [05-05-31 01:04 ]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll [06-12-22 16:02 ]
{C3231A73-A39D-47BE-A08F-A7B937A6F30B}=C:\WINNT\system32\nnlkj.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [03-12-17 09:50 C:\WINNT\LOGI_MWX.EXE]
"InCD"="C:\Programs\Ahead\InCD\InCD.exe" [04-08-27 02:01 ]
"Tweak UI"="TWEAKUI.CPL" [96-11-08 14:33 C:\WINNT\system32\TWEAKUI.CPL]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [05-12-04 16:38 ]
"Synchronization Manager"="mobsync.exe" [03-06-19 13:05 C:\WINNT\system32\mobsync.exe]
"ZoneAlarm Client"="C:\Programs\Utils\ZoneAlarm\zlclient.exe" [07-03-09 00:02 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\WEATHER.exe" [06-01-06 09:57 ]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [06-11-07 09:29 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=00000000
"NoStartBanner"=01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"=RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the 'Scheduled Tasks' folder
2007-05-21 15:42:02 C:\WINNT\tasks\AppleSoftwareUpdate.job
2007-06-02 00:05:32 C:\WINNT\tasks\Daily.job
2007-06-02 00:15:14 C:\WINNT\tasks\Outlook.job
2007-05-30 00:30:38 C:\WINNT\tasks\System State.job
2007-05-31 22:25:30 C:\WINNT\tasks\CD-RW Backup.job
2007-05-30 00:45:12 C:\WINNT\tasks\Identities.job
2007-06-01 18:00:14 C:\WINNT\tasks\McQcTask.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-04 10:20:01
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-04 10:20:27 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-06-04 10:20

--- E O F ---

3. HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 10:22:24 AM, on 6/4/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Programs\VPN\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\System32\svchost.exe
C:\Programs\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\LxrJD31s.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\system32\CMD.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\ComboFix\19593.cfexe
C:\Programs\Ahead\InCD\InCD.exe
C:\System\Mouse\MouseWare\system\em_exec.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Programs\Utils\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Programs\Utils\FileEx\FileEx.exe
C:\Programs\Utils\Corral\iconcorl.exe
C:\Programs\Utils\KeyText\KeyText.exe
C:\Programs\Utils\Moon\MoonIcon.exe
C:\Programs\Utils\PassKeep\PassKeep.exe
C:\Programs\Utils\TrayDay\TrayDay.exe
C:\Programs\Utils\PassKeep\PassKeep.exe
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\WINNT\system32\CHKDSK.EXE
C:\ComboFix\sed.cfexe
C:\WINNT\system32\CMD.EXE
C:\WINNT\system32\findstr.exe
C:\ComboFix\sed.cfexe
C:\Program Files\HijackThis\xyz.bat

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programs\Utils\SpyBot\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {C3231A73-A39D-47BE-A08F-A7B937A6F30B} - C:\WINNT\system32\nnlkj.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [InCD] C:\Programs\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programs\Utils\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: File-Ex.lnk = C:\Programs\Utils\FileEx\FileEx.exe
O4 - Global Startup: Icon Corral.lnk = C:\Programs\Utils\Corral\iconcorl.exe
O4 - Global Startup: KeyText.lnk = C:\Programs\Utils\KeyText\KeyText.exe
O4 - Global Startup: Moon Phase Icon.lnk = C:\Programs\Utils\Moon\MoonIcon.exe
O4 - Global Startup: Password Keeper.lnk = C:\Programs\Utils\PassKeep\PassKeep.exe
O4 - Global Startup: TrayDay.lnk = C:\Programs\Utils\TrayDay\TrayDay.exe
O4 - Global Startup: OnTime.lnk = C:\Programs\OTW\OTWIN.EXE
O4 - Global Startup: VPN Client.lnk = C:\Programs\VPN\ipsecdialer.exe
O4 - Global Startup: Organizer.lnk = C:\Lotus\organize\org6.exe
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\lotus\organize\bandobjs.dll
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programs\VPN\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programs\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

#4 RichieUK (Malware Assassin, Malware Response Team)

Posted 04 June 2007 - 11:36 AM

Please download the OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINNT\system32\cuqnogoh.exe
C:\WINNT\system32\ljpdyexr.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

********************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {C3231A73-A39D-47BE-A08F-A7B937A6F30B} - C:\WINNT\system32\nnlkj.dll (file missing)

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.

Post the AVG Anti-Spyware report and a new HijackThis log into your next reply.
Let me know how your pc is running now please.


#5 Uralten (Topic Starter, Members)

Posted 04 June 2007 - 07:24 PM

Hey, Richie, I tried to follow your most recent instructions, but again was plagued with some glitches. Here's what happened.

Step One: Downloaded OTMoveIt, copied two paths into it as you suggested, clicked the MoveIt! button, and got an indication that the move was successful. Closed OTMoveIt without a reboot, since it did not indicate these files could not be moved. A search with Windows Search shows the only two instances of the two moved files are now in C:\_OtMoveIt\MovedFiles\Winnt\System 32. They are no longer in my System32 folder.

Step Two: Downloaded AVG Anti-Spyware 7.5, completed all the updates and scanner settings you suggested without any problems. I now have an AVG icon in my system tray, and the roll-over message says it was last updated 6/4/07 (today).

Step Three: Reboot into safe mode. I was unable to complete this step. I can get to the F8 menu without any problems, and selected straight Safe Mode (without any network or command-prompt-only choices), which immediately led to a BSOD with the Stop Error 0xA and the message "IRQL_NOT_LESS_OR_EQUAL." I wrote down all the hex numbers, but doubt you'd find them helpful (although I can post them if you'd like). The actual error message was "Address 80464199, base at 84=0400000, Date Stamp 45ec3c8f -- ntoskern.exe." I tried booting into Safe Mode a second time, and got the exact same BSOD at the same point.

Step Four: I tried a normal boot, just to see if my machine was really dead, and (to my mild surprise) it booted into Windows without a hiccup. I then returned to the forum to begin writing this post. Because I was unable to get into Safe Mode, I was unable to run HJT or AVG while there.

Step Five: Just for fun, I went ahead and ran HJT again (as xyz.bat) while running regular Windows, and created a new log file, which is attached below. The entry you wanted me to fix while running HJT in safe mode (the BHO for the missing nnlkj.dll) is still there.

While my computer was running over the course of the day, it appeared that all of my pop-up problems were gone. I ran another SpyBot scan, and for the first time since this problem started, it did NOT find anything related to Win32.Agent.At. I also verified with Registry Editor that the two Psapianalyzer entries that formerly could not be deleted are gone.

Finally, while trying to clean up some of the files that were left scattered on my hard drive by this morning's efforts, but before starting the tasks detailed in this post, I noticed that there was a folder named C:\ComboFix, and when I tried to move it to a new "Virus" subdirectory I created to keep all of this stuff in one place, I got an error message that one file in the ComboFix directory (fatRK.cf) could not be moved because it was in use by Windows. Now that I've completed the steps outlined in this post, I was able to move that file to its new home (C:\Programs\Utils\Virus\ComboFix) without any error messages. I don't know if this is relevant to anything, but thought I'd tell you about it.

That's about all I can report at this time. Please let me know if you'd like for me to perform any other steps, or if you have any ideas about why my computer does not want to boot into Safe Mode. Thanks again for all your help, which IS making noticeable improvements!

HJT Log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 7:02:22 PM, on 6/4/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Programs\VPN\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\Programs\Ahead\InCD\InCDsrv.exe
C:\WINNT\system32\LxrJD31s.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\System\Mouse\MouseWare\system\em_exec.exe
C:\Programs\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Programs\Utils\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\AIM6\aim6.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Programs\Utils\FileEx\FileEx.exe
C:\Programs\Utils\Corral\iconcorl.exe
C:\Programs\Utils\KeyText\KeyText.exe
C:\Programs\Utils\Moon\MoonIcon.exe
C:\Programs\Utils\PassKeep\PassKeep.exe
C:\Programs\Utils\TrayDay\TrayDay.exe
C:\WINNT\system32\ntvdm.exe
C:\Programs\Utils\PassKeep\PassKeep.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Programs\Utils\Virus\HiJack\xyz.bat

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programs\Utils\SpyBot\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {C3231A73-A39D-47BE-A08F-A7B937A6F30B} - C:\WINNT\system32\nnlkj.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [InCD] C:\Programs\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programs\Utils\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: File-Ex.lnk = C:\Programs\Utils\FileEx\FileEx.exe
O4 - Global Startup: Icon Corral.lnk = C:\Programs\Utils\Corral\iconcorl.exe
O4 - Global Startup: KeyText.lnk = C:\Programs\Utils\KeyText\KeyText.exe
O4 - Global Startup: Moon Phase Icon.lnk = C:\Programs\Utils\Moon\MoonIcon.exe
O4 - Global Startup: Password Keeper.lnk = C:\Programs\Utils\PassKeep\PassKeep.exe
O4 - Global Startup: TrayDay.lnk = C:\Programs\Utils\TrayDay\TrayDay.exe
O4 - Global Startup: OnTime.lnk = C:\Programs\OTW\OTWIN.EXE
O4 - Global Startup: VPN Client.lnk = C:\Programs\VPN\ipsecdialer.exe
O4 - Global Startup: Organizer.lnk = C:\Lotus\organize\org6.exe
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\lotus\organize\bandobjs.dll
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programs\VPN\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programs\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

#6 RichieUK (Malware Assassin, Malware Response Team)

Posted 05 June 2007 - 06:55 AM

Step Three: Reboot into safe mode. I was unable to complete this step. I can get to the F8 menu without any problems, and selected straight Safe Mode (without any network or command-prompt-only choices), which immediately led to a BSOD with the Stop Error 0xA and the message "IRQL_NOT_LESS_OR_EQUAL." I wrote down all the hex numbers, but doubt you'd find them helpful (although I can post them if you'd like). The actual error message was "Address 80464199, base at 84=0400000, Date Stamp 45ec3c8f -- ntoskern.exe." I tried booting into Safe Mode a second time, and got the exact same BSOD at the same point.

Your problem here is Nero InCD; you need to visit the Nero/Ahead website and download/install the latest version of InCD.

****************************

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {C3231A73-A39D-47BE-A08F-A7B937A6F30B} - C:\WINNT\system32\nnlkj.dll (file missing)

****************************

Double click on combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.

Also post a new HijackThis log please.

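
The checks the helper applies by hand in replies #4 and #6 (tick the O2 BHO whose DLL is "(file missing)", look twice at services with no vendor information) can be written down as a small triage pass over HijackThis 1.99.x log lines. The script below is an added example for this thread; it is not a BleepingComputer, HijackThis or Malware Response Team tool, and HijackThis itself makes no such judgement. It parses O2 (BHO), O4 (Run / Global Startup) and O23 (Service) lines into records, flags dead loading points, unnamed BHOs and services with "Unknown owner", and prints the exact lines to check under 'Fix checked'. The sample lines are copied from the HijackThis log posted in reply #5. Two things are assumptions made for the example: the allowlist of known-good BHO CLSIDs is simply the three BHOs in that log which the helper left alone, and the "random-looking name" rule (letters-only lowercase stem, five or more characters, no vowel, the shape of nnlkj.dll) is a heuristic that also matches legitimate short names such as cvpnd.exe, so it is consulted only where an entry carries no vendor or product name to vouch for it.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Lines copied from the HijackThis log posted in reply #5 of this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programs\Utils\SpyBot\SDHelper.dll
O2 - BHO: (no name) - {C3231A73-A39D-47BE-A08F-A7B937A6F30B} - C:\WINNT\system32\nnlkj.dll (file missing)
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programs\Utils\ZoneAlarm\zlclient.exe"
O4 - Global Startup: VPN Client.lnk = C:\Programs\VPN\ipsecdialer.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programs\VPN\cvpnd.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# Assumed allowlist for the example: the BHO CLSIDs in the posted log that the helper left in place.
KNOWN_GOOD_BHO = {
    "06849E9F-C8D7-4D59-B87D-784B7D6BE0B3",  # Adobe PDF Reader Link Helper
    "53707962-6F74-2D53-2644-206D7942484F",  # Spybot S&D SDHelper.dll
    "7DB2D5A0-7241-4E79-B68D-6309F01C5231",  # McAfee scriptproxy
}
MISSING = "(file missing)"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<cmd>.*)$")
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4S_RE = re.compile(r"^O4 - Global Startup: (?P<name>.*?\.lnk) = (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<vendor>.*?) - (?P<cmd>.*)$")


@dataclass
class Finding:
    section: str   # O2 / O4 / O23
    verdict: str   # FIX: tick it in HijackThis; REVIEW: confirm before acting
    reason: str
    line: str      # the exact log line, as the helper posts it in a fix list


def split_missing(cmd: str) -> Tuple[str, bool]:
    """Strip HijackThis's '(file missing)' marker and report whether it was present."""
    if cmd.endswith(MISSING):
        return cmd[: -len(MISSING)].rstrip(), True
    return cmd, False


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def binary_path(cmd: str) -> str:
    """Extract the module a Run/Service command actually loads."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, arguments follow
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:                                         # unquoted: stop at the first module extension
        m = re.match(r'(.+?\.(?:exe|dll|ocx|cpl))(?:[\s",]|$)', cmd, re.IGNORECASE)
        path = m.group(1) if m else cmd.split()[0]
    if basename(path).lower() == "rundll32.exe":  # rundll32 is only a host; assess its payload
        path = cmd[len(path):].strip().split(",")[0].strip().strip('"')
    return path


def looks_random(name: str) -> bool:
    """Heuristic only: lowercase letters-only stem, 5+ chars, no vowel (the nnlkj.dll shape).
    Legitimate short names such as cvpnd.exe also match, so triage() consults it only
    where the entry carries no vendor or product name to vouch for it."""
    stem = name.rsplit(".", 1)[0]
    return len(stem) >= 5 and stem.isalpha() and stem.islower() and not set(stem) & set("aeiou")


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in (raw.rstrip() for raw in log_text.splitlines()):
        if m := O2_RE.match(line):
            path, missing = split_missing(m["cmd"])
            reasons = ["BHO DLL is missing on disk (dead loading point)"] if missing else []
            if m["clsid"].upper() not in KNOWN_GOOD_BHO:
                if m["name"] == "(no name)":
                    reasons.append("BHO registered without a name")
                if looks_random(basename(path)):
                    reasons.append("random-looking DLL name (heuristic)")
            if reasons:
                findings.append(Finding("O2", "FIX" if missing else "REVIEW", "; ".join(reasons), line))
        elif (m := O4_RE.match(line)) or (m := O4S_RE.match(line)):
            cmd, missing = split_missing(m["cmd"])
            reasons = ["autostart target is missing on disk"] if missing else []
            if looks_random(basename(binary_path(cmd))):   # O4 lines carry no vendor field
                reasons.append("random-looking binary name (heuristic)")
            if reasons:
                findings.append(Finding("O4", "REVIEW", "; ".join(reasons), line))
        elif m := O23_RE.match(line):
            cmd, missing = split_missing(m["cmd"])
            reasons = ["service binary is missing on disk"] if missing else []
            if m["vendor"] == "Unknown owner":
                reasons.append("binary carries no vendor version info")
                if looks_random(basename(binary_path(cmd))):
                    reasons.append("random-looking binary name (heuristic)")
            if reasons:
                findings.append(Finding("O23", "REVIEW", "; ".join(reasons), line))
    return findings


def fix_list(findings: List[Finding]) -> List[str]:
    """The lines to tick under 'Fix checked', in the form the helper posts them."""
    return [f.line for f in findings if f.verdict == "FIX"]


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.verdict:6} {f.section:3} {f.reason}\n       {f.line}")
    print("\nHave HijackThis fix the following:")
    print("\n".join(fix_list(results)))
```

Run against the nine sample lines, the script returns one FIX (the nnlkj.dll BHO, which is exactly the line the helper lists) and two REVIEW entries (the Lexar and WinPcap services, both "Unknown owner", the latter also dead on disk). It raises nothing for the Adobe, Spybot and ZoneAlarm entries, and it deliberately does not touch the Cisco service even though cvpnd.exe would trip the name heuristic, because that heuristic is gated behind the absence of vendor information. A REVIEW verdict is a prompt to look the binary up, not a removal instruction.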

#7 Uralten (Topic Starter, Members)

Posted 05 June 2007 - 12:38 PM

Hey, Richie, I guess I owe you an apology! I'm usually very good about keeping all the software on my computer up-to-date, but once I started using iTunes to manage my digital music, I quit using Nero for anything but data-file management, and because I wasn't using it regularly, I never thought to keep it updated. As you stated, my out-of-date InCD program was the source of my inability to boot into Safe Mode. For now, I simply deleted InCD altogether, and will reinstall the new version (which I've downloaded already) once we get done fixing everything else that's wrong. Again, I'm sorry I came into the forum "unprepared" by virtue of having outdated software.

Once I could successfully boot into Safe Mode, I performed (or, at least, tried to perform) the steps you recommended be done in Safe Mode yesterday. I was able to run HJT in Safe Mode and delete the BHO entry for nnlkj.dll. When I tried to run AVG A-S, however, I got a pop-up box with the title "AVG Anti-Spyware 7.5 Error" and the message "Connection to Service Failed. Please reinstall AVG Anti-Spyware 7.5." I then rebooted into Safe Mode with Network Support, thinking perhaps A-S wanted to verify its data files were up to date, but got the same message again. Reinstalling while in regular Windows, updating again, and returning to Safe Mode didn't change anything.

I then rebooted normally and ran A-S under regular Windows, to see if it would find anything. After doing fully updated Ad-Aware, SpyBot, and McAfee VirusScan scans last night, A-S found 51 entries. Although I had it configured to automatically generate a report after every scan, regardless of whether threats were found, it does not appear to have done so. At least, if there's a report file somewhere, it is not in the "Reports" tab of the program, or in the program subdirectories on my hard drive, or in my root directory. Most of the detections were cookies, but there was one low-risk restart counter in my Tools subdirectory, plus two high-risk Trojans, Trojan.Agent.anr and Backdoor.Backattack.15. The two Trojans were found in the OTMoveIt! folder, and are the two files we moved out of my C:\winnt\system\32 folder yesterday. The cookies were deleted by A-S, and everything else was quarantined.

Per your instructions, I then ran ComboFix.exe and HJT (as xyz.bat) again, and attach their respective log files below. As I reported yesterday, my original popup problem appears to be totally fixed at this point, and as far as I can tell, my computer seems to be running fine.

Please let me know what else you believe I need to do. I must say that I am very impressed by your ability to diagnose my out-of-date InCD problem, which I would NEVER have thought to check! :-) And, of course, thanks again for all your help and patience!

ComboFix Log:

"Uralten" - 06/05/2007 10:36:43 Service Pack 4
ComboFix 07-06-4 - Running from: "C:\Programs\Utils\Virus\Vundo\ComboFix\"

((((((((((((((((((((((((( Files Created from 2007-05-05 to 2007-06-05 )))))))))))))))))))))))))))))))

2007-06-05 10:30 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_548.dat
2007-06-05 10:29 <DIR> d-------- C:\Temp\7.tmp
2007-06-05 10:17 <DIR> d-------- C:\Temp\6.tmp
2007-06-05 09:49 <DIR> d-------- C:\Temp\5.tmp
2007-06-05 09:10 <DIR> d-------- C:\Temp\4.tmp
2007-06-04 18:46 <DIR> d-------- C:\Temp\3.tmp
2007-06-04 18:35 10,872 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2007-06-04 10:20 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-01 11:22 <DIR> d-------- C:\Program Files\Registrar Lite
2007-05-24 20:32 69,824 --a------ C:\WINNT\system32\drivers\LxrJD31d.sys
2007-05-24 20:32 61,440 --a------ C:\WINNT\system32\LxrJD20Sat.dll
2007-05-24 20:32 53,248 --a------ C:\WINNT\system32\LxrJD31s.exe
2007-05-24 20:32 249,856 --a------ C:\WINNT\system32\LxrJD31.dll
2007-05-24 20:32 167,936 --a------ C:\WINNT\system32\LxrJD31c.exe
2007-05-24 20:32 146,432 --a------ C:\WINNT\system32\LxrJD31p.exe
2007-05-10 09:36 <DIR> d-------- C:\WINNT\nview
2007-05-10 09:31 176,128 --a------ C:\WINNT\system32\nvudisp.exe
2007-05-10 09:18 208,896 --a------ C:\WINNT\system32\NVUNINST.EXE
2007-05-09 09:55 1,632 --a------ C:\WINNT\system32\d3d8caps.dat

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-23 23:18:56 1,744 ----a-w C:\WINNT\system32\d3d9caps.dat
2007-04-09 14:46:06 -------- d-----w C:\Program Files\VIA Technologies, Inc
2007-04-05 14:48:36 4,212 ---h--w C:\WINNT\system32\zllictbl.dat
2007-04-05 07:17:40 2,854,400 ----a-w C:\WINNT\system32\msi.dll
2007-03-13 09:44:50 245,520 ----a-w C:\WINNT\system32\WINSRV.DLL
2007-03-09 05:02:00 75,512 ----a-w C:\WINNT\zllsputility.exe
2007-03-09 05:01:42 1,087,216 ----a-w C:\WINNT\system32\zpeng24.dll
2007-03-06 11:17:48 381,200 ----a-w C:\WINNT\system32\USER32.DLL
2007-03-06 11:17:46 38,160 ----a-w C:\WINNT\system32\mf3216.dll
2007-03-06 11:17:46 235,280 ----a-w C:\WINNT\system32\GDI32.DLL
2007-03-06 06:12:22 1,641,936 ----a-w C:\WINNT\system32\WIN32K.SYS

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [12/18/06 04:16a]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Programs\Utils\SpyBot\SDHelper.dll [05/31/05 01:04a]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll [12/22/06 04:02p]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [12/17/03 09:50a C:\WINNT\LOGI_MWX.EXE]
"Tweak UI"="TWEAKUI.CPL" [11/08/96 02:33p C:\WINNT\system32\TWEAKUI.CPL]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [12/04/05 04:38p]
"Synchronization Manager"="mobsync.exe" [06/19/03 01:05p C:\WINNT\system32\mobsync.exe]
"ZoneAlarm Client"="C:\Programs\Utils\ZoneAlarm\zlclient.exe" [03/09/07 12:02a]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [05/30/07 07:30a]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\WEATHER.exe" [01/06/06 09:57a]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [11/07/06 09:29a]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=00000000
"NoStartBanner"=01000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [05/30/07 07:29a]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvMediaCenter"=RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the 'Scheduled Tasks' folder
2007-06-04 15:42:02 C:\WINNT\tasks\AppleSoftwareUpdate.job
2007-06-05 00:05:26 C:\WINNT\tasks\Daily.job
2007-06-05 00:15:14 C:\WINNT\tasks\Outlook.job
2007-05-30 00:30:38 C:\WINNT\tasks\System State.job
2007-05-31 22:25:30 C:\WINNT\tasks\CD-RW Backup.job
2007-05-30 00:45:12 C:\WINNT\tasks\Identities.job
2007-06-01 18:00:14 C:\WINNT\tasks\McQcTask.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-05 10:37:56
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Files hidden from API:
C:\WINNT\?
C:\WINNT\?
C:\WINNT\E
C:\WINNT\?

Completion time: 06/05/2007 10:39:25

--- E O F ---

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:04:29 PM, on 6/5/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Programs\VPN\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LxrJD31s.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\System\Mouse\MouseWare\system\em_exec.exe
C:\Programs\Utils\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\AIM6\aim6.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Programs\Utils\FileEx\FileEx.exe
C:\Programs\Utils\Corral\iconcorl.exe
C:\Programs\Utils\KeyText\KeyText.exe
C:\Programs\Utils\Moon\MoonIcon.exe
C:\Programs\Utils\PassKeep\PassKeep.exe
C:\Programs\Utils\TrayDay\TrayDay.exe
C:\Programs\Utils\PassKeep\PassKeep.exe
C:\Lotus\organize\org6.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Programs\Utils\Virus\HiJack\xyz.bat

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programs\Utils\SpyBot\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programs\Utils\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Outlook Express.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Global Startup: File-Ex.lnk = C:\Programs\Utils\FileEx\FileEx.exe
O4 - Global Startup: Icon Corral.lnk = C:\Programs\Utils\Corral\iconcorl.exe
O4 - Global Startup: KeyText.lnk = C:\Programs\Utils\KeyText\KeyText.exe
O4 - Global Startup: Moon Phase Icon.lnk = C:\Programs\Utils\Moon\MoonIcon.exe
O4 - Global Startup: Password Keeper.lnk = C:\Programs\Utils\PassKeep\PassKeep.exe
O4 - Global Startup: TrayDay.lnk = C:\Programs\Utils\TrayDay\TrayDay.exe
O4 - Global Startup: OnTime.lnk = C:\Programs\OTW\OTWIN.EXE
O4 - Global Startup: VPN Client.lnk = C:\Programs\VPN\ipsecdialer.exe
O4 - Global Startup: Organizer.lnk = C:\Lotus\organize\org6.exe
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\lotus\organize\bandobjs.dll
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programs\VPN\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

#8 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 05 June 2007 - 01:52 PM

Download\install CleanUp.
Launch CleanUp, then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok', now run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.

***************

Your log is clean :thumbsup:
If all's OK, please do the following:

Find and delete:
VundoFix.exe
Combofix
OTMoveIt

C:\VundoFix Backups
C:\QooBox
C:\OTMoveIt

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

#9 Uralten
  • Topic Starter

  • Members
  • 11 posts

Posted 05 June 2007 - 03:31 PM

Hey, Richie, I think we're finally done! :thumbsup:

The ONLY trace I can still find of this problem on my computer is in the Tools/System-Startup section of SpyBot, where the four "new" entries that appeared when I first got infected are still showing up. They are the comdb.dll, hggebaa.dll, nnlkj.dll, and WINotify.dll entries described in my first post, all still being shown as loading from system.ini. None of the check-boxes for them is checked (which means they would be disabled if they really existed), and none of the files is in the locations listed, but when I highlight those entries and ask SpyBot to delete them, it appears to do so, but then they're back the next time I open the System-Startup page. Taking a fresh "snapshot" of the start-up items also has no effect in getting rid of them.

Should I be worried about these entries at all, or just leave them unchecked and ignore them? They make me a little nervous because they are coming from SOMEWHERE, and even when my machine was infected, there were NO entries in system.ini that related to these files, which were actually in other locations. That makes me think there might still be some trace of this experience in my registry or something.

Finally, in reading the various logs I've been posting, I see this entry: "O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)." I do not remember ever installing any program called WinPcap, and it appears it would not be working anyway, since the ini file is missing. Should I uninstall this program?

You have been SUPER helpful in solving this problem, which I would never have figured out on my own. I see there is a PayPal contribution button on the site. Although I doubt you'll get any direct benefit from it, I'll certainly make a contribution once we declare this topic closed!

Next, I guess I should go to the Networking section and see if somebody can help me with all those "A duplicate name has been detected on the TCP network" messages I'm seeing in Event Viewer! :flowers:

#10 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 05 June 2007 - 06:14 PM

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.

************************

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

#11 Uralten
  • Topic Starter

  • Members
  • 11 posts

Posted 05 June 2007 - 11:47 PM

Hey, Richie, I think everything went well this round. :thumbsup:

I ran SuperAntiSpyware, and it found seven cookies and nine registry entries, all of which it appeared to fix. The (short) log is as follows:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/05/2007 at 08:49 PM

Application Version : 3.8.1002

Core Rules Database Version : 3249
Trace Rules Database Version: 1260

Scan type : Complete Scan
Total Scan Time : 00:30:08

Memory items scanned : 498
Memory threats detected : 0
Registry items scanned : 4309
Registry threats detected : 9
File items scanned : 34322
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\Uralten\Cookies\uralten@doubleclick[2].txt
C:\Documents and Settings\Uralten\Cookies\uralten@atwola[1].txt
C:\Documents and Settings\Uralten\Cookies\uralten@revsci[2].txt
C:\Documents and Settings\Uralten\Cookies\uralten@atdmt[1].txt
C:\Documents and Settings\Uralten\Cookies\uralten[1].txt
C:\Documents and Settings\Uralten\Cookies\uralten@advertising[1].txt
C:\Documents and Settings\Uralten\Cookies\uralten@rotator.adjuggler[2].txt

Adware.ClickSpring/Outer Info Network
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#InstallLocation
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayVersion

The program then asked me to reboot, which I did (from regular Windows back into regular Windows), and I saved the log file at that time. The program didn't automatically restart or do any other work after the reboot.

Next, I booted into Safe Mode and ran DrWeb. It found ten items, all of which it deleted. The (short) log is as follows:

GTDownAO_106.ocx;C:\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Deleted.;
comdb.dll.bad;C:\Programs\Utils\Virus\Vundo\VundoFix\VundoFix Backups;Trojan.Virtumod;Deleted.;
fiqqmibr.dll.bad;C:\Programs\Utils\Virus\Vundo\VundoFix\VundoFix Backups;Trojan.Virtumod;Deleted.;
jkblhvcs.dll.bad;C:\Programs\Utils\Virus\Vundo\VundoFix\VundoFix Backups;Trojan.Virtumod;Deleted.;
nnlkj.dll.bad;C:\Programs\Utils\Virus\Vundo\VundoFix\VundoFix Backups;Trojan.Virtumod;Deleted.;
vtstu.dll.bad;C:\Programs\Utils\Virus\Vundo\VundoFix\VundoFix Backups;Trojan.Virtumod;Deleted.;
xcjdlmen.dll.bad;C:\Programs\Utils\Virus\Vundo\VundoFix\VundoFix Backups;Trojan.Virtumod;Deleted.;
wxkpaemi.exe.vir;C:\Programs\Utils\Virus\QooBox\Quarantine\C\WINNT\system32;Trojan.Virtumod;Deleted.;
DCOMbob.exe;C:\Backup\Software\Download;Exploit.DCom.32;Deleted.;
Stress.exe;C:\Backup\Software\Download;Joke.Puncher;Deleted.;

I think these results require a little explanation, as follows. The GTDownAO_106.ocx file is one I've never seen in any prior scan. The next seven (from comdb.dll.bad through wxkpaemi.exe.vir) are the original Vundo files that caused my infection, which you instructed me to delete in an earlier step today. Unfortunately, while doing the deletions, I forgot that I'd tried to clean up some of the stuff that was getting scattered all over my hard drive by our disinfection efforts by setting up a new "Virus" subdirectory with separate subdirectories for all the various cleaning programs we've been using. As you can see, all of these copies were disabled (by having "bad" or "vir" extensions added to them) before DrWeb found them, but at least they're all deleted now! I have also now deleted from this subdirectory all the stuff you told me to delete earlier today. The last two files are not viruses or malware. DCOMbob.exe is a test program I downloaded from http://grc.com right after I got broadband access and was testing to make sure my computer was secure. Stress.exe is just a little game that comes up as a PUP (potentially unwanted program), but has never caused any problems in the four or five years it has been on my computer.

As I said in my last post, everything seems to be working fine now, but the symptom that caused us to do this last round of scanning...those four non-delete-able entries at the bottom of SpyBot's "System Startup" page for the four system.ini-loading files that were causing my Vundo infection...are still there, and are still non-delete-able. I can click them and click delete, and they appear to go away, but then they're there again the next time I open that page. :flowers:

And that's where I think I'll stop for the day, at close to midnight!
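The Dr.Web CureIt report pasted in this post is a plain semicolon-separated list (file name; folder; detection name; action). As an added example that is not part of the thread or of any tool discussed in it, here is a small Python parser that reads such a report and separates hits that were already sitting in a quarantine or backup folder (or carry a .bad/.vir extension) from hits in live locations; the sample lines are a subset of the ones quoted above, and the quarantine-folder markers are assumptions based on the paths seen in this thread.

```python
"""Parse a Dr.Web CureIt report (one detection per line, semicolon-separated)
and separate hits that were already neutralised from hits in live locations.
Added example for this thread; not part of Dr.Web CureIt or any other tool."""
import csv
import re
from io import StringIO

# Folders that hold quarantined/backed-up copies (assumption based on the
# paths that appear in this thread) and extensions the cleanup tools append
# to disable a file.
QUARANTINE_DIRS = re.compile(
    r"VundoFix Backups|QooBox\\Quarantine|DoctorWeb\\Quarantine", re.IGNORECASE
)
DISABLED_EXTS = (".bad", ".vir")

# Constructed sample: a subset of the report lines quoted earlier in this post.
SAMPLE_REPORT = r"""GTDownAO_106.ocx;C:\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Deleted.;
comdb.dll.bad;C:\Programs\Utils\Virus\Vundo\VundoFix\VundoFix Backups;Trojan.Virtumod;Deleted.;
wxkpaemi.exe.vir;C:\Programs\Utils\Virus\QooBox\Quarantine\C\WINNT\system32;Trojan.Virtumod;Deleted.;
DCOMbob.exe;C:\Backup\Software\Download;Exploit.DCom.32;Deleted.;
"""


def parse_drweb_report(text):
    """Return a list of dicts with keys name, folder, detection, action."""
    records = []
    for row in csv.reader(StringIO(text), delimiter=";"):
        if len(row) < 4:          # blank or truncated line
            continue
        name, folder, detection, action = (field.strip() for field in row[:4])
        records.append({"name": name, "folder": folder,
                        "detection": detection, "action": action.rstrip(".")})
    return records


def already_neutralised(record):
    """True if the hit was a quarantined/backup copy rather than a live file."""
    return (record["name"].lower().endswith(DISABLED_EXTS)
            or QUARANTINE_DIRS.search(record["folder"]) is not None)


def triage(text):
    """Split a report into live hits (worth a closer look) and leftovers."""
    live, leftovers = [], []
    for rec in parse_drweb_report(text):
        (leftovers if already_neutralised(rec) else live).append(rec)
    return {"live": live, "leftovers": leftovers}


if __name__ == "__main__":
    for bucket, recs in triage(SAMPLE_REPORT).items():
        print(f"{bucket}:")
        for r in recs:
            print(f"  {r['name']:20} {r['detection']:18} {r['folder']}")
```

Run against the sample, the two VundoFix/QooBox copies land in "leftovers" and only GTDownAO_106.ocx and DCOMbob.exe remain as live hits to review.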

#12 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 06 June 2007 - 06:27 AM

They are entries for combd (loading from c:\winnt\inf\combd.dll), hggebaa (loading from hggebaa.dll), and nnlkj (loading from C:\winnt\system32\nnlkj.dll).

Those files were all deleted by Vundofix.
Uninstall Spybot via Start/Control Panel/Add or Remove Programs, then restart your pc.

**************************************

Download CCleaner 1.40.520:
http://www.filehippo.com/download_ccleaner/
While installing make sure you uncheck the option to install 'Yahoo Toolbar'.
Then run CCleaner using its default configuration.
Make sure you scan and clean using all three of the following options:
Windows
Applications
Issues

You might want to read through this CCleaner tour first:
http://ccleaner.com/help/tour/

**************************************

Download/reinstall Spybot S&D:
http://www.safer-networking.org/en/download/

Let me know what's happening now.

#13 Uralten
  • Topic Starter

  • Members
  • 11 posts

Posted 06 June 2007 - 11:15 AM

Well, if nothing else, at least this problem (if it really IS a problem) is persistent!

Per your instructions, I uninstalled SpyBot from Add/Remove Programs, then rebooted, then manually deleted the entire subdirectory where it was formerly installed, which had a few straggler files left in it. I then installed CCleaner and ran it per your instructions. It (predictably) found things to delete, but none of them seemed relevant to the current problem...lots of things like registry left-overs from Quicken versions two or three generations old, and that sort of thing. Everything it detected was deleted.

I then downloaded a fresh copy of SpyBot, installed it, fully updated it, ran a scan, and enabled the Immunize feature. When I went to look at the "System Startup" page, those last four entries were STILL THERE, and (as before) they cannot be deleted. :thumbsup:

I'm beginning to think we're at the point of diminishing returns. The files referred to in those last four entries are NOT in the locations specified, or anywhere else on my computer that I can find, so the ONLY problem we have is with the spurious entries in SpyBot, not with any active infection of my computer, which seems to be working now like it did before all this happened. If you're interested in trying to track down this last glitch, perhaps as a learning experience, I'll be more than happy to work with you on it, but I feel guilty for taking up so much of your time on something that, as far as I can tell, really isn't causing ANY problem. Let me know what you think we should do at this point. Thanks!!

#14 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 06 June 2007 - 01:44 PM

Find and delete:
C:\Documents and Settings\userprofile\DoctorWeb\Quarantine <= Delete everything inside this folder, then make sure you empty the recycle bin.

********************************

Download/install Agent Ransack:
http://www.mythicsoft.com/agentransack/download.aspx

Launch Agent Ransack, in the 'File' space at the top type comdb.dll then press the 'Start search' button.
If anything is found,take note of the exact path to that file.
Then do exactly the same with:
hggebaa.dll
nnlkj.dll
WINotify.dll


#15 Uralten
  • Topic Starter

  • Members
  • 11 posts

Posted 06 June 2007 - 02:19 PM

Hey, Richie, I found the C:\Documents and Settings\userprofile\DoctorWeb subdirectory, but it did not even HAVE a "quarantine" subdirectory (or any other subdirectory) under it, so there was nothing to delete, or to empty out of the recycle bin. The ONLY thing in the DoctorWeb directory was a CureIt.Log file from last night's scan. That is the only DoctorWeb subdirectory on my computer.

I then installed and ran Agent Ransack four times, searching both local hard drives for the four files. None was found. I then repeated the search with a * at the beginning and end of each of the four file names, to make sure nothing even CONTAINING those names was lurking somewhere. Nothing was found.

I'm about 99.999999% certain they're really GONE from EVERYWHERE but the SpyBot "System Startup" page!
