Hjt Log...[INACTIVE]



I turn on the computer and like 4 command prompts appear, an error message about 16-bit MS-DOS subsystem, and a rundll error saying error loading 0oqw0ct0.dll

Anything in here malware I can get rid of, or fix what is happening? (or things I don't need)

Logfile of HijackThis v1.99.1

Scan saved at 7:39:27 PM, on 2/8/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Kerio\Personal Firewall\persfw.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\inet20010\winlogon.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ASUS\Probe\AsusProb.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Common Files\AOL\1139095246\ee\AOLSoftware.exe

C:\WINDOWS\system32\paytime.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\mozilla.org\Mozilla\Mozilla.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\ntvdm.exe

c:\program files\common files\aol\1139095246\ee\aim6.exe

C:\WINDOWS\system32\wpabaln.exe

C:\Documents and Settings\Sean\My Documents\malware removal\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R3 - Default URLSearchHook is missing

F3 - REG:win.ini: run=C:\WINDOWS\inet20010\winlogon.exe

O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe

O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139095246\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [i downloaded pirated Software from P2P] C:\WINDOWS\system32\Battlefield2 .exe

O4 - HKLM\..\Run: [system service79] C:\WINDOWS\\\etb\\pokapoka79.exe

O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe

O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd5.exe

O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s

O4 - HKLM\..\Run: [6104308] tskmgr.exe /ibpm

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20010\winlogon.exe

O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 4967156

O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"

O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban5.exe

O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames.exe

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

O4 - HKCU\..\Run: [6104308] tskmgr.exe /ibpm

O4 - HKCU\..\Run: [klop] C:\WINDOWS\25.tmp

O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe

O4 - HKCU\..\Run: [rkfu] C:\PROGRA~1\COMMON~1\rkfu\rkfum.exe

O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe

O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe

O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20010\winlogon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - AppInit_DLLs: repairs302972994.dll

O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\r0r60a9sed.dll

O20 - Winlogon Notify: hpprintx - hpprintx.dll (file missing)

O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\system32\opmnjckd.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe

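A small triage script for logs like the one above, added here as an example; it is not part of the thread and not HijackThis code. It applies three heuristics that a helper reading this log uses implicitly: a core Windows binary name (winlogon.exe and friends) launched from a Run key, a random-looking DLL or EXE name with digits mixed into the letters, and the same Run value planted in both HKLM and HKCU so that a one-sided cleanup leaves it alive. The input lines are copied from the first log; the heuristics, the CORE_SYSTEM_BINARIES set and the looks_random threshold are my assumptions, not rules of the tool.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Lines copied from the first HijackThis log in this thread; the ATIPTA and
# ctfmon.exe entries are benign and are here so the heuristics leave them alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20010\winlogon.exe
O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 4967156
O4 - HKLM\..\Run: [6104308] tskmgr.exe /ibpm
O4 - HKCU\..\Run: [6104308] tskmgr.exe /ibpm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20010\winlogon.exe
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\r0r60a9sed.dll
O20 - Winlogon Notify: hpprintx - hpprintx.dll (file missing)
"""

# Assumption: these names belong to the Windows logon chain and have no business
# in a Run key, whatever directory they are started from.
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def basename(path: str) -> str:
    """Last path component with surrounding quotes removed."""
    return path.strip('"').rsplit("\\", 1)[-1].strip()


def looks_random(filename: str) -> bool:
    """Heuristic: two or more digits mixed into a lettered stem (r0r60a9sed, 0oqw0ct0)."""
    stem = filename.rsplit(".", 1)[0]
    digits = sum(ch.isdigit() for ch in stem)
    letters = sum(ch.isalpha() for ch in stem)
    return digits >= 2 and letters >= 2


def analyze(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    hives_by_name: dict[str, set[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            hives_by_name.setdefault(name, set()).add(hive)
            tokens = command.split()
            exe = basename(tokens[0]).lower() if tokens else ""
            if exe in CORE_SYSTEM_BINARIES:
                findings.append(Finding(line, f"core system binary {exe} started from a Run key"))
            elif exe == "rundll32.exe" and len(tokens) > 1:
                # rundll32 takes "dll,entrypoint"; judge the DLL name, not rundll32 itself
                dll = basename(tokens[1].split(",", 1)[0])
                if looks_random(dll):
                    findings.append(Finding(line, f"rundll32 loads random-looking DLL {dll}"))
            elif looks_random(exe):
                findings.append(Finding(line, f"random-looking executable name {exe}"))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            subkey, target = m.groups()
            dll = basename(target.replace("(file missing)", ""))
            if "(file missing)" in target:
                findings.append(Finding(line, f"Winlogon Notify subkey {subkey} points at missing DLL {dll}"))
            elif looks_random(dll):
                findings.append(Finding(line, f"Winlogon Notify subkey {subkey} loads random-looking DLL {dll}"))
    # The same value name in both hives is a common way to survive a one-sided cleanup.
    for name, hives in hives_by_name.items():
        if hives == {"HKLM", "HKCU"}:
            findings.append(Finding(f"[{name}]", f"same Run value {name!r} in both HKLM and HKCU"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.reason:60} <- {f.line}")
```

On the sample it reports seven findings: both winlogon.exe entries, the rundll32 load of 0oqw0ct0.dll, the r0r60a9sed.dll and hpprintx Notify handlers, and the two value names (xp_system, 6104308) that appear in both hives. The digit heuristic is deliberately crude; it is meant to sort a long log into "look at these first", not to replace the helper's judgement.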

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe

http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to "C:\windows\system32\cmd.exe C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.", then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.


L2MFIX find log 010406

These are the registry keys present

**********************************************************************************

Winlogon/notify:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

"DLLName"="Ati2evxx.dll"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000001

"Lock"="AtiLockEvent"

"Logoff"="AtiLogoffEvent"

"Logon"="AtiLogonEvent"

"Disconnect"="AtiDisConnectEvent"

"Reconnect"="AtiReConnectEvent"

"Safe"=dword:00000000

"Shutdown"="AtiShutdownEvent"

"StartScreenSaver"="AtiStartScreenSaverEvent"

"StartShell"="AtiStartShellEvent"

"Startup"="AtiStartupEvent"

"StopScreenSaver"="AtiStopScreenSaverEvent"

"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\r0r60a9sed.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

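The hex(2) values in the export above are REG_EXPAND_SZ strings stored as UTF-16LE bytes, so the DLL a Notify subkey loads is not readable at a glance, and the forum software has put a blank line after every line of the export. The following parser is added here as an example; it is not part of L2MFix or of the thread. It joins backslash-continued lines, decodes hex(2) and dword values, and flags a handler whose DllName is a full path (stock handlers use a bare name resolved from system32) or is not in a small allowlist. The KNOWN_NOTIFY_DLLS allowlist is an assumption built from the benign subkeys in this export, and the input is a constructed subset of it.

```python
import re

# Constructed subset of the Winlogon\Notify export posted above: one stock
# handler (crypt32chain) and the two that HijackThis flagged, keeping the blank
# line the forum inserted after every line.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]

"DllName"="C:\\WINDOWS\\system32\\r0r60a9sed.dll"

"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hpprintx]

"DllName"=hex(2):68,00,70,00,70,00,72,00,69,00,6e,00,74,00,78,00,2e,00,64,00,\

6c,00,6c,00,00,00

"nk453id"="[20882906427633-NG-Sean]"
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
KEY_RE = re.compile(r"^\[(.+)\]$")

# Assumption: the stock notification DLLs, taken from the benign subkeys in this
# export (AtiExtEvent, crypt32chain, cryptnet, cscdll, ScCertProp, sclgntfy, ...).
KNOWN_NOTIFY_DLLS = {"ati2evxx.dll", "crypt32.dll", "cryptnet.dll",
                     "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}


def decode_value(raw: str):
    """Turn the textual .reg representation of a value into a Python value."""
    if raw.startswith("hex(2):"):  # REG_EXPAND_SZ as comma-separated UTF-16LE bytes
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        # .reg string escapes: \" for a quote, \\ for a backslash
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_reg(text: str) -> dict:
    """Map each subkey's last path component to its decoded values."""
    keys: dict = {}
    current = None
    pending = ""  # accumulated text of a line that ended with a continuation backslash
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        line = pending + line
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).rsplit("\\", 1)[-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def suspicious_notify_handlers(keys: dict) -> dict:
    """Subkey name -> list of reasons, for handlers that deviate from the stock pattern."""
    flagged = {}
    for subkey, values in keys.items():
        # value names are case-insensitive in the registry (DLLName vs DllName)
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if not isinstance(dll, str):
            continue
        reasons = []
        if "\\" in dll:
            reasons.append("DllName is a full path; stock handlers use a bare name from system32")
        if dll.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
            reasons.append("DLL is not one of the stock notification DLLs")
        if reasons:
            flagged[subkey] = reasons
    return flagged


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for subkey, reasons in suspicious_notify_handlers(parsed).items():
        print(subkey, "->", parsed[subkey].get("DllName"), "|", "; ".join(reasons))
```

Run against the sample it decodes crypt32chain to crypt32.dll and leaves it alone, flags CSCSettings on both counts, and flags hpprintx because hpprintx.dll is not a stock handler (the HijackThis log additionally reports that file as missing). The allowlist is the part to maintain: an unknown vendor DLL will show up here until it is added.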

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the desktop icons don't disappear or the log does not pop up, then in the l2mfix folder double click the second.bat file to continue with the fix.


L2mfix 010406

Creating Account.

The command completed successfully.

Adding Administrative privleges.

The command completed successfully.

Checking for L2MFix account(0=no 1=yes):

1

Granting SeDebugPrivilege to L2MFIX ... successful

Running From:

C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 [email protected]

Killing PID 928 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 [email protected]

Killing PID 1024 'winlogon.exe'

Killing PID 1024 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 [email protected]

Killing PID 1372 'explorer.exe'

Killing PID 1372 'explorer.exe'

Killing PID 1372 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 [email protected]

Error, Cannot find a process with an image name of rundll32.exe

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:

****************************************************************************

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

"DLLName"="Ati2evxx.dll"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000001

"Lock"="AtiLockEvent"

"Logoff"="AtiLogoffEvent"

"Logon"="AtiLogonEvent"

"Disconnect"="AtiDisConnectEvent"

"Reconnect"="AtiReConnectEvent"

"Safe"=dword:00000000

"Shutdown"="AtiShutdownEvent"

"StartScreenSaver"="AtiStartScreenSaverEvent"

"StartShell"="AtiStartShellEvent"

"Startup"="AtiStartupEvent"

"StopScreenSaver"="AtiStopScreenSaverEvent"

"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\r0r60a9sed.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hpprintx]

"DllName"=hex(2):68,00,70,00,70,00,72,00,69,00,6e,00,74,00,78,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Startup"="hpprintx"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

"MaxWait"=dword:00000001

"nk453id"="[20882906427633-NG-Sean]"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

The following are the files found:

****************************************************************************

Registry Entries that were Deleted:

Please verify that the listing looks ok.

If there was something deleted wrongly there are backups in the backreg folder.

****************************************************************************

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{AC3CA426-F420-45AE-89D9-0C2858D56B51}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{AC3CA426-F420-45AE-89D9-0C2858D56B51}\Implemented Categories]

@=""

[HKEY_CLASSES_ROOT\CLSID\{AC3CA426-F420-45AE-89D9-0C2858D56B51}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]

@=""

[HKEY_CLASSES_ROOT\CLSID\{AC3CA426-F420-45AE-89D9-0C2858D56B51}\InprocServer32]

@="C:\\WINDOWS\\system32\\ivssuba.dll"

"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{AC3CA426-F420-45AE-89D9-0C2858D56B51}"=-

[-HKEY_CLASSES_ROOT\CLSID\{AC3CA426-F420-45AE-89D9-0C2858D56B51}]

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"SV1"=""

****************************************************************************

Desktop.ini Contents:

****************************************************************************

****************************************************************************

Checking for L2MFix account(0=no 1=yes):

0

Zipping up files for submission:

zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)

adding: backregs/AC3CA426-F420-45AE-89D9-0C2858D56B51.reg (212 bytes security) (deflated 70%)

adding: backregs/notibac.reg (164 bytes security) (deflated 87%)

adding: backregs/shell.reg (164 bytes security) (deflated 74%)

Hi frank. Please post a new HJT log.

Logfile of HijackThis v1.99.1

Scan saved at 10:31:56 PM, on 2/8/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Kerio\Personal Firewall\persfw.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\mozilla.org\Mozilla\Mozilla.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wpabaln.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\Program Files\Grisoft\AVG Free\avgcc.exe

C:\Program Files\Grisoft\AVG Free\avgwb.dat

C:\Documents and Settings\Sean\My Documents\malware removal\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe

O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [6104308] tskmgr.exe /ibpm

O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 4967156

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [6104308] tskmgr.exe /ibpm

O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe

O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - AppInit_DLLs: repairs302972994.dll

O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\r0r60a9sed.dll

O20 - Winlogon Notify: hpprintx - hpprintx.dll (file missing)

O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\system32\opmnjckd.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe

Hi frank. Looks like it didn't get it. Try running step 2 again from the l2mfix directions. If it doesn't catch it this second time, we can use a different tool. I'm signing off now for the night. Catch ya tomorrow.

Good luck :thumbsup:

L2mfix 010406

Creating Account.

The command completed successfully.

Adding Administrative privleges.

The command completed successfully.

Checking for L2MFix account(0=no 1=yes):

1

Granting SeDebugPrivilege to L2MFIX ... successful

Running From:

C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 [email protected]

Killing PID 928 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 [email protected]

Killing PID 1024 'winlogon.exe'

Killing PID 1024 'winlogon.exe'

Killing PID 1024 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 [email protected]

Killing PID 320 'explorer.exe'

Killing PID 320 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03

Copyright© 2002-2003 [email protected]

Error, Cannot find a process with an image name of rundll32.exe

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:

****************************************************************************

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

"DLLName"="Ati2evxx.dll"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000001

"Lock"="AtiLockEvent"

"Logoff"="AtiLogoffEvent"

"Logon"="AtiLogonEvent"

"Disconnect"="AtiDisConnectEvent"

"Reconnect"="AtiReConnectEvent"

"Safe"=dword:00000000

"Shutdown"="AtiShutdownEvent"

"StartScreenSaver"="AtiStartScreenSaverEvent"

"StartShell"="AtiStartShellEvent"

"Startup"="AtiStartupEvent"

"StopScreenSaver"="AtiStopScreenSaverEvent"

"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\r0r60a9sed.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hpprintx]

"DllName"=hex(2):68,00,70,00,70,00,72,00,69,00,6e,00,74,00,78,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Startup"="hpprintx"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

"MaxWait"=dword:00000001

"nk453id"="[20882906427633-NG-Sean]"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

The following are the files found:

****************************************************************************

Registry Entries that were Deleted:

Please verify that the listing looks ok.

If there was something deleted wrongly there are backups in the backreg folder.

****************************************************************************

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"SV1"=""

****************************************************************************

Desktop.ini Contents:

****************************************************************************

****************************************************************************

Checking for L2MFix account(0=no 1=yes):

0

Zipping up files for submission:

zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)

adding: backregs/AC3CA426-F420-45AE-89D9-0C2858D56B51.reg (164 bytes security) (deflated 70%)

adding: backregs/notibac.reg (164 bytes security) (deflated 87%)

adding: backregs/shell.reg (164 bytes security) (deflated 74%)

HERE IS THE HJT LOG (NEW) -------------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 9:32:18 PM, on 2/9/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Kerio\Personal Firewall\persfw.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ASUS\Probe\AsusProb.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\mozilla.org\Mozilla\Mozilla.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wpabaln.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Sean\My Documents\malware removal\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe

O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [6104308] tskmgr.exe /ibpm

O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 4967156

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [6104308] tskmgr.exe /ibpm

O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - AppInit_DLLs: repairs302972994.dll

O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\r0r60a9sed.dll

O20 - Winlogon Notify: hpprintx - hpprintx.dll (file missing)

O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\system32\opmnjckd.dll (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe


Please download WebRoot SpySweeper from HERE (It's a 2-week trial):

  • Click Download Now to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:

    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.

  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply, along with a new HJT log.

********

9:41 PM: | Start of Session, Thursday, February 09, 2006 |

9:41 PM: Spy Sweeper started

9:41 PM: Sweep initiated using definitions version 612

9:42 PM: Starting Memory Sweep

9:44 PM: Memory Sweep Complete, Elapsed Time: 00:01:58

9:44 PM: Starting Registry Sweep

9:44 PM: Found Adware: surfsidekick

9:44 PM: HKLM\software\microsoft\windows nt\currentversion\windows\ || appinit_dlls (ID = 819064)

9:44 PM: Found Trojan Horse: spamrelayer_alpiok

9:44 PM: HKCR\clsid\{636821fc-6f5c-2f1b-b164-e67214f678e2}\ (3 subtraces) (ID = 942353)

9:44 PM: HKLM\software\classes\clsid\{636821fc-6f5c-2f1b-b164-e67214f678e2}\ (3 subtraces) (ID = 942360)

9:44 PM: HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload\ || systray.exgl (ID = 942368)

9:44 PM: Found Adware: cws_secure32.html hijack

9:44 PM: HKLM\software\microsoft\internet explorer\main\ || start page (ID = 946025)

9:44 PM: Found Adware: command

9:44 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)

9:44 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)

9:44 PM: Found Adware: quicklink search toolbar

9:44 PM: HKCR\permeation.permeater\ (3 subtraces) (ID = 1133968)

9:44 PM: HKCR\permeation.permeater.1\ (3 subtraces) (ID = 1133972)

9:44 PM: HKCR\permeation.trecker\ (3 subtraces) (ID = 1133976)

9:44 PM: HKCR\permeation.trecker.1\ (3 subtraces) (ID = 1133980)

9:44 PM: HKCR\clsid\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (10 subtraces) (ID = 1133998)

9:44 PM: HKCR\typelib\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (9 subtraces) (ID = 1134093)

9:44 PM: HKLM\software\classes\permeation.permeater\ (3 subtraces) (ID = 1134157)

9:44 PM: HKLM\software\classes\permeation.permeater.1\ (3 subtraces) (ID = 1134161)

9:44 PM: HKLM\software\classes\permeation.trecker\ (3 subtraces) (ID = 1134165)

9:44 PM: HKLM\software\classes\permeation.trecker.1\ (3 subtraces) (ID = 1134169)

9:44 PM: HKLM\software\classes\clsid\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (10 subtraces) (ID = 1134187)

9:44 PM: HKLM\software\classes\typelib\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (9 subtraces) (ID = 1134251)

9:44 PM: Found Adware: spysheriff

9:44 PM: HKLM\software\microsoft\internet explorer\main\ || start page (ID = 1140862)

9:44 PM: Found Trojan Horse: infected mushrooms

9:44 PM: HKU\S-1-5-21-220523388-1220945662-725345543-1003\software\microsoft\windows\currentversion\run\ || windowsupdatent (ID = 1124765)

9:44 PM: Registry Sweep Complete, Elapsed Time:00:00:08

9:44 PM: Starting Cookie Sweep

9:44 PM: Found Spy Cookie: atwola cookie

9:44 PM: sean@atwola[1].txt (ID = 2255)

9:44 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00

9:44 PM: Starting File Sweep

9:44 PM: Found Trojan Horse: komforochka smtp relay

9:44 PM: c:\windows\inet20010 (1 subtraces) (ID = -2147459835)

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005901.exe". Access is denied

9:44 PM: c:\program files\jalmp (3 subtraces) (ID = -2147459072)

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005995.exe". Access is denied

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0009013.exe". Access is denied

9:44 PM: a0009113.exe (ID = 202812)

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005836.exe". Access is denied

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005997.exe". Access is denied

9:44 PM: a0005860.exe (ID = 238236)

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005876.exe". Access is denied

9:44 PM: Found Trojan Horse: trojan-downloader-dh

9:44 PM: a0005884.exe (ID = 208497)

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005896.exe". Access is denied

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0004786.exe". Access is denied

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp41\a0004390.exe". Access is denied

9:44 PM: a0005953.exe (ID = 212830)

9:44 PM: a0005952.exe (ID = 212831)

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005986.exe". Access is denied

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0004787.exe". Access is denied

9:44 PM: Found Adware: targetsaver

9:44 PM: class-barrel (ID = 78229)

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005984.dll". Access is denied

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006097.exe". Access is denied

9:44 PM: a0009221.dll (ID = 239855)

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0005811.exe". Access is denied

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0005813.exe". Access is denied

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0005815.exe". Access is denied

9:44 PM: a0006053.exe (ID = 212830)

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0008053.exe". Access is denied

9:44 PM: a0006052.exe (ID = 212831)

9:44 PM: a0009115.exe (ID = 240726)

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0008054.exe". Access is denied

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005959.exe". Access is denied

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0008055.exe". Access is denied

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005885.exe". Access is denied

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006086.exe". Access is denied

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006084.dll". Access is denied

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006032.exe". Access is denied

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0008012.dll". Access is denied

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0004789.exe". Access is denied

9:44 PM: a0009106.dll (ID = 220754)

9:44 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp36\a0003998.exe". Access is denied

9:45 PM: a0005955.exe (ID = 212828)

9:45 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005883.dll". Access is denied

9:45 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005934.exe". Access is denied

9:45 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005998.exe". Access is denied

9:45 PM: Found Adware: spysheriff fakealert

9:45 PM: secure32.html (ID = 184319)

9:45 PM: Found Adware: coolwebsearch (cws)

9:45 PM: a0009107.exe (ID = 239915)

9:45 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005903.exe". Access is denied

9:45 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005902.exe". Access is denied

9:45 PM: a0005947.exe (ID = 237448)

9:45 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005900.exe". Access is denied

9:45 PM: Found Trojan Horse: trojan-backdoor-haxdoor

9:45 PM: a0005895.sys (ID = 238244)

9:45 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005931.exe". Access is denied

9:46 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006059.exe". Access is denied

9:46 PM: vocabulary (ID = 78283)

9:46 PM: a0006055.exe (ID = 212828)

9:46 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005891.exe". Access is denied

9:46 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005899.exe". Access is denied

9:47 PM: a0005847.exe (ID = 237448)

9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005834.exe". Access is denied

9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005969.exe". Access is denied

9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006098.exe". Access is denied

9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006029.exe". Access is denied

9:47 PM: a0006047.exe (ID = 237448)

9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005869.exe". Access is denied

9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005991.exe". Access is denied

9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006091.exe". Access is denied

9:47 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005881.exe". Access is denied

9:48 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0006000.exe". Access is denied

9:48 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005897.dll". Access is denied

9:48 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005996.dll". Access is denied

9:48 PM: Found Adware: wfgtech

9:48 PM: a0009111.exe (ID = 203674)

9:48 PM: Found Adware: ezula ilookup

9:48 PM: a0004016.src (ID = 111060)

9:48 PM: a0005985.exe (ID = 208497)

9:48 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006100.exe". Access is denied

9:48 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006095.exe". Access is denied

9:48 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006069.exe". Access is denied

9:48 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006096.dll". Access is denied

9:48 PM: a0006085.exe (ID = 208497)

9:49 PM: dh9013.exe (ID = 208497)

9:49 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005898.exe". Access is denied

9:49 PM: a0005855.exe (ID = 212828)

9:49 PM: a0005872.vbs (ID = 231442)

9:49 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0005814.exe". Access is denied

9:49 PM: a0006042.dll (ID = 189)

9:49 PM: a0005973.exe (ID = 231443)

9:49 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005933.exe". Access is denied

9:49 PM: secure32.html (ID = 184319)

9:49 PM: a0005951.config (ID = 212361)

9:49 PM: a0005944.exe (ID = 242377)

9:49 PM: a0005948.dll (ID = 238167)

9:49 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006031.exe". Access is denied

9:49 PM: a0005943.dll (ID = 189)

9:49 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0004799.exe". Access is denied

9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0006002.exe". Access is denied

9:50 PM: Found Adware: clkoptimizer

9:50 PM: a0009110.exe (ID = 208542)

9:50 PM: a0005848.dll (ID = 238167)

9:50 PM: a0005949.cfg (ID = 208796)

9:50 PM: a0006049.cfg (ID = 208796)

9:50 PM: Found Adware: look2me

9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0006001.exe". Access is denied

9:50 PM: a0006017.dll (ID = 159)

9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005999.exe". Access is denied

9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005982.exe". Access is denied

9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005859.exe". Access is denied

9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006077.exe". Access is denied

9:50 PM: a0009118.sys (ID = 238244)

9:50 PM: a0005972.vbs (ID = 231442)

9:50 PM: a0005851.config (ID = 212361)

9:50 PM: a0005853.exe (ID = 212830)

9:50 PM: a0005852.exe (ID = 212831)

9:50 PM: a0005843.exe (ID = 242377)

9:50 PM: a0005960.exe (ID = 238236)

9:50 PM: a0006072.vbs (ID = 231442)

9:50 PM: a0006073.exe (ID = 231443)

9:50 PM: a0005849.cfg (ID = 208796)

9:50 PM: a0006048.dll (ID = 238167)

9:50 PM: a0006043.exe (ID = 242377)

9:50 PM: Found Adware: elitebar

9:50 PM: a0008076.dll (ID = 198437)

9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp36\a0003995.exe". Access is denied

9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp48\a0005837.exe". Access is denied

9:50 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp47\a0005812.exe". Access is denied

9:51 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006102.exe". Access is denied

9:51 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006101.exe". Access is denied

9:51 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp49\a0005977.exe". Access is denied

9:51 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006099.exe". Access is denied

9:51 PM: Warning: Failed to open file "c:\system volume information\_restore{490691a7-baa0-40c0-88b9-0f2f99db2e60}\rp50\a0006082.exe". Access is denied

9:51 PM: a0006060.exe (ID = 238236)

9:51 PM: a0006051.config (ID = 212361)

9:52 PM: Found Adware: findthewebsiteyouneed hijacker

9:52 PM: a0009125.exe (ID = 242088)

9:52 PM: a0009230.exe (ID = 239916)

9:52 PM: Found Adware: dollarrevenue

9:52 PM: a0009109.exe (ID = 241756)

9:52 PM: Found Trojan Horse: trojan-backdoor-us15info

9:52 PM: a0009116.exe (ID = 239949)

9:52 PM: a0009124.exe (ID = 241762)

9:52 PM: a0004803.lnk (ID = 60599)

9:52 PM: a0004804.lnk (ID = 60601)

9:52 PM: a0004012.lnk (ID = 60599)

9:52 PM: a0004013.lnk (ID = 60601)

9:52 PM: a0005974.vbs (ID = 185675)

9:52 PM: a0005873.vbs (ID = 185675)

9:52 PM: a0005857.bat (ID = 212353)

9:52 PM: a0005854.config (ID = 212358)

9:52 PM: a0005957.bat (ID = 212353)

9:52 PM: a0005954.config (ID = 212358)

9:52 PM: a0006074.vbs (ID = 185675)

9:52 PM: a0006057.bat (ID = 212353)

9:52 PM: a0006054.config (ID = 212358)

9:58 PM: Found System Monitor: potentially rootkit-masked files

9:58 PM: sysbus32.sys (ID = 0)

10:03 PM: Sweep Canceled

10:04 PM: File Sweep Complete, Elapsed Time: 00:19:57

10:04 PM: Traces Found: 183

10:05 PM: Removal process initiated

10:05 PM: Quarantining All Traces: clkoptimizer

10:05 PM: Quarantining All Traces: elitebar

10:05 PM: Quarantining All Traces: infected mushrooms

10:05 PM: Quarantining All Traces: komforochka smtp relay

10:05 PM: Quarantining All Traces: look2me

10:05 PM: Quarantining All Traces: potentially rootkit-masked files

10:05 PM: potentially rootkit-masked files is in use. It will be removed on reboot.

10:05 PM: sysbus32.sys is in use. It will be removed on reboot.

10:05 PM: Quarantining All Traces: spamrelayer_alpiok

10:05 PM: Quarantining All Traces: spysheriff fakealert

10:05 PM: Quarantining All Traces: trojan-backdoor-haxdoor

10:05 PM: Quarantining All Traces: trojan-backdoor-us15info

10:05 PM: Quarantining All Traces: coolwebsearch (cws)

10:05 PM: Quarantining All Traces: dollarrevenue

10:05 PM: Quarantining All Traces: quicklink search toolbar

10:05 PM: Quarantining All Traces: spysheriff

10:05 PM: Quarantining All Traces: surfsidekick

10:05 PM: Quarantining All Traces: trojan-downloader-dh

10:05 PM: Quarantining All Traces: command

10:05 PM: Quarantining All Traces: cws_secure32.html hijack

10:05 PM: Quarantining All Traces: ezula ilookup

10:05 PM: Quarantining All Traces: findthewebsiteyouneed hijacker

10:05 PM: Quarantining All Traces: targetsaver

10:05 PM: Quarantining All Traces: wfgtech

10:05 PM: Quarantining All Traces: atwola cookie

10:06 PM: Removal process completed. Elapsed time 00:01:05

********

9:40 PM: | Start of Session, Thursday, February 09, 2006 |

9:40 PM: Spy Sweeper started

9:41 PM: Your spyware definitions have been updated.

9:41 PM: | End of Session, Thursday, February 09, 2006 |

HJT LOG________________________________

Logfile of HijackThis v1.99.1

Scan saved at 10:07:39 PM, on 2/9/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Kerio\Personal Firewall\persfw.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\mozilla.org\Mozilla\Mozilla.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wpabaln.exe

C:\Program Files\Common Files\AOL\1139095246\ee\aolsoftware.exe

c:\program files\common files\aol\1139095246\ee\aim6.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\WINDOWS\ALCFDRTM.EXE

C:\Documents and Settings\Sean\My Documents\malware removal\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe

O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [6104308] tskmgr.exe /ibpm

O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 4967156

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [6104308] tskmgr.exe /ibpm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\r0r60a9sed.dll

O20 - Winlogon Notify: hpprintx - hpprintx.dll (file missing)

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

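The helpers in this thread compare the "before" and "after" HijackThis logs by eye to see what survived the sweep. The following Python script is an added example, not part of HijackThis, Spy Sweeper or anything the poster ran; it does that comparison mechanically. It parses the persistence-related sections (R0/R1/R3, O4, O20, O21, O23) of two logs, reports which entries were removed, which persisted and which are new, and applies a few triage heuristics to the persisted ones: a Run entry with no absolute path, rundll32 used as a loader, a "(file missing)" target, an AppInit_DLLs value, or a Winlogon Notify DLL other than the two names seen in the Winlogon\Notify registry export earlier in the thread. The two embedded excerpts are trimmed copies of the 9:32 PM and 10:07 PM logs posted above; the heuristics and the small allow-list are my assumptions, and a hit means "look closer", not "malicious".

```python
"""Diff two HijackThis logs and triage the entries that survived a cleanup.

Added example for this thread; not HijackThis code. The heuristics below are
assumptions chosen for illustration.
"""
import re

# Sections that carry persistence or browser hijacks in a HijackThis log.
TRACKED = {"R0", "R1", "R3", "O4", "O20", "O21", "O23"}
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')
# Notify DLLs present in the Winlogon\Notify export posted earlier in the thread
# (assumed allow-list; anything else is flagged for a closer look).
KNOWN_NOTIFY_DLLS = {"sclgntfy.dll", "wlnotify.dll"}

# Trimmed excerpt of the 9:32 PM log (before the Spy Sweeper run).
LOG_BEFORE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [6104308] tskmgr.exe /ibpm
O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 4967156
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O20 - AppInit_DLLs: repairs302972994.dll
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\r0r60a9sed.dll
O20 - Winlogon Notify: hpprintx - hpprintx.dll (file missing)
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\system32\opmnjckd.dll (file missing)
"""

# Trimmed excerpt of the 10:07 PM log (after the Spy Sweeper run).
LOG_AFTER = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [6104308] tskmgr.exe /ibpm
O4 - HKLM\..\Run: [0oqw0ct0.dll] RUNDLL32.EXE 0oqw0ct0.dll,b 4967156
O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\r0r60a9sed.dll
O20 - Winlogon Notify: hpprintx - hpprintx.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""


def parse_hjt(text):
    """Return the set of (section, body) pairs for tracked entries in a log."""
    entries = set()
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m and m.group("sec") in TRACKED:
            entries.add((m.group("sec"), m.group("body")))
    return entries


def diff_logs(before, after):
    """Split tracked entries into removed / persisted / new between two logs."""
    b, a = parse_hjt(before), parse_hjt(after)
    return {"removed": sorted(b - a), "persisted": sorted(b & a), "new": sorted(a - b)}


def suspicious(section, body):
    """Cheap triage heuristics (assumed); returns the reasons that fired."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("target file missing")
    if section == "O4":
        target = body.split("] ", 1)[-1].strip()
        # Legitimate Run values almost always carry a full path; a bare name
        # is resolved through the search path and deserves a closer look.
        if not ABS_PATH_RE.match(target):
            reasons.append("no absolute path")
        if target.lower().startswith("rundll32"):
            reasons.append("rundll32 loader")
    elif section == "O20":
        if body.startswith("AppInit_DLLs:"):
            reasons.append("AppInit_DLLs set")
        elif body.startswith("Winlogon Notify:"):
            dll = body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
            if dll.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
                reasons.append("unknown Winlogon Notify DLL")
    return reasons


def triage(before, after):
    """Entries that survived the cleanup and tripped at least one heuristic."""
    persisted = diff_logs(before, after)["persisted"]
    return [(s, b, suspicious(s, b)) for s, b in persisted if suspicious(s, b)]


if __name__ == "__main__":
    report = diff_logs(LOG_BEFORE, LOG_AFTER)
    for kind in ("removed", "persisted", "new"):
        print(f"== {kind} ({len(report[kind])}) ==")
        for sec, body in report[kind]:
            flags = suspicious(sec, body)
            print(f"  {sec} - {body}" + (f"   <-- {', '.join(flags)}" if flags else ""))
```

Run on the two excerpts, the "persisted" group with flags is exactly the set the later replies in the thread keep chasing: the bare-name tskmgr.exe Run value, the rundll32 entry for 0oqw0ct0.dll, and the two Winlogon Notify hooks. The allow-list is deliberately tiny; on a real case you would extend it from a clean reference machine rather than from memory.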

Hi,

Matt is away, so I'll take over for him.

Let's try the manual fix.

  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.

Danny :thumbsup:


Warning! This utility will find legitimate files in addition to malware.

Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Sean\My Documents\My Downloads\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.

Volume Serial Number is 88DA-5EDA

Directory of C:\WINDOWS\System32

02/07/2006 10:51 PM 234,272 ivssuba.dll

02/07/2006 10:51 PM 234,962 r0r60a9sed.dll

02/07/2006 10:33 PM 234,272 kgdsf.dll

02/07/2006 10:33 PM 234,272 ibdetect.dll

02/05/2006 10:56 AM <DIR> dllcache

02/04/2006 03:56 AM <DIR> Microsoft

4 File(s) 937,778 bytes

2 Dir(s) 45,149,118,464 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.

Volume Serial Number is 88DA-5EDA

Directory of C:\WINDOWS\System32

02/05/2006 10:56 AM <DIR> dllcache

02/04/2006 03:51 AM 488 logonui.exe.manifest

02/04/2006 03:51 AM 488 WindowsLogon.manifest

02/04/2006 03:51 AM 749 nwc.cpl.manifest

02/04/2006 03:51 AM 749 sapi.cpl.manifest

02/04/2006 03:51 AM 749 ncpa.cpl.manifest

02/04/2006 03:51 AM 749 wuaucpl.cpl.manifest

02/04/2006 03:51 AM 749 cdplayer.exe.manifest

7 File(s) 4,721 bytes

1 Dir(s) 45,149,118,464 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.

Volume Serial Number is 88DA-5EDA

Directory of C:\WINDOWS\System32

------ Temp Files in System32 Directory ------

Volume in drive C has no label.

Volume Serial Number is 88DA-5EDA

Directory of C:\WINDOWS\System32

08/10/2004 06:00 AM 2,577 CONFIG.TMP

1 File(s) 2,577 bytes

0 Dir(s) 45,149,114,368 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"SV1"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

"DLLName"="Ati2evxx.dll"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000001

"Lock"="AtiLockEvent"

"Logoff"="AtiLogoffEvent"

"Logon"="AtiLogonEvent"

"Disconnect"="AtiDisConnectEvent"

"Reconnect"="AtiReConnectEvent"

"Safe"=dword:00000000

"Shutdown"="AtiShutdownEvent"

"StartScreenSaver"="AtiStartScreenSaverEvent"

"StartShell"="AtiStartShellEvent"

"Startup"="AtiStartupEvent"

"StopScreenSaver"="AtiStopScreenSaverEvent"

"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00

"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINDOWS\\system32\\r0r60a9sed.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hpprintx]

"DllName"=hex(2):68,70,70,72,69,6e,74,78,2e,64,6c,6c,00

"Startup"="hpprintx"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

"MaxWait"=dword:00000001

"nk453id"="[20882906427633-NG-Sean]"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]

"Asynchronous"=dword:00000000

"DllName"="WRLogonNTF.dll"

"Impersonate"=dword:00000001

"Lock"="WRLock"

"StartScreenSaver"="WRStartScreenSaver"

"StartShell"="WRStartShell"

"Startup"="WRStartup"

"StopScreenSaver"="WRStopScreenSaver"

"Unlock"="WRUnlock"

"Shutdown"="WRShutdown"

"Logoff"="WRLogoff"

"Logon"="WRLogon"

------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\

cdplay~1.man Sat Feb 4 2006 3:51:04a A..HR 749 0.73 K

ibdetect.dll Tue Feb 7 2006 10:33:12p ..S.R 234,272 228.78 K

ivssuba.dll Tue Feb 7 2006 10:51:40p ..S.R 234,272 228.78 K

kgdsf.dll Tue Feb 7 2006 10:33:20p ..S.R 234,272 228.78 K

logonu~1.man Sat Feb 4 2006 3:51:08a A..HR 488 0.48 K

ncpacp~1.man Sat Feb 4 2006 3:51:04a A..HR 749 0.73 K

nwccpl~1.man Sat Feb 4 2006 3:51:04a A..HR 749 0.73 K

r0r60a~1.dll Tue Feb 7 2006 10:51:40p ..S.R 234,962 229.45 K

sapicp~1.man Sat Feb 4 2006 3:51:04a A..HR 749 0.73 K

window~1.man Sat Feb 4 2006 3:51:08a A..HR 488 0.48 K

wuaucp~1.man Sat Feb 4 2006 3:51:04a A..HR 749 0.73 K

11 items found: 11 files, 0 directories.

Total of file sizes: 942,499 bytes 920.41 K

-------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\d3dx9_25.dll: D3DXUVAtlasPack

C:\WINDOWS\system32\MRT.exe: (ASPack)

C:\WINDOWS\system32\MRT.exe: (AsPack2k)

C:\WINDOWS\system32\MRT.exe: (ASPack 1.00b)

C:\WINDOWS\system32\MRT.exe: (ASPack 2.1)

C:\WINDOWS\system32\MRT.exe: (ASPack 2.12)

C:\WINDOWS\system32\MRT.exe: (ASPack 2.11)

C:\WINDOWS\system32\MRT.exe: (ASPack 2.000)

C:\WINDOWS\system32\MRT.exe: (ASPack 2.001)

C:\WINDOWS\system32\MRT.exe: (ASPack 2.11x)

C:\WINDOWS\system32\MRT.exe: ASPack2000

C:\WINDOWS\system32\MRT.exe: ASPack 1.61

C:\WINDOWS\system32\MRT.exe: ASPack 1.084

C:\WINDOWS\system32\MRT.exe: ASPack 1.083

C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b

C:\WINDOWS\system32\MRT.exe: ASPack 1.07b

C:\WINDOWS\system32\MRT.exe: ASPack 1.05b

C:\WINDOWS\system32\MRT.exe: ASPack 1.02

C:\WINDOWS\system32\MRT.exe: ASPACK

C:\WINDOWS\system32\MRT.exe: aspACK

C:\WINDOWS\system32\MRT.exe: aspACK

C:\WINDOWS\system32\MRT.exe: aspACK

C:\WINDOWS\system32\MRT.exe: aspACK

C:\WINDOWS\system32\MRT.exe: aspACK

C:\WINDOWS\system32\MRT.exe: aspACK

C:\WINDOWS\system32\MRT.exe: aspACK

C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE"

"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"

"6104308"="tskmgr.exe /ibpm"

"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"

"ASUS Probe"="C:\\Program Files\\ASUS\\Probe\\AsusProb.exe"

"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\

65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Click on the "All Files" button.

  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

    C:\WINDOWS\System32\ivssuba.dll
    C:\WINDOWS\System32\r0r60a9sed.dll
    C:\WINDOWS\System32\kgdsf.dll
    C:\WINDOWS\System32\ibdetect.dll
    C:\WINDOWS\SYSTEM32\ibdetect.dll
    C:\WINDOWS\SYSTEM32\ivssuba.dll
    C:\WINDOWS\SYSTEM32\kgdsf.dll
    C:\WINDOWS\SYSTEM32\logonu~1.man
    C:\WINDOWS\SYSTEM32\ncpacp~1.man
    C:\WINDOWS\SYSTEM32\nwccpl~1.man
    C:\WINDOWS\SYSTEM32\r0r60a~1.dll
    C:\WINDOWS\SYSTEM32\sapicp~1.man
    C:\WINDOWS\SYSTEM32\window~1.man
    C:\WINDOWS\SYSTEM32\wuaucp~1.man

  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "OK" at any PendingRenameOperations prompt.

Double-click on find.bat and post the new output.txt.

Danny :)

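The Killbox list above comes from reading the "Keys Under Notify" section of output.txt: a Winlogon Notify subkey (CSCSettings) pointing at a randomly named DLL is how r0r60a9sed.dll got loaded at every logon. As an added example that is not part of the thread or of the Find It tool, this Python script parses that REGEDIT4 export, decodes the hex(2) DllName values, and flags the entry registered by absolute path; the stock-subkey baseline, the severity labels and the abridged sample export are this example's own assumptions.

```python
import re

# Subkeys under Winlogon\Notify on a stock Windows XP SP2 install: this
# example's baseline assumption; anything else gets a vendor check.
STOCK_XP_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                   "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
NOTIFY_PREFIX = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
                 r"\CurrentVersion\Winlogon\Notify" + "\\")

# Constructed sample, abridged from the first output.txt in the thread.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"DllName"="C:\\WINDOWS\\system32\\r0r60a9sed.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hpprintx]
"DllName"=hex(2):68,70,70,72,69,6e,74,78,2e,64,6c,6c,00
"nk453id"="[20882906427633-NG-Sean]"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"DllName"="WRLogonNTF.dll"
'''


def decode_reg_value(raw):
    """REGEDIT4 payload -> text: a quoted string (\\ escapes) or a hex(2):
    REG_EXPAND_SZ byte list ending in NUL (63,72,79,... -> crypt32.dll)."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r"hex\(2\):(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.split(b"\x00", 1)[0].decode("latin-1")
    return raw


def parse_notify_export(text):
    """Map each Notify subkey to {value name (lower-cased): decoded value}."""
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = None
            if path.lower().startswith(NOTIFY_PREFIX.lower()):
                current = path[len(NOTIFY_PREFIX):]
                keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"').lower()] = decode_reg_value(value)
    return keys


def triage_notify(keys):
    """Return (subkey, dll, finding) tuples. The heuristics are this example's
    own: stock entries name a bare DLL resolved from System32, so an absolute
    path (how CSCSettings loaded r0r60a9sed.dll at every logon) is the
    strongest signal; an unknown subkey only needs a vendor check."""
    findings = []
    for subkey, values in keys.items():
        dll = values.get("dllname", "")
        if "\\" in dll or ":" in dll:
            findings.append((subkey, dll, "HIGH: DLL registered by absolute path"))
        elif subkey.lower() not in STOCK_XP_NOTIFY:
            findings.append((subkey, dll, "non-default subkey: confirm vendor and file"))
    return findings


if __name__ == "__main__":
    for subkey, dll, finding in triage_notify(parse_notify_export(SAMPLE_EXPORT)):
        print(f"{subkey:12} {dll:40} {finding}")
```

Run against a full export, the same parser leaves the stock entries alone and lists only the ATI, Webroot and hpprintx subkeys for a vendor check alongside the CSCSettings hit.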

NEW OUTPUT LOG>>>>>>>>>>>>>.

Warning! This utility will find legitimate files in addition to malware.

Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Sean\My Documents\My Downloads\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.

Volume Serial Number is 88DA-5EDA

Directory of C:\WINDOWS\System32

02/05/2006 10:56 AM <DIR> dllcache

02/04/2006 03:56 AM <DIR> Microsoft

0 File(s) 0 bytes

2 Dir(s) 44,617,871,360 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.

Volume Serial Number is 88DA-5EDA

Directory of C:\WINDOWS\System32

02/05/2006 10:56 AM <DIR> dllcache

02/04/2006 03:51 AM 749 cdplayer.exe.manifest

1 File(s) 749 bytes

1 Dir(s) 44,617,871,360 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.

Volume Serial Number is 88DA-5EDA

Directory of C:\WINDOWS\System32

------ Temp Files in System32 Directory ------

Volume in drive C has no label.

Volume Serial Number is 88DA-5EDA

Directory of C:\WINDOWS\System32

08/10/2004 06:00 AM 2,577 CONFIG.TMP

1 File(s) 2,577 bytes

0 Dir(s) 44,617,871,360 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"SV1"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

"DLLName"="Ati2evxx.dll"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000001

"Lock"="AtiLockEvent"

"Logoff"="AtiLogoffEvent"

"Logon"="AtiLogonEvent"

"Disconnect"="AtiDisConnectEvent"

"Reconnect"="AtiReConnectEvent"

"Safe"=dword:00000000

"Shutdown"="AtiShutdownEvent"

"StartScreenSaver"="AtiStartScreenSaverEvent"

"StartShell"="AtiStartShellEvent"

"Startup"="AtiStartupEvent"

"StopScreenSaver"="AtiStopScreenSaverEvent"

"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00

"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hpprintx]

"DllName"=hex(2):68,70,70,72,69,6e,74,78,2e,64,6c,6c,00

"Startup"="hpprintx"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

"MaxWait"=dword:00000001

"nk453id"="[20882906427633-NG-Sean]"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]

"Asynchronous"=dword:00000000

"DllName"="WRLogonNTF.dll"

"Impersonate"=dword:00000001

"Lock"="WRLock"

"StartScreenSaver"="WRStartScreenSaver"

"StartShell"="WRStartShell"

"Startup"="WRStartup"

"StopScreenSaver"="WRStopScreenSaver"

"Unlock"="WRUnlock"

"Shutdown"="WRShutdown"

"Logoff"="WRLogoff"

"Logon"="WRLogon"

------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\

cdplay~1.man Sat Feb 4 2006 3:51:04a A..HR 749 0.73 K

1 item found: 1 file, 0 directories.

Total of file sizes: 749 bytes 0.73 K

-------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\d3dx9_25.dll: D3DXUVAtlasPack

C:\WINDOWS\system32\MRT.exe: (ASPack)

C:\WINDOWS\system32\MRT.exe: (AsPack2k)

C:\WINDOWS\system32\MRT.exe: (ASPack 1.00b)

C:\WINDOWS\system32\MRT.exe: (ASPack 2.1)

C:\WINDOWS\system32\MRT.exe: (ASPack 2.12)

C:\WINDOWS\system32\MRT.exe: (ASPack 2.11)

C:\WINDOWS\system32\MRT.exe: (ASPack 2.000)

C:\WINDOWS\system32\MRT.exe: (ASPack 2.001)

C:\WINDOWS\system32\MRT.exe: (ASPack 2.11x)

C:\WINDOWS\system32\MRT.exe: ASPack2000

C:\WINDOWS\system32\MRT.exe: ASPack 1.61

C:\WINDOWS\system32\MRT.exe: ASPack 1.084

C:\WINDOWS\system32\MRT.exe: ASPack 1.083

C:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b

C:\WINDOWS\system32\MRT.exe: ASPack 1.07b

C:\WINDOWS\system32\MRT.exe: ASPack 1.05b

C:\WINDOWS\system32\MRT.exe: ASPack 1.02

C:\WINDOWS\system32\MRT.exe: ASPACK

C:\WINDOWS\system32\MRT.exe: aspACK

C:\WINDOWS\system32\MRT.exe: aspACK

C:\WINDOWS\system32\MRT.exe: aspACK

C:\WINDOWS\system32\MRT.exe: aspACK

C:\WINDOWS\system32\MRT.exe: aspACK

C:\WINDOWS\system32\MRT.exe: aspACK

C:\WINDOWS\system32\MRT.exe: aspACK

C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE"

"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"

"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"

"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"


Hi,

Can you please try this:

Please download Look2Me-Destroyer.exe to your desktop.

  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message; click OK.
  • When completed, you will receive the message "Done removing infected files! Look2Me-Destroyer will now shutdown your computer"; click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.

http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
