12-02-2004, 12:45 PM   #21
pperpich (Member; Join Date: Dec 2004; Posts: 24; OS: WinXP)

ERD Commander

I have a copy of ERD Commander handy. If I could infect a machine locally, I could use that to find registry entries and files...
12-02-2004, 04:37 PM   #22
MicroBell (Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter; Join Date: Sep 2004; Location: Carmichaels, PA-USA; Posts: 6,954; OS: Windows XP-Pro SP2)

pperpich:

Let's try the following...

There's a 5-day trial program called Adware Away. It has success stories of removing these programs listed here: http://adwareaway.com/list.htm

Run Adware Away. To ensure IGetNet is not present, follow these steps as well.

The IGetNet infection also tampers with the recycle bin, so once you clean with Cleanup, check your recycle bin manually to ensure the files are gone.

Download and remove IGN Keywords; try this uninstaller: http://www.igetnet.com/downloads/NLNuninstall.exe

Then the look2me Uninstaller:
http://www.look2me.com/cgi-bin/UnInstaller

Download the following tool and install it in its own folder:

http://www.hijackthislogs.com/dl/VX2Finder(126).exe

Press 'Click to Find VX2.BetterInternet'.
Press 'Make Log' and post it in this thread for review.

Now download PrcView. Unzip it to its own folder on C:\. Run PrcView...click View...Module Usage. Once that opens...hit F2...save it as a text file. Post that log in your next post.

FYI..Forgot to add...we are going after the offending DLL and EXE in this process, and once we ID it...we will also be editing the registry keys out.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder

Last edited by MicroBell : 12-02-2004 at 04:49 PM.
12-02-2004, 08:10 PM   #23
MicroBell (Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter; Join Date: Sep 2004; Location: Carmichaels, PA-USA; Posts: 6,954; OS: Windows XP-Pro SP2)

pperpich:

You will need the following tools at one point or another...so please get them when you have time..

Look2 Me uninstaller http://www.look2me.com/cgi-bin/UnInstaller
IGN Keyword Uninstaller http://www.igetnet.com/downloads/NLNuninstall.exe
LSP Fix http://www.greyknight17.com/spy/Winsock2Fix.zip
PrcView http://www.pcworld.com/downloads/fil...id,6102,00.asp
Adware Away http://adwareaway.com/download/AdwareAway.exe
Hoster http://members.aol.com/toadbee/hoster.zip
Cleanup http://cleanup.stevengould.org/
CWS Reg Cleaner http://www.hijackthislogs.com/dl/cws_swapx.reg
KillBox http://www.greyknight17.com/spy/killbox.zip
12-02-2004, 08:37 PM   #24
pperpich (Member; Join Date: Dec 2004; Posts: 24; OS: WinXP)

Sounds good, thanks again. I'll get started on that in the morning. I had hoped to infect a PC as a test machine to work on this from home too, but had no luck. Can you believe that? :)
12-03-2004, 09:49 AM   #25
pperpich (Member; Join Date: Dec 2004; Posts: 24; OS: WinXP)

Ok, downloaded all those programs and am now following the directions above. I hope you still want me to try those as I noticed you had a much longer recommendation here:

http://techsupportforum.com/showthread.php?t=26465

Adware Away found 11 objects, mostly LSP, but also SahAgent.exe. All removed.

The recycle bin icon shows there is stuff in there, but when I open it there is nothing in there. When I try to empty it, it says there are 5 items...but I can try to empty it over and over with no success. Cleanup didn't help this either.

NLNUninstall crashes when run.

Look2me: it said no application found.

VX2 LOG:
Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---
C:\WINNT\system32\spOrder.dll

Keys Under Notify---crypt32chain
Keys Under Notify---cryptnet
Keys Under Notify---cscdll
Keys Under Notify---Extensions
Keys Under Notify---igfxcui
Keys Under Notify---NavLogon
Keys Under Notify---sclgntfy
Keys Under Notify---SensLogn
Keys Under Notify---wzcnotif


Guardian Key--- is called:

User Agent String---
{927063D6-1200-4F68-8450-38CFBB94726C}

PRCView module Log:

smss.exe 48580000 57344 1 C:\WINNT\System32\smss.exe
VNCHOOKS.DLL 036d0000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
msv1_0.dll 035a0000 135168 1 C:\WINNT\system32\msv1_0.dll
cryptnet.dll 7c700000 73728 1 C:\WINNT\system32\cryptnet.dll
WZCSAPI.DLL 02ec0000 40960 1 C:\WINNT\system32\WZCSAPI.DLL
wzcdlg.dll 02ea0000 69632 1 C:\WINNT\system32\wzcdlg.dll
ktjul7191.dll 01f80000 479232 1 C:\WINNT\system32\ktjul7191.dll
CERTCLI.DLL 75570000 147456 1 C:\WINNT\system32\CERTCLI.DLL
WlNotify.dll 76920000 65536 1 C:\WINNT\system32\WlNotify.dll
lsp.dll 015d0000 57344 1 C:\WINNT\system32\lsp.dll
mscat32.dll 76a00000 20480 1 C:\WINNT\system32\mscat32.dll
msgina.dll 76b90000 348160 1 C:\WINNT\system32\msgina.dll
PROFMAP.dll 690f0000 45056 1 C:\WINNT\system32\PROFMAP.dll
NDdeApi.dll 769a0000 28672 1 C:\WINNT\system32\NDdeApi.dll
winlogon.exe 01000000 192512 1 C:\WINNT\system32\winlogon.exe
wmicore.dll 76750000 86016 1 C:\WINNT\system32\wmicore.dll
browser.dll 7c4c0000 81920 1 C:\WINNT\system32\browser.dll
w32time.dll 76790000 61440 1 C:\WINNT\system32\w32time.dll
trkwks.dll 767c0000 102400 1 C:\WINNT\system32\trkwks.dll
seclogon.dll 76800000 28672 1 C:\WINNT\system32\seclogon.dll
psbase.dll 765f0000 126976 1 C:\WINNT\system32\psbase.dll
cryptsvc.dll 768d0000 81920 1 C:\WINNT\system32\cryptsvc.dll
msgsvc.dll 76870000 49152 1 C:\WINNT\system32\msgsvc.dll
Srvsvc.dll 767e0000 90112 1 C:\WINNT\system32\Srvsvc.dll
dmserver.dll 768c0000 24576 1 C:\WINNT\system32\dmserver.dll
ESENT.dll 70170000 1155072 1 C:\WINNT\system32\ESENT.dll
wkssvc.dll 76770000 110592 1 C:\WINNT\system32\wkssvc.dll
lmhsvc.dll 76880000 24576 1 C:\WINNT\system32\lmhsvc.dll
dnsrslvr.dll 768a0000 102400 1 C:\WINNT\system32\dnsrslvr.dll
eventlog.dll 76890000 61440 1 C:\WINNT\system32\eventlog.dll
SCESRV.DLL 76460000 266240 1 C:\WINNT\system32\SCESRV.DLL
UMPNPMGR.DLL 767a0000 98304 1 C:\WINNT\system32\UMPNPMGR.DLL
services.exe 01000000 98304 1 C:\WINNT\system32\services.exe
dssenh.dll 67400000 159744 1 C:\WINNT\system32\dssenh.dll
oakley.DLL 7c4e0000 528384 1 C:\WINNT\system32\oakley.DLL
polagent.dll 764e0000 122880 1 C:\WINNT\system32\polagent.dll
lsp.dll 01150000 57344 1 C:\WINNT\system32\lsp.dll
rsaenh.dll 01120000 143360 1 C:\WINNT\system32\rsaenh.dll
scecli.dll 76430000 122880 1 C:\WINNT\system32\scecli.dll
netlogon.dll 76580000 380928 1 C:\WINNT\system32\netlogon.dll
msprivs.dll 765e0000 57344 1 C:\WINNT\system32\msprivs.dll
SAMSRV.DLL 7c3b0000 397312 1 C:\WINNT\system32\SAMSRV.DLL
LSASRV.dll 78540000 528384 1 C:\WINNT\system32\LSASRV.dll
lsass.exe 01000000 40960 1 C:\WINNT\system32\lsass.exe
msv1_0.dll 782d0000 135168 2 C:\WINNT\system32\msv1_0.dll
lsp.dll 00540000 57344 1 C:\WINNT\system32\lsp.dll
rsaenh.dll 7ca00000 143360 3 C:\WINNT\system32\rsaenh.dll
rpcss.dll 7c830000 274432 1 c:\winnt\system32\rpcss.dll
inetpp.dll 76b00000 77824 1 C:\WINNT\system32\inetpp.dll
win32spl.dll 76a50000 126976 1 C:\WINNT\system32\win32spl.dll
lsp.dll 00dd0000 57344 1 C:\WINNT\system32\lsp.dll
usbmon.dll 76a70000 24576 1 C:\WINNT\system32\usbmon.dll
tcpmon.dll 76a80000 53248 1 C:\WINNT\system32\tcpmon.dll
pjlmon.dll 76ab0000 28672 1 C:\WINNT\system32\pjlmon.dll
LPRHELP.dll 6ca50000 24576 1 C:\WINNT\system32\LPRHELP.dll
lprmon.dll 6ca40000 32768 1 C:\WINNT\system32\lprmon.dll
LNCPrinterPort.dll 00d70000 65536 1 C:\WINNT\system32\LNCPrinterPort.dll
CCMONNT.DLL 10180000 69632 1 C:\WINNT\system32\CCMONNT.DLL
cnbjmon.dll 733e0000 57344 1 C:\WINNT\system32\cnbjmon.dll
localspl.dll 76120000 270336 1 C:\WINNT\system32\localspl.dll
SPOOLSS.DLL 76a90000 94208 1 C:\WINNT\system32\SPOOLSS.DLL
spoolsv.exe 01000000 53248 1 C:\WINNT\system32\spoolsv.exe
VNCHOOKS.DLL 01c70000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
Cwbnetnt.dll 67870000 24576 1 C:\Program Files\IBM\Client Access\Shared\Cwbnetnt.dll
lsp.dll 01560000 57344 1 C:\WINNT\system32\lsp.dll
AClient.exe 00400000 4853760 1 C:\Program Files\Altiris\AClient\AClient.exe
VNCHOOKS.DLL 08e10000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
msi.dll 07410000 2113536 1 C:\WINNT\system32\msi.dll
rsaenh.dll 063a0000 143360 1 C:\WINNT\system32\rsaenh.dll
CRYPTDLL.DLL 76670000 57344 5 C:\WINNT\system32\CRYPTDLL.DLL
kerberos.dll 78280000 221184 4 C:\WINNT\system32\kerberos.dll
Perfctrs.dll 692c0000 53248 1 C:\WINNT\system32\Perfctrs.dll
tapiperf.dll 66e80000 20480 1 C:\WINNT\system32\tapiperf.dll
rsvpperf.dll 685b0000 24576 1 C:\WINNT\System32\rsvpperf.dll
rasctrs.dll 68c20000 24576 1 C:\WINNT\System32\rasctrs.dll
perfproc.dll 69270000 40960 1 C:\WINNT\system32\perfproc.dll
perfos.dll 69280000 36864 1 C:\WINNT\system32\perfos.dll
perfnet.dll 692a0000 32768 1 C:\WINNT\system32\perfnet.dll
perfdisk.dll 692b0000 32768 1 C:\WINNT\system32\perfdisk.dll
MSDTCLOG.dll 6b6f0000 126976 1 C:\WINNT\system32\MSDTCLOG.dll
MFC42u.DLL 76fb0000 1028096 2 C:\WINNT\system32\MFC42u.DLL
msdtcui.DLL 6b510000 184320 1 C:\WINNT\system32\msdtcui.DLL
loadperf.dll 754d0000 81920 1 C:\WINNT\System32\loadperf.dll
snmpapi.dll 754c0000 32768 1 C:\WINNT\System32\snmpapi.dll
MSVCP50.dll 780c0000 577536 1 C:\WINNT\System32\MSVCP50.dll
iasperf.dll 6ec10000 32768 1 C:\WINNT\System32\iasperf.dll
faxperf.dll 70040000 20480 1 C:\WINNT\system32\faxperf.dll
query.dll 785d0000 1454080 1 C:\WINNT\system32\query.dll
aspnet_isapi.dll 79e60000 266240 1 C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
MSVCR71.dll 053c0000 352256 1 C:\WINNT\Microsoft.NET\Framework\v1.1.4322\MSVCR71.dll
perfcounter.dll 79970000 90112 1 C:\WINNT\Microsoft.NET\Framework\v1.1.4322\perfcounter.dll
mscoree.dll 79170000 155648 1 C:\WINNT\system32\mscoree.dll
netfxperf.dll 79fd0000 32768 1 C:\WINNT\system32\netfxperf.dll
pdh.dll 692e0000 159744 1 C:\WINNT\system32\pdh.dll
AeXSystemPerformance.dll 04870000 172032 1 C:\WINNT\system32\AeXSystemPerformance.dll
AeXPackageDelivery.dll 03dc0000 475136 1 C:\Program Files\Common Files\Altiris\AeXPackageDelivery.dll
rsabase.dll 7ca00000 143360 2 C:\WINNT\system32\rsabase.dll
lsp.dll 031a0000 57344 1 C:\WINNT\system32\lsp.dll
AeXAMAgent.dll 023f0000 331776 1 C:\Program Files\Altiris\eXpress\NS Client\AeXAMAgent.dll
PatchMgmtAgents.dll 02230000 618496 1 C:\Program Files\Altiris\PatchMgmtAgent\PatchMgmtAgents.dll
AeXBasicInventory.dll 020a0000 360448 1 C:\Program Files\Altiris\eXpress\NS Client\AeXBasicInventory.dll
AeXSWDAgent.dll 01ea0000 983040 1 C:\Program Files\Altiris\eXpress\NS Client\AeXSWDAgent.dll
AeXNetComms.dll 01c70000 868352 1 C:\Program Files\Common Files\Altiris\AeXNetComms.dll
AeXTaskSchedulerLib.dll 019f0000 446464 1 C:\Program Files\Altiris\eXpress\NS Client\AeXTaskSchedulerLib.dll
AeXAgentUI.dll 01950000 577536 1 C:\Program Files\Altiris\eXpress\NS Client\AeXAgentUI.dll
msxml3.dll 74980000 1245184 1 C:\WINNT\system32\msxml3.dll
AeXNSAgent.exe 00400000 552960 1 C:\Program Files\Altiris\eXpress\NS Client\AeXNSAgent.exe
ccsrvc.exe 30010000 20480 1 C:\WINNT\system32\ccsrvc.exe
lsp.dll 00fa0000 57344 1 C:\WINNT\system32\lsp.dll
CWBARMSG.DLL 629b0000 16384 1 C:\Program Files\IBM\Client Access\Mri2924\CWBARMSG.DLL
CWBMSGB.DLL 63670000 16384 1 C:\Program Files\IBM\Client Access\Mri2924\CWBMSGB.DLL
cwbbb.dll 67680000 28672 1 C:\WINNT\system32\cwbbb.dll
cwbar.dll 67690000 24576 1 C:\WINNT\system32\cwbar.dll
cwbco.dll 675b0000 266240 1 C:\WINNT\system32\cwbco.dll
CWBRXD.EXE 00400000 53248 1 C:\WINNT\CWBRXD.EXE
VNCHOOKS.DLL 01ea0000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
lsp.dll 015b0000 57344 1 C:\WINNT\system32\lsp.dll
cdwsock.dll 10230000 163840 1 C:\PROGRA~1\Altiris\CARBON~1\cdwsock.dll
gcc.dll 10300000 53248 1 C:\PROGRA~1\Altiris\CARBON~1\gcc.dll
CCDOSKEY.DLL 10130000 28672 1 C:\Program Files\Altiris\Carbon Copy\CCDOSKEY.DLL
iutility.dll 10350000 81920 1 C:\Program Files\Altiris\Carbon Copy\iutility.dll
SECUI.DLL 106a0000 53248 1 C:\Program Files\Altiris\Carbon Copy\SECUI.DLL
MSVCP60.dll 104e0000 397312 1 C:\Program Files\Altiris\Carbon Copy\MSVCP60.dll
MsgLog.dll 104d0000 53248 1 C:\Program Files\Altiris\Carbon Copy\MsgLog.dll
userprof.dll 106d0000 229376 1 C:\Program Files\Altiris\Carbon Copy\userprof.dll
NETINFO.dll 10550000 28672 1 C:\Program Files\Altiris\Carbon Copy\NETINFO.dll
CommDevs.dll 10270000 49152 1 C:\Program Files\Altiris\Carbon Copy\CommDevs.dll
PhoneBk.dll 10560000 110592 1 C:\Program Files\Altiris\Carbon Copy\PhoneBk.dll
Platform.dll 10580000 98304 1 C:\Program Files\Altiris\Carbon Copy\Platform.dll
registry.dll 10650000 163840 1 C:\Program Files\Altiris\Carbon Copy\registry.dll
CONMGRUI.dll 10280000 159744 1 C:\Program Files\Altiris\Carbon Copy\CONMGRUI.dll
MCMSGBOX.dll 10390000 40960 1 C:\Program Files\Altiris\Carbon Copy\MCMSGBOX.dll
shellker.exe 30760000 593920 1 C:\Program Files\Altiris\Carbon Copy\shellker.exe
DefWatch.exe 00400000 32768 1 c:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
WMI.dll 76110000 16384 1 C:\WINNT\System32\WMI.dll
netman.dll 76270000 106496 1 c:\winnt\system32\netman.dll
NTMSDBA.dll 76240000 180224 1 C:\WINNT\System32\NTMSDBA.dll
WinSCard.dll 76960000 94208 2 C:\WINNT\System32\WinSCard.dll
SCHANNEL.dll 78160000 159744 2 C:\WINNT\System32\SCHANNEL.dll
WINTRUST.dll 76930000 176128 2 C:\WINNT\System32\WINTRUST.dll
CRYPTUI.dll 75940000 454656 1 C:\WINNT\System32\CRYPTUI.dll
rastls.dll 7c020000 114688 1 C:\WINNT\System32\rastls.dll
raschap.dll 7c000000 69632 1 C:\WINNT\System32\raschap.dll
ntlsapi.dll 756e0000 20480 1 C:\WINNT\System32\ntlsapi.dll
rasppp.dll 75900000 212992 1 C:\WINNT\System32\rasppp.dll
h323.tsp 64560000 278528 1 C:\WINNT\System32\h323.tsp
ipconf.tsp 64550000 24576 1 C:\WINNT\System32\ipconf.tsp
ndptsp.tsp 64530000 49152 1 C:\WINNT\System32\ndptsp.tsp
kmddsp.tsp 64540000 32768 1 C:\WINNT\System32\kmddsp.tsp
CFGMGR32.dll 770b0000 28672 2 C:\WINNT\System32\CFGMGR32.dll
uniplat.dll 75600000 28672 1 C:\WINNT\System32\uniplat.dll
unimdm.tsp 644d0000 212992 1 C:\WINNT\System32\unimdm.tsp
rastapi.dll 75670000 65536 1 C:\WINNT\System32\rastapi.dll
RASDLG.dll 75870000 536576 1 c:\winnt\system32\RASDLG.dll
netcfgx.dll 6a4b0000 561152 1 c:\winnt\system32\netcfgx.dll
rasmans.dll 75710000 176128 1 c:\winnt\system32\rasmans.dll
RESUTILS.DLL 689d0000 53248 2 C:\WINNT\System32\RESUTILS.DLL
CLUSAPI.DLL 73930000 65536 2 C:\WINNT\System32\CLUSAPI.DLL
MTXCLU.DLL 6a7a0000 65536 2 C:\WINNT\System32\MTXCLU.DLL
MSDTCPRX.dll 6df80000 749568 2 C:\WINNT\System32\MSDTCPRX.dll
COMSVCS.DLL 78740000 1503232 1 C:\WINNT\System32\COMSVCS.DLL
tapisrv.dll 66df0000 180224 1 c:\winnt\system32\tapisrv.dll
sens.dll 76180000 49152 1 c:\winnt\system32\sens.dll
ntmssvc.dll 761d0000 409600 1 c:\winnt\system32\ntmssvc.dll
ntmulti.exe 00400000 61440 1 C:\Lotus\Notes\ntmulti.exe
VNCHOOKS.DLL 06450000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
Dec2TNEF.dll 06430000 69632 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Dec2TNEF.dll
Dec2TAR.dll 51b70000 45056 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Dec2TAR.dll
Dec2RTF.dll 51b50000 61440 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Dec2RTF.dll
Dec2SS.dll 51b60000 53248 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Dec2SS.dll
Dec2MIME.dll 51b30000 102400 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Dec2MIME.dll
Dec2LZ.dll 51b20000 36864 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Dec2LZ.dll
Dec2LHA.dll 51b00000 77824 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Dec2LHA.dll
Dec2HQX.dll 51ae0000 40960 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Dec2HQX.dll
Dec2GZIP.dll 51ac0000 77824 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Dec2GZIP.dll
Dec2EXE.dll 51a70000 61440 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Dec2EXE.dll
Dec2CAB.dll 51a60000 61440 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Dec2CAB.dll
Dec2ARJ.dll 51a50000 40960 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Dec2ARJ.dll
Dec2AMG.dll 51a30000 90112 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Dec2AMG.dll
Dec2UUE.dll 51b90000 45056 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Dec2UUE.dll
Dec2ID.dll 51af0000 36864 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Dec2ID.dll
Dec2ZIP.dll 51ba0000 217088 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Dec2ZIP.dll
Dec2.dll 51a20000 32768 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Dec2.dll
DecSDK.dll 51be0000 57344 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DecSDK.dll
NAVAP32.DLL 51300000 57344 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAP32.DLL
NAVENG32.DLL 692c0000 118784 1 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20041202.036\NAVENG32.DLL
NAVEX32a.DLL 69100000 688128 1 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20041202.036\NAVEX32a.DLL
NotesExt.dll 516f0000 77824 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NotesExt.dll
NAVAPI32.DLL 51370000 200704 1 c:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAPI32.DLL
i2ldvp3.dll 51480000 315392 1 c:\PROGRA~1\SYMANT~1\SYMANT~1\i2ldvp3.dll
lsp.dll 00e70000 57344 1 C:\WINNT\system32\lsp.dll
NAVNTUTL.DLL 00d50000 53248 1 c:\PROGRA~1\SYMANT~1\SYMANT~1\NAVNTUTL.DLL
NAVLU.dll 516a0000 69632 1 c:\PROGRA~1\SYMANT~1\SYMANT~1\NAVLU.dll
Rtvscan.exe 00400000 958464 1 c:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
regsvc.exe 01000000 86016 1 C:\WINNT\system32\regsvc.exe
lsp.dll 01020000 57344 1 C:\WINNT\system32\lsp.dll
PDS.DLL 50270000 73728 2 C:\WINNT\system32\PDS.DLL
NTS.dll 50250000 81920 2 C:\WINNT\system32\NTS.dll
MsgSys.dll 50240000 40960 2 C:\WINNT\system32\MsgSys.dll
CBA.DLL 501e0000 28672 2 C:\WINNT\system32\CBA.DLL
Transman.dll 007e0000 450560 1 c:\Program Files\Common Files\Symantec Shared\SSC\Transman.dll
SavRoam.exe 00400000 147456 1 C:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
VNCHOOKS.DLL 01020000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
MSIDLE.DLL 76a40000 24576 1 C:\WINNT\system32\MSIDLE.DLL
lsp.dll 00840000 57344 1 C:\WINNT\system32\lsp.dll
mswsock.dll 74ff0000 73728 6 C:\WINNT\system32\mswsock.dll
MSTask.exe 01000000 126976 1 C:\WINNT\system32\MSTask.exe
wbemcomn.dll 65c20000 708608 1 C:\WINNT\System32\WBEM\wbemcomn.dll
WinMgmt.exe 00400000 196608 1 C:\WINNT\System32\WBEM\WinMgmt.exe
winhttp.dll 76080000 327680 3 C:\WINNT\system32\winhttp.dll
msv1_0.dll 00a00000 135168 1 C:\WINNT\system32\msv1_0.dll
TxfAux.Dll 6de80000 409600 3 C:\WINNT\System32\TxfAux.Dll
es.dll 76290000 249856 3 C:\WINNT\System32\es.dll
NTMARTA.DLL 69bf0000 118784 4 C:\WINNT\system32\NTMARTA.DLL
REGAPI.dll 68a80000 45056 1 C:\WINNT\system32\REGAPI.dll
UTILDLL.dll 66640000 40960 1 C:\WINNT\system32\UTILDLL.dll
WTSAPI32.dll 655e0000 28672 1 C:\WINNT\system32\WTSAPI32.dll
WINSTA.dll 65780000 53248 4 C:\WINNT\system32\WINSTA.dll
ADVPACK.dll 715f0000 159744 1 C:\WINNT\system32\ADVPACK.dll
wuaueng.dll 00480000 204800 1 C:\WINNT\system32\wuaueng.dll
wuauserv.dll 00460000 24576 1 c:\winnt\system32\wuauserv.dll
svchost.exe 01000000 20480 3 C:\WINNT\system32\svchost.exe
VNCHOOKS.DLL 01c30000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
qsqoui.dll 01bc0000 36864 1 C:\WINNT\system32\qsqoui.dll
sensapi.dll 75ab0000 20480 3 C:\WINNT\system32\sensapi.dll
pjxdll.dll 007f0000 479232 1 C:\WINNT\system32\pjxdll.dll
rundll32.exe 01000000 16384 1 C:\WINNT\system32\rundll32.exe
CWBMSGB.DLL 04910000 16384 1 C:\Program Files\IBM\Client Access\Mri2924\CWBMSGB.DLL
cwbab1.dll 676c0000 24576 2 C:\WINNT\system32\cwbab1.dll
cwbuireg.dll 67170000 28672 2 C:\WINNT\system32\cwbuireg.dll
cwbnldlg.dll 67490000 24576 2 C:\WINNT\system32\cwbnldlg.dll
cwbmsgbx.dll 674e0000 36864 2 C:\WINNT\system32\cwbmsgbx.dll
cwbad.dll 676b0000 53248 2 C:\WINNT\system32\cwbad.dll
cwbnltrn.dll 67480000 24576 2 C:\WINNT\system32\cwbnltrn.dll
cwbab.dll 676d0000 45056 2 C:\WINNT\system32\cwbab.dll
cwbadnrt.dll 668d0000 73728 2 C:\WINNT\system32\cwbadnrt.dll
cwbcftft.dll 67600000 24576 2 C:\WINNT\system32\cwbcftft.dll
cwbcf.dll 67610000 98304 2 C:\WINNT\system32\cwbcf.dll
cwbnl1.dll 674a0000 36864 2 C:\WINNT\system32\cwbnl1.dll
MSVCIRT.dll 780a0000 73728 2 C:\WINNT\system32\MSVCIRT.dll
cwbrw.dll 673a0000 172032 2 C:\WINNT\system32\cwbrw.dll
cwbbb1.dll 67670000 32768 2 C:\WINNT\system32\cwbbb1.dll
cwbsv.dll 671a0000 114688 2 C:\WINNT\system32\cwbsv.dll
cwbnl.dll 674b0000 98304 2 C:\WINNT\system32\cwbnl.dll
cwbunddh.dll 654d0000 32768 1 C:\Program Files\IBM\Client Access\Shared\cwbunddh.dll
hccutils.DLL 047b0000 122880 1 C:\WINNT\system32\hccutils.DLL
igfxpph.dll 04770000 225280 1 C:\WINNT\system32\igfxpph.dll
jscript.dll 6b700000 589824 1 C:\WINNT\system32\jscript.dll
mshtmled.dll 70f30000 450560 1 C:\WINNT\system32\mshtmled.dll
IMM32.DLL 75e60000 106496 2 C:\WINNT\system32\IMM32.DLL
gzgoql.dll 03850000 20480 1 C:\WINNT\system32\gzgoql.dll
USP10.DLL 66650000 344064 1 C:\WINNT\system32\USP10.DLL
occache.dll 037f0000 98304 1 C:\WINNT\system32\occache.dll
mstask.dll 6ac20000 225280 1 C:\WINNT\System32\mstask.dll
msadp32.acm 75d40000 24576 1 C:\WINNT\system32\msadp32.acm
imgutil.dll 70510000 40960 1 C:\WINNT\system32\imgutil.dll
webvw.dll 658f0000 1130496 1 C:\WINNT\System32\webvw.dll
MSLS31.DLL 75ac0000 163840 1 C:\WINNT\system32\MSLS31.DLL
mshtml.dll 63580000 2830336 1 C:\WINNT\system32\mshtml.dll
mlang.dll 70440000 585728 1 C:\WINNT\system32\mlang.dll
faxshell.dll 70020000 20480 1 C:\WINNT\system32\faxshell.dll
AVIFIL32.DLL 74870000 90112 1 C:\WINNT\System32\AVIFIL32.DLL
MSVFW32.DLL 6a8f0000 131072 1 C:\WINNT\System32\MSVFW32.DLL
docprop2.dll 71f00000 315392 1 C:\WINNT\System32\docprop2.dll
browselc.dll 71960000 73728 1 C:\WINNT\system32\browselc.dll
tds3shl.dll 02c60000 32768 1 C:\WINNT\system32\tds3shl.dll
vpshell2.dll 02c10000 40960 1 c:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
VNCHOOKS.DLL 02770000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
LINKINFO.DLL 76710000 32768 1 C:\WINNT\system32\LINKINFO.DLL
shdoclc.dll 718c0000 540672 1 C:\WINNT\system32\shdoclc.dll
qsqoui.dll 02310000 36864 1 C:\WINNT\system32\qsqoui.dll
MSACM32.dll 77410000 77824 2 C:\WINNT\system32\MSACM32.dll
msacm32.drv 77400000 32768 2 C:\WINNT\system32\msacm32.drv
wdmaud.drv 77560000 32768 2 C:\WINNT\system32\wdmaud.drv
MSI.DLL 01db0000 2113536 1 C:\WINNT\system32\MSI.DLL
POWRPROF.DLL 766f0000 28672 1 C:\WINNT\system32\POWRPROF.DLL
BATMETER.DLL 76740000 32768 1 C:\WINNT\system32\BATMETER.DLL
stobject.dll 766d0000 98304 1 C:\WINNT\system32\stobject.dll
webcheck.dll 70340000 266240 1 C:\WINNT\system32\webcheck.dll
NETSHELL.dll 76f20000 487424 2 C:\WINNT\system32\NETSHELL.dll
mydocs.dll 76df0000 69632 1 C:\WINNT\system32\mydocs.dll
urlmon.dll 1a400000 503808 4 C:\WINNT\system32\urlmon.dll
oledlg.dll 752f0000 126976 3 C:\WINNT\system32\oledlg.dll
pjxdll.dll 00fc0000 479232 1 C:\WINNT\system32\pjxdll.dll
SHDOCVW.DLL 00e20000 1347584 1 C:\WINNT\system32\SHDOCVW.DLL
AcLayers.DLL 23000000 352256 1 C:\WINNT\AppPatch\AcLayers.DLL
Explorer.EXE 00400000 253952 1 C:\WINNT\Explorer.EXE
VNCHOOKS.DLL 01270000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
SECUI.DLL 106a0000 53248 1 C:\PROGRA~1\Altiris\CARBON~1\SECUI.DLL
shim.dll 732e0000 151552 2 C:\WINNT\system32\shim.dll
MSVCP60.dll 104e0000 397312 1 C:\PROGRA~1\Altiris\CARBON~1\MSVCP60.dll
MsgLog.dll 104d0000 53248 1 C:\PROGRA~1\Altiris\CARBON~1\MsgLog.dll
userprof.dll 106d0000 229376 1 C:\PROGRA~1\Altiris\CARBON~1\userprof.dll
MCMSGBOX.dll 10390000 40960 1 C:\PROGRA~1\Altiris\CARBON~1\MCMSGBOX.dll
NETINFO.dll 10550000 28672 1 C:\PROGRA~1\Altiris\CARBON~1\NETINFO.dll
CommDevs.dll 10270000 49152 1 C:\PROGRA~1\Altiris\CARBON~1\CommDevs.dll
Platform.dll 10580000 98304 1 C:\PROGRA~1\Altiris\CARBON~1\Platform.dll
registry.dll 10650000 163840 1 C:\PROGRA~1\Altiris\CARBON~1\registry.dll
PhoneBk.dll 10560000 110592 1 C:\PROGRA~1\Altiris\CARBON~1\PhoneBk.dll
client.exe 00400000 606208 1 C:\PROGRA~1\Altiris\CARBON~1\client.exe
VNCHOOKS.DLL 01350000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
qsqoui.dll 010a0000 36864 1 C:\WINNT\system32\qsqoui.dll
igfxress.dll 00fb0000 913408 1 C:\WINNT\system32\igfxress.dll
igfxres.dll 00f70000 159744 1 C:\WINNT\system32\igfxres.dll
igfxsrvc.dll 00f00000 331776 1 C:\WINNT\system32\igfxsrvc.dll
igfxdev.dll 00e40000 159744 1 C:\WINNT\system32\igfxdev.dll
AMInit.dll 007b0000 69632 1 C:\WINNT\system32\AMInit.dll
igfxtray.exe 00400000 176128 1 C:\WINNT\system32\igfxtray.exe
VNCHOOKS.DLL 01390000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
qsqoui.dll 010e0000 36864 1 C:\WINNT\system32\qsqoui.dll
igfxres.dll 00fa0000 159744 1 C:\WINNT\system32\igfxres.dll
igfxhk.dll 00f60000 135168 1 C:\WINNT\system32\igfxhk.dll
igfxsrvc.dll 00ef0000 331776 1 C:\WINNT\system32\igfxsrvc.dll
igfxdev.dll 00e30000 159744 1 C:\WINNT\system32\igfxdev.dll
AMInit.dll 007a0000 69632 1 C:\WINNT\system32\AMInit.dll
hccutils.DLL 10000000 122880 2 C:\WINNT\system32\hccutils.DLL
hkcmd.exe 00400000 126976 1 C:\WINNT\system32\hkcmd.exe
VNCHOOKS.DLL 012b0000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
qsqoui.dll 01140000 36864 1 C:\WINNT\system32\qsqoui.dll
lsp.dll 009b0000 57344 1 C:\WINNT\system32\lsp.dll
AClntUsr.EXE 00400000 196608 1 C:\Program Files\Altiris\AClient\AClntUsr.EXE
VNCHOOKS.DLL 01490000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
qsqoui.dll 01320000 36864 1 C:\WINNT\system32\qsqoui.dll
sfcfiles.dll 68010000 983040 6 C:\WINNT\system32\sfcfiles.dll
SFC.DLL 76980000 110592 5 C:\WINNT\system32\SFC.DLL
shfolder.dll 719b0000 32768 5 C:\WINNT\system32\shfolder.dll
WINMM.dll 77570000 196608 5 C:\WINNT\system32\WINMM.dll
Cliscan.dll 51420000 331776 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Cliscan.dll
NAVNTUTL.DLL 01060000 53248 1 C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVNTUTL.DLL
CTL3D32.dll 72e90000 69632 2 C:\WINNT\system32\CTL3D32.dll
Cliproxy.dll 513d0000 196608 1 c:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Cliproxy.dll
msi.dll 00c00000 2113536 1 C:\WINNT\system32\msi.dll
vptray.exe 00400000 98304 1 C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
VNCHOOKS.DLL 00fa0000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
qsqoui.dll 009e0000 36864 1 C:\WINNT\system32\qsqoui.dll
qttask.exe 00400000 81920 1 C:\Program Files\QuickTime\qttask.exe
VNCHOOKS.DLL 015c0000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
qsqoui.dll 01250000 36864 1 C:\WINNT\system32\qsqoui.dll
lsp.dll 00f70000 57344 1 C:\WINNT\system32\lsp.dll
LNCMsg.DLL 0ad20000 53248 1 C:\Program Files\LAUNCHER400\LNCMsg.DLL
LNCsrv.exe 0ad30000 409600 1 C:\Program Files\LAUNCHER400\LNCsrv.exe
VNCHOOKS.DLL 01330000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
lsp.dll 011b0000 57344 1 C:\WINNT\system32\lsp.dll
qsqoui.dll 01040000 36864 1 C:\WINNT\system32\qsqoui.dll
RICHED20.dll 772b0000 442368 2 C:\WINNT\system32\RICHED20.dll
RICHED32.DLL 76b20000 20480 2 C:\WINNT\system32\RICHED32.DLL
LNCadms.dll 0ad00000 139264 1 C:\Program Files\LAUNCHER400\LNCadms.dll
winspool.drv 77800000 122880 14 C:\WINNT\system32\winspool.drv
LNCadm.exe 00400000 942080 1 C:\Program Files\LAUNCHER400\LNCadm.exe
rasadhlp.dll 777f0000 20480 13 C:\WINNT\system32\rasadhlp.dll
winrnr.dll 777e0000 32768 15 C:\WINNT\System32\winrnr.dll
DHCPCSVC.DLL 77360000 102400 18 C:\WINNT\system32\DHCPCSVC.DLL
TAPI32.DLL 77530000 139264 19 C:\WINNT\system32\TAPI32.DLL
RASMAN.DLL 774c0000 69632 19 C:\WINNT\system32\RASMAN.DLL
RASAPI32.DLL 774e0000 208896 19 C:\WINNT\system32\RASAPI32.DLL
USERENV.DLL 7c0f0000 397312 19 C:\WINNT\system32\USERENV.DLL
SETUPAPI.DLL 77880000 581632 19 C:\WINNT\system32\SETUPAPI.DLL
RTUTILS.DLL 77830000 57344 19 C:\WINNT\system32\RTUTILS.DLL
ADSLDPC.DLL 77380000 143360 18 C:\WINNT\system32\ADSLDPC.DLL
ACTIVEDS.DLL 773b0000 192512 18 C:\WINNT\system32\ACTIVEDS.DLL
MPRAPI.DLL 77320000 94208 18 C:\WINNT\system32\MPRAPI.DLL
ICMP.DLL 77520000 20480 18 C:\WINNT\system32\ICMP.DLL
iphlpapi.dll 77340000 77824 18 C:\WINNT\system32\iphlpapi.dll
rnr20.dll 782c0000 49152 16 C:\WINNT\System32\rnr20.dll
wshtcpip.dll 75010000 28672 17 C:\WINNT\System32\wshtcpip.dll
msafd.dll 74fd0000 122880 17 C:\WINNT\system32\msafd.dll
MFC42.DLL 6c370000 1028096 18 C:\WINNT\system32\MFC42.DLL
lsp.dll 01270000 57344 1 C:\WINNT\system32\lsp.dll
AMInit.dll 10000000 69632 26 C:\WINNT\system32\AMInit.dll
VNCHOOKS.DLL 00230000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
WinVNC.exe 00400000 507904 1 C:\Program Files\ORL\VNC\WinVNC.exe
VNCHOOKS.DLL 006a0000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
regedit.exe 01000000 376832 1 C:\WINNT\regedit.exe
NETUI1.dll 751d0000 229376 3 C:\WINNT\System32\NETUI1.dll
NETUI0.dll 75210000 86016 3 C:\WINNT\System32\NETUI0.dll
ntlanman.dll 75160000 49152 3 C:\WINNT\System32\ntlanman.dll
MPR.DLL 76620000 65536 21 C:\WINNT\system32\MPR.DLL
SHDOCVW.dll 01720000 1347584 1 C:\WINNT\system32\SHDOCVW.dll
browseui.dll 71500000 1036288 2 C:\WINNT\system32\browseui.dll
SAMLIB.dll 75150000 61440 21 C:\WINNT\system32\SAMLIB.dll
NETRAP.dll 751c0000 24576 21 C:\WINNT\system32\NETRAP.dll
WLDAP32.DLL 77950000 172032 21 C:\WINNT\system32\WLDAP32.DLL
WSOCK32.DLL 75050000 32768 22 C:\WINNT\system32\WSOCK32.DLL
DNSAPI.DLL 77980000 147456 21 C:\WINNT\system32\DNSAPI.DLL
NTDSAPI.dll 77bf0000 69632 21 C:\WINNT\system32\NTDSAPI.dll
Secur32.dll 7c340000 61440 22 C:\WINNT\system32\Secur32.dll
NETAPI32.DLL 75170000 323584 21 C:\WINNT\system32\NETAPI32.DLL
ATL.DLL 773e0000 86016 4 C:\WINNT\system32\ATL.DLL
ntshrui.dll 76fa0000 61440 2 C:\WINNT\system32\ntshrui.dll
WS2HELP.DLL 75020000 32768 27 C:\WINNT\system32\WS2HELP.DLL
ws2_32.dll 75030000 81920 27 C:\WINNT\system32\ws2_32.dll
MSASN1.DLL 77430000 65536 21 C:\WINNT\system32\MSASN1.DLL
CRYPT32.dll 7c740000 552960 20 C:\WINNT\system32\CRYPT32.dll
WININET.dll 63000000 614400 15 C:\WINNT\system32\WININET.dll
IMAGEHLP.dll 77920000 143360 13 C:\WINNT\system32\IMAGEHLP.dll
qsqoui.dll 10000000 36864 2 C:\WINNT\system32\qsqoui.dll
CSCDLL.DLL 770c0000 143360 3 C:\WINNT\system32\CSCDLL.DLL
cscui.dll 77840000 253952 3 C:\WINNT\system32\cscui.dll
CLBCATQ.DLL 775a0000 589824 16 C:\WINNT\system32\CLBCATQ.DLL
OLEAUT32.DLL 779b0000 634880 29 C:\WINNT\system32\OLEAUT32.DLL
VNCHOOKS.DLL 007e0000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
VDMDBG.DLL 66390000 40960 1 C:\WINNT\system32\VDMDBG.DLL
PSAPI.DLL 690a0000 45056 6 C:\WINNT\system32\PSAPI.DLL
LZ32.DLL 759b0000 24576 15 C:\WINNT\system32\LZ32.DLL
VERSION.dll 77820000 28672 15 C:\WINNT\system32\VERSION.dll
ole32.dll 77a50000 978944 29 C:\WINNT\system32\ole32.dll
SHELL32.DLL 782f0000 2379776 22 C:\WINNT\system32\SHELL32.DLL
COMCTL32.DLL 71710000 540672 27 C:\WINNT\system32\COMCTL32.DLL
msvcrt.dll 78000000 282624 30 C:\WINNT\system32\msvcrt.dll
RPCRT4.DLL 77d30000 462848 32 C:\WINNT\system32\RPCRT4.DLL
ADVAPI32.dll 7c2d0000 401408 32 C:\WINNT\system32\ADVAPI32.dll
SHLWAPI.DLL 63180000 430080 27 C:\WINNT\system32\SHLWAPI.DLL
comdlg32.dll 76b30000 253952 9 C:\WINNT\system32\comdlg32.dll
GDI32.DLL 77f40000 241664 30 C:\WINNT\system32\GDI32.DLL
USER32.dll 77e10000 413696 30 C:\WINNT\system32\USER32.dll
KERNEL32.dll 7c570000 733184 32 C:\WINNT\system32\KERNEL32.dll
ntdll.dll 77f80000 512000 33 C:\WINNT\system32\ntdll.dll
PrcView.exe 00400000 143360 1 C:\PrcView\PrcView.exe
pperpich is offline  
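Added example (editor's code, not from the thread and not from PrcView) for picking through a module listing like the one just posted. It parses the five columns as printed above (module name, load address in hex, size, PrcView's count column, path) and applies two heuristics that are my own: a module under system32 loaded below 0x40000000 (Microsoft rebases its own system DLLs well above that, so a system32 DLL sitting at the MSVC default base 0x10000000, or bumped off it, is usually a third-party build), and the same DLL name appearing at several different load addresses (relocated into several processes, which is what an injected hook DLL looks like). The sample input is a subset of the listing above; the output is a review list, not a verdict.

```python
"""Triage a PrcView module listing for DLLs worth a closer look.

Added example for this thread, not PrcView's own code. The two heuristics
are mine and only produce a review list:
  1. a module under system32 loaded below 0x40000000: Microsoft rebases its
     system DLLs well above that, so this is a third-party build at (or near)
     the MSVC default DLL base 0x10000000, or a relocated copy;
  2. one DLL name loaded at several different addresses: it was relocated
     into several processes, which is how a globally installed hook DLL
     (SetWindowsHookEx-style injection) shows up.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

DEFAULT_DLL_BASE = 0x10000000   # MSVC linker default /BASE for DLLs
REBASED_FLOOR = 0x40000000      # heuristic: rebased system DLLs live above this


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int
    count: int      # PrcView's count column; treated as opaque here
    path: str


# "<name> <8 hex digits> <size> <count> <path, may contain spaces>"
LINE_RE = re.compile(r"^(\S+)\s+([0-9A-Fa-f]{8})\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")


def parse_prcview(text: str) -> list[Module]:
    """Parse the listing; lines that do not match (headers, forum chrome) are skipped."""
    mods = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, base, size, count, path = m.groups()
            mods.append(Module(name, int(base, 16), int(size), int(count), path))
    return mods


def suspicious(mods: list[Module]) -> dict[str, list[str]]:
    """Return {module name: [reasons]} for every module that trips a heuristic."""
    bases: dict[str, set[int]] = defaultdict(set)
    for m in mods:
        bases[m.name.lower()].add(m.base)

    reasons: dict[str, list[str]] = {}
    for m in mods:
        if m.name in reasons:
            continue                    # report each name once
        found = []
        if "\\system32\\" in m.path.lower() and m.base < REBASED_FLOOR:
            found.append(f"system32 module loaded at 0x{m.base:08x}, below the range "
                         "Microsoft rebases system DLLs into (third-party build or relocated)")
        if len(bases[m.name.lower()]) > 1:
            found.append(f"loaded at {len(bases[m.name.lower()])} different addresses: "
                         "relocated into several processes (hook DLL?)")
        if found:
            reasons[m.name] = found
    return reasons


# Constructed sample: a subset of the listing posted above.
SAMPLE = r"""
lsp.dll 01270000 57344 1 C:\WINNT\system32\lsp.dll
AMInit.dll 10000000 69632 26 C:\WINNT\system32\AMInit.dll
VNCHOOKS.DLL 00230000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
VNCHOOKS.DLL 006a0000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
qsqoui.dll 10000000 36864 2 C:\WINNT\system32\qsqoui.dll
VNCHOOKS.DLL 007e0000 90112 1 C:\Program Files\ORL\VNC\VNCHOOKS.DLL
KERNEL32.dll 7c570000 733184 32 C:\WINNT\system32\KERNEL32.dll
ntdll.dll 77f80000 512000 33 C:\WINNT\system32\ntdll.dll
"""

if __name__ == "__main__":
    for name, why in suspicious(parse_prcview(SAMPLE)).items():
        print(name)
        for r in why:
            print("   -", r)
```

On the sample this reports lsp.dll, AMInit.dll and qsqoui.dll (system32, low base) and VNCHOOKS.DLL (three load addresses). VNC's hook DLL is expected on a box running WinVNC, which is the point: the script narrows the list, and the person who knows what belongs on the machine makes the call.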
Old 12-03-2004, 12:51 PM   #26 (permalink)
MicroBell
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,954
OS: Windows XP-Pro SP2

pperpich:

Ok...few things. I crafted that fix.. http://techsupportforum.com/showthread.php?t=26465 after I posted in your thread. I'm not 100% sure it will work...so I was waiting to hear from him before we used it. If you want to try it..that's fine. But like I told him...go step by step and don't miss anything.

Before doing so...please reboot into safe mode and see if NLNUninstall will run. Also open your system32 folder and sort the files by date. There should be a few DLLs and EXEs with the same size and date, as these are created each time you reboot. Let me know how many there are and what their filenames are. You will need to monitor these, as any newly created ones will need to be deleted.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
MicroBell is offline  
Old 12-03-2004, 02:01 PM   #27 (permalink)
Member
 
Join Date: Dec 2004
Posts: 24
OS: WinXP


Well, here we go again with not having the computer locally. Everyone in that office has left for the day so I can't walk someone through running that in safe mode. Shall I continue with the directions or wait until (eek!) Monday?

I'll be leaving in about an hour (woohoo, Friday!). If I don't hear from you pretty quickly I'll follow your directions anyway and hopefully that is what you'll have wanted.

Still haven't had any luck infecting a test machine locally. Been trying hard! ERD Commander would be nice IMO.
pperpich is offline  
Old 12-03-2004, 02:19 PM   #28 (permalink)
MicroBell
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,954
OS: Windows XP-Pro SP2

I think I would wait and run what I listed in the other thread on Monday. The thing is...you need this PC in front of you. If this PC is rebooted...then the files change...so this needs to be done in one continuous run. For example...the BAD DLL rootkit...for the PC that you just ran PrcView on...is

C:\WINNT\system32\qsqoui.dll

This would need to be put into KILLBOX with DELETE on reboot selected.

If the PC is turned off or rebooted, this file name will change and it will need to be located again. As I said above, if you monitor the system32 folder by date it should pop out at ya, as it will be new.
MicroBell is offline  
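Added example (editor's code, not the thread's and not KillBox's) for the "sort system32 by date and watch for files that come back after a reboot" part of the procedure. It diffs two snapshots of system32, groups new files that have the same size and were written within a couple of minutes of each other, and queues a file for deletion at the next boot with the Win32 call MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), the mechanism "delete on reboot" tools rely on (assumption: KillBox's internals are not described in the thread). Windows works that queue off in the session manager early in boot, before Winlogon starts, which is why it can remove a DLL that is locked while the system is up. The snapshots below are constructed in memory; the placeholder file names are made up, and only qsqoui.dll comes from the thread.

```python
"""Spot the files a reboot-regenerating infection drops into system32 and
queue them for deletion at the next boot.

Added example for this thread (editor's code, not KillBox's). Snapshot the
folder before and after a reboot, list what is new, group new files that
share a size and were written together ("same size and date"), then hand
the chosen ones to MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), which the
session manager processes early in boot, before Winlogon.
"""
from __future__ import annotations

import ctypes
import os
import sys
from collections import defaultdict
from dataclasses import dataclass

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # winbase.h


@dataclass(frozen=True)
class Entry:
    name: str
    size: int
    mtime: int          # seconds since the epoch


def snapshot(directory: str) -> dict[str, Entry]:
    """Live snapshot of one directory, keyed by lower-cased file name."""
    out: dict[str, Entry] = {}
    with os.scandir(directory) as it:
        for de in it:
            if de.is_file(follow_symlinks=False):
                st = de.stat(follow_symlinks=False)
                out[de.name.lower()] = Entry(de.name, st.st_size, int(st.st_mtime))
    return out


def new_files(before: dict[str, Entry], after: dict[str, Entry]) -> list[Entry]:
    """Files present in `after` but not in `before`, newest first."""
    fresh = [e for k, e in after.items() if k not in before]
    return sorted(fresh, key=lambda e: e.mtime, reverse=True)


def recent(snap: dict[str, Entry], since: int) -> list[Entry]:
    """No baseline? This is 'sort by date': everything written after `since`."""
    return sorted((e for e in snap.values() if e.mtime > since),
                  key=lambda e: e.mtime, reverse=True)


def same_size_and_time(entries: list[Entry], window: int = 120) -> dict[tuple[int, int], list[Entry]]:
    """Group files of identical size written within `window` seconds of each other.
    Key is (size, mtime of the earliest member); singletons are dropped."""
    by_size: dict[int, list[Entry]] = defaultdict(list)
    for e in entries:
        by_size[e.size].append(e)
    groups: dict[tuple[int, int], list[Entry]] = {}
    for size, members in by_size.items():
        members.sort(key=lambda e: e.mtime)
        run = [members[0]]
        for e in members[1:]:
            if e.mtime - run[-1].mtime <= window:
                run.append(e)
                continue
            if len(run) > 1:
                groups[(size, run[0].mtime)] = run
            run = [e]
        if len(run) > 1:
            groups[(size, run[0].mtime)] = run
    return groups


def delete_on_reboot(path: str) -> None:
    """Queue `path` for deletion at the next boot (Windows only, needs an admin token)."""
    if sys.platform != "win32":
        raise OSError("MoveFileEx delay-until-reboot only exists on Windows")
    if not ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError()


# Constructed sample (in-memory snapshots, no disk access): the machine is
# assumed to have been rebooted between BEFORE and AFTER.
T0 = 1_102_000_000
BEFORE = {e.name.lower(): e for e in (
    Entry("kernel32.dll", 733184, T0 - 400 * 86400),
    Entry("ntdll.dll", 512000, T0 - 400 * 86400),
    Entry("lsp.dll", 57344, T0 - 3600),
)}
AFTER = dict(BEFORE)
for _e in (
    Entry("qsqoui.dll", 36864, T0 + 60),         # name from the PrcView listing
    Entry("placeholder1.exe", 36864, T0 + 61),   # constructed: same size, same minute
    Entry("placeholder2.dll", 36864, T0 + 62),   # constructed
    Entry("setupapi.log", 4096, T0 + 300),       # constructed: unrelated new file
):
    AFTER[_e.name.lower()] = _e

if __name__ == "__main__":
    for (size, _first), members in same_size_and_time(new_files(BEFORE, AFTER)).items():
        print(f"{len(members)} new files of {size} bytes written together:",
              ", ".join(e.name for e in members))
        # on the real box: for e in members: delete_on_reboot(rf"C:\WINNT\system32\{e.name}")
```

On the real machine, run snapshot(r"C:\WINNT\system32") before and after the reboot and feed the two dicts to new_files(); with no baseline, recent(snap, cutoff) gives the plain sort-by-date view. As the thread says, whatever regenerates the file will give it a new name after the next reboot, so re-snapshot and repeat rather than trusting the old name.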
Old 12-03-2004, 02:59 PM   #29 (permalink)
Member
 
Join Date: Dec 2004
Posts: 24
OS: WinXP


Alright. I WISH I had the computer in front of me. I just can't seem to infect a PC locally to play with.

I went through the registry stuff for what it's worth and the ONLY thing I had was:
HKEY_CURRENT_USER\software\vb and vba program settings\ie rsp

I didn't make it to the files yet. I'm heading out to the bar now. been a long week. heh. I will most likely be in this weekend and can continue then.

Has anyone successfully removed this thing yet?

I did search for some of the registry stuff to see if it was elsewhere and didn't have any luck.

Thanks!
pperpich is offline  
Old 12-03-2004, 08:35 PM   #30 (permalink)
MicroBell
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,954
OS: Windows XP-Pro SP2

pperpich:

First...Yes..I have seen this removed once so far. Anyway, before you proceed any further I need some logs. We're going to approach this a little differently than that other thread I posted. You will need some programs for the process, so I will group them for you to download before the fix.

Programs Needed:

Kill2Me http://www.hijackthislogs.com/dl/kill2me.zip
PV http://www.hijackthislogs.com/dl/pv.zip
VX2Finder(126) http://www.hijackthislogs.com/dl/VX2Finder(126).exe
Hoster http://members.aol.com/toadbee/hoster.zip
CleanUp http://cleanup.stevengould.org/

==================================================

Process

1. Download Kill2Me from here and run
http://www.hijackthislogs.com/dl/kill2me.zip

2. Download this version of pv and unzip it to your desktop. (**Note** It MUST be on the desktop!) It will create its own folder.

http://www.hijackthislogs.com/dl/pv.zip

Then proceed below..

1. Double click the runme.bat file.
2. Select option 3 and hit enter. Save the log that was generated.
3. Then select option 5. Save the log that was generated.

Copy and paste each of them into your next post.

3. Copy and paste the text below inside the quote box to notepad.
Save it to your desktop as type "all files" and name it notify.bat.

Quote:
regedit /e notify.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
notify.txt
Then double-click to run it. It will generate a text file named notify.txt. Copy and paste the contents into your next reply.

4. Download the latest vx2 finder here
http://www.hijackthislogs.com/dl/VX2Finder(126).exe

Click the "Find Vx2.Betterinternet" button. Click the Make Log button and post that log in your next reply.

So I need ALL 3 of these logs from the infected PC. Please note that during this removal process this PC can NOT be turned off or REBOOTED. Doing so...makes all 3 logs useless, as the rootkit's DLL (the baddie) file name will change. So if you have to wait a day to proceed with the next step in the fix..just make sure the PC is not rebooted.

Last edited by MicroBell : 12-03-2004 at 08:52 PM.
MicroBell is offline  
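Added example (editor's code, not from the thread and not from VX2Finder) for reading the notify.txt that the batch file above produces. regedit /e on 2000/XP writes a UTF-16 file headed "Windows Registry Editor Version 5.00"; REG_SZ values appear as "name"="value", DWORDs as dword:, and REG_EXPAND_SZ values (which is how the stock DllName entries are stored) as hex(2): byte lists wrapped across lines ending in a backslash. The script parses that format, then reports every Notify subkey that is not a stock notification package, or whose DllName differs from the stock one. The table of stock packages is from memory for XP SP2 and is an assumption: check it against a clean machine of the same build. The sample export is constructed; the non-stock subkey name is made up and only the DLL file name comes from the thread.

```python
"""Read a `regedit /e` export of the Winlogon\\Notify key and list the
notification packages that are not part of a stock install.

Added example for this thread (editor's code, not the thread's or VX2Finder's).
Handles what regedit writes on 2000/XP: UTF-16 with BOM (or ANSI "REGEDIT4"),
"name"="string", dword:, and hex(2): REG_EXPAND_SZ byte lists that wrap onto
continuation lines ending in a backslash. DEFAULT_PACKAGES is from memory
for XP SP2 and is an assumption; compare with a clean box of the same build.
"""
from __future__ import annotations

import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# subkey name (lower case) -> DllName a stock XP SP2 install registers (assumption)
DEFAULT_PACKAGES = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll", "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll", "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll", "wlballoon": "wlnotify.dll",
}

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")


def decode_export(raw: bytes) -> str:
    """Version 5.00 exports are UTF-16LE with a BOM; REGEDIT4 exports are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode_value(rhs: str):
    if rhs.startswith('"') and rhs.endswith('"'):
        return _unescape(rhs[1:-1])                      # REG_SZ
    if rhs.startswith("dword:"):
        return int(rhs[6:], 16)                          # REG_DWORD
    m = HEX_RE.match(rhs)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) in ("2", "7"):                     # REG_EXPAND_SZ / REG_MULTI_SZ
            return data.decode("utf-16-le").rstrip("\x00")
        return data                                      # REG_BINARY and friends
    return rhs


def parse_reg(text: str) -> dict[str, dict[str, object]]:
    """{key path: {value name: value}}; the default value is stored under ''."""
    keys: dict[str, dict[str, object]] = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        while line.endswith("\\") and i < len(lines):   # hex values wrap
            line = line[:-1] + lines[i].strip()
            i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1) or "")] = _decode_value(m.group(2))
    return keys


def audit_notify(keys, defaults=DEFAULT_PACKAGES):
    """(package, DllName, reason) for every Notify subkey that is not stock."""
    prefix = NOTIFY_KEY.lower() + "\\"
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix) or "\\" in path[len(prefix):]:
            continue
        pkg = path[len(prefix):]
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        expected = defaults.get(pkg.lower())
        if expected is None:
            findings.append((pkg, dll, "package is not in the stock set"))
        elif dll is None or str(dll).rsplit("\\", 1)[-1].lower() != expected:
            findings.append((pkg, dll, f"DllName should be {expected}"))
    return findings


# Constructed sample export: two stock packages plus one non-stock package that
# points at the DLL named in the thread (the real key name is not on the page).
SAMPLE_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"DllName"="cryptnet.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qsqoui]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINNT\\system32\\qsqoui.dll"
"""
SAMPLE_EXPORT = b"\xff\xfe" + SAMPLE_TEXT.replace("\n", "\r\n").encode("utf-16-le")

if __name__ == "__main__":
    for pkg, dll, why in audit_notify(parse_reg(decode_export(SAMPLE_EXPORT))):
        print(f"{pkg:14} {dll!s:40} {why}")
```

On the real notify.txt: open it in binary mode, pass the bytes to decode_export(), then parse_reg() and audit_notify(). Winlogon loads a DllName without a path from system32, so a finding with a bare name still tells you which file to look for there.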
Old 12-04-2004, 06:15 AM   #31 (permalink)
submit2s
Registered User
Join Date: Dec 2004
Location: Missouri
Posts: 2
OS: xp


If you don't mind my helping, here are a few suggestions

Quote:
I went through the registry stuff for what its worth and the ONLY thing I had was:
HKEY_CURRENT_USER\software\vb and vba program settings\ie rsp
IGetNet infection

It may be helpful to remove these keys. Boot up in safe mode and follow these references:

Remove AutoRun Reference:

Go To the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winstart, delete it and reboot the machine immediately.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winstart001.exe, delete it and reboot the machine immediately.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winstart002, delete it and reboot the machine immediately.

Unregister these files if found. If they are not found in system32, check system and windows as well (i.e. c:\windows and c:\windows\system); check all locations for these files. To unregister:

Click the Start button, and select Run
Enter this command line:

regsvr32 /u c:\system\bho001.dll

bho.dll
nlnp13.dll
c:\system\bho001.dll
c:\system\install_all.dll
c:\system\rsp.dll
c:\system\rsp001.dll
c:\system\update_com.dll
c:\system\update_removeold.dll
c:\system32\bho001.dll
c:\system32\rsp.dll
c:\system32\rsp001.dll
update_hosts.dll

Remove these registry items (if present) with RegEdit; search for each one. I know it will take some time, but it's worth it. F3 (Find Next, under Edit) will take you to the next match:

HKEY_CLASSES_ROOT\bho.clsurlsearch
HKEY_CLASSES_ROOT\clsid\{60e78cac-e9a7-4302-b9ee-8582ede22fbf}
HKEY_CLASSES_ROOT\clsid\{676058e4-89bd-11d6-8a8c-0050ba8452c0}
HKEY_CLASSES_ROOT\clsid\{730f2451-a3fe-4a72-938c-fc8a74f15978}
HKEY_CLASSES_ROOT\clsid\{94742e3f-d9a1-4780-9a87-2ffa43655da2}
HKEY_CLASSES_ROOT\interface\{226a045e-fd4e-4632-b51d-a112bd8254e5}
HKEY_CLASSES_ROOT\interface\{3683fd85-0501-40dc-9edb-9d9181800d72}
HKEY_CLASSES_ROOT\interface\{3c8cde30-d013-4093-b00e-adbc74f33315}
HKEY_CLASSES_ROOT\interface\{676058e3-89bd-11d6-8a8c-0050ba8452c0}
HKEY_CLASSES_ROOT\interface\{f6fbfe07-ca76-438e-b34e-4f4dc41f0123}
HKEY_CLASSES_ROOT\rsp.bizlgk
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{60e78cac-e9a7-4302-b9ee-8582ede22fbf}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{730f2451-a3fe-4a72-938c-fc8a74f15978}
HKEY_CLASSES_ROOT\typelib\{676058db-89bd-11d6-8a8c-0050ba8452c0}
HKEY_CLASSES_ROOT\typelib\{95b3af07-0e4f-4cdf-acfd-3d4efd9aec0b}
HKEY_CLASSES_ROOT\typelib\{974cc25e-d62c-4278-84e6-a806726e37bc}
HKEY_CLASSES_ROOT\typelib\{acba087f-1547-41de-8e9e-3f0963ce4bef}
HKEY_CURRENT_USER\software\vb and vba program settings\ie rsp
HKEY_LOCAL_MACHINE\clsid\{60e78cac-e9a7-4302-b9ee-8582ede22fbf}
HKEY_LOCAL_MACHINE\clsid\{730f2451-a3fe-4a72-938c-fc8a74f15978}
HKEY_LOCAL_MACHINE\software\classes\clsid\{730f2451-a3fe-4a72-938c-fc8a74f15978}
HKEY_LOCAL_MACHINE\software\classes\rsp.bizlgk
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{60e78cac-e9a7-4302-b9ee-8582ede22fbf}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{60e78cac-e9a7-4302-b9ee-8582ede22fbf}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{730f2451-a3fe-4a72-938c-fc8a74f15978}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winstart
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winstart001.exe
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\winstart002
HKEY_USERS\s-1-5-21-1060284298-1450960922-725345543-1001\software\vb and vba program settings\ie rsp
HKEY_USERS\s-1-5-21-1409082233-1390067357-1801674531-500\software\vb and vba program settings\ie rsp <== this one was present; I suspect others

Remove these files with Windows Explorer if present. Make sure 'show all files' is enabled:

Check in Control Panel > Add/Remove Programs for a program called ebatesmoemoneymaker and remove it if present. Next, find and delete these files, starting with c:

bho.dll
ign fax cover.htm
inctrl.log
install.log
nlnp13.dll
nlnp13.exe
nlnupgradev4_00p1.exe
c:\documents and settings\username\local settings\temp\nlnp41.exe
c:\documents and settings\username\local settings\temporary internet files\content.ie5\khirgp6n\nlnp1w[1].exe
c:\documents and settings\username\local settings\temporary internet files\content.ie5\m6772vqj\nlnp1w[1].exe
c:\program files\ebatesmoemoneymaker\system\code\bi.class
c:\program files\ebatesmoemoneymaker\system\code\bj.class
c:\program files\ebatesmoemoneymaker\system\code\bk.class
c:\program files\ebatesmoemoneymak