#1
Registered User
Join Date: Apr 2005
Posts: 19
OS: Win2000
Hijack This Log Help
I recently purchased "Pest Patrol" to clean up my pc. Now, I find that it scans the pc but cannot get rid of a pest called "actualnames". Here is my hijack this file. I would appreciate any help you can give.
Logfile of HijackThis v1.98.2
Scan saved at 8:46:28 PM, on 3/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Creative\SBLive2k\Launcher\TaskGuide\updtray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\WINDOWS\system32\nrnnnl.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\ntvdm.exe
C:\AllanB\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://192.168.100.1/phone.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\nrnnnl.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] \WkDetect.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [LDM] \Program\
O4 - HKCU\..\Run: [nvrseng] C:\WINDOWS\system32\nvrseng.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /A "C:\WINDOWS\system32\E_S9.tmp"
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BounceBack Launcher.lnk = C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01117B00-3E00-11D2-8470-0060089874ED} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/083a26c72b6ae13...tzip/RdxIE.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {AAF15A90-F3EC-4FEE-9A00-F65B25B83D05} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.dll
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/alien.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O18 - Protocol: bw+0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
#2
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,720
OS: 2000 Pro; XP Pro; XP Home
You have evidence of a rootkit hijacker. This one can be difficult to remove, and may take a few rounds to get all the associated files. Be patient and persistent, and we will see you through.
You will need the latest version of HijackThis. Download the newest version at http://www.greyknight17.com/spy/HijackThis.exe

Download and install CleanUp http://cleanup.stevengould.org/
Download KillBox http://www.atribune.org/downloads/KillBox.exe
Download Rkfiles.zip http://skads.org/special/rkfiles.zip
UNZIP the contents to a permanent folder on your desktop.
Download the following attachment remv3.zip http://forums.skads.org/index.php?showtopic=80
Make a folder on the root drive C:\ and unzip the files into it.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

**Note** DO NOT DISABLE SYSTEM RESTORE YET!!! This is in case you make a mistake in deleting a file on either of the logs. You will address this at the end of the fix!!

Now run the Cleanup utility and reboot/logoff when prompted.

REBOOT TO SAFE MODE... These tools MUST be run in safe mode!!

Once in safe mode...
Double click rkfiles.bat. It will scan for awhile, so please be patient. Wait until the DOS window closes. Open the C:\log.txt it created and rename it log1.txt.
Now open the folder where you saved the remv3.zip files and double click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log files will be C:\log.txt and bad1.txt.

**Note** Each tool uses log.txt as its output file, so make sure you save the entries from one tool's log before running the other, as it will overwrite the file if you don't.

Reboot back to normal mode and post the contents of both the log.txt and log1.txt in your next post.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#3
Registered User
Join Date: Apr 2005
Posts: 19
OS: Win2000
Tetonbob.. new log.txt files!!

Log file from rkfiles:

C:\unzipped\rkfiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\anaaa.dll: UPX!
C:\WINDOWS\SYSTEM32\c34b8s.dll: UPX!
C:\WINDOWS\SYSTEM32\nrnnnl.exe: UPX!
C:\WINDOWS\SYSTEM32\SHAgentNew.dll: UPX!
C:\WINDOWS\SYSTEM32\vqvvv.dat: UPX!
C:\WINDOWS\SYSTEM32\winup2date.dll: UPX!
C:\WINDOWS\SYSTEM32\wmconfig.cpl: UPX!
C:\WINDOWS\SYSTEM32\Xcite.dll: UPX!
C:\WINDOWS\SYSTEM32\imctl.dll: ipeC2
C:\WINDOWS\SYSTEM32\mdvfw32.dll: ipeC2

Files Found in all users startup Folder............
------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tdtt.exe: UPX!

Files Found in all users windows Folder............
------------------------
C:\WINDOWS\icont.exe: UPX!
C:\WINDOWS\ss3unstl.exe: UPX!
C:\WINDOWS\T3SETUP.EXE: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished bye

Log file from remv3.zip:

Files Found.................
----------------------------------------
Files Not deleted.................
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted..
Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C is Local Disk
Volume Serial Number is FCFD-BFDA
Directory of C:\WINDOWS\SYSTEM32
mscb.dll
msi.dll

Thank you so much for your help. What's next??
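The rkfiles log above marks each file with the packer signature it found in the file body ("UPX!" for most of them), which is why the tool warns that legitimate files can be listed too: UPX is a general-purpose executable packer, and a packed file is only a lead, not a verdict. The following is an added example, not part of this thread and not rkfiles' own code: a Python scanner that does the same kind of marker search over one folder and prints rkfiles-style "path: marker" lines. The sample files it scans are constructed in a temporary directory (one of them reuses the file name nrnnnl.exe from the log purely as a label); the "UPX0"/"UPX1" section names are assumed from the UPX packer's defaults, and the "ipeC2" tag rkfiles also reports is not reproduced here.

```python
from __future__ import annotations

import tempfile
from pathlib import Path

# Byte markers the scan looks for. "UPX!" is the tag rkfiles printed beside each
# flagged file in the thread; "UPX0"/"UPX1" are the PE section names the UPX
# packer writes by default (assumption, not taken from the thread).
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")
# Extensions worth scanning; .dat and .cpl are included because the log
# flagged vqvvv.dat and wmconfig.cpl, which are PE files under other names.
SCAN_SUFFIXES = {".exe", ".dll", ".cpl", ".dat", ".ocx", ".sys", ".scr"}


def find_markers(data: bytes) -> list[str]:
    """Return the packer markers present in a file's bytes, in a stable order."""
    return [m.decode() for m in UPX_MARKERS if m in data]


def scan_folder(folder: Path, max_bytes: int = 4 * 1024 * 1024) -> dict[str, list[str]]:
    """Scan one folder (non-recursive, like rkfiles' per-folder listing) and
    return {filename: [markers]} for every candidate file carrying a marker."""
    hits: dict[str, list[str]] = {}
    for entry in sorted(folder.iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            with entry.open("rb") as fh:
                data = fh.read(max_bytes)  # headers and section table sit at the front
        except OSError:
            continue  # locked or unreadable: report nothing rather than guess
        found = find_markers(data)
        if found:
            hits[entry.name] = found
    return hits


def build_sample_folder() -> Path:
    """Constructed sample data: four files in a temp dir, two carrying UPX markers."""
    folder = Path(tempfile.mkdtemp(prefix="rkfiles_demo_"))
    # Minimal stand-in for a UPX-packed PE: DOS magic, PE magic, UPX section names, UPX! tag.
    packed = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
              + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"
              + b"\x00" * 200 + b"UPX!\x0d\x09")
    (folder / "nrnnnl.exe").write_bytes(packed)  # name borrowed from the thread's log
    (folder / "vqvvv.dat").write_bytes(b"\x00" * 64 + b"UPX!" + b"\x00" * 64)
    # Unpacked stand-in: ordinary section names, no UPX markers.
    (folder / "kernel32.dll").write_bytes(b"MZ" + b"\x00" * 126 + b".text\x00\x00\x00.rdata\x00\x00")
    # Text file mentioning the marker: not a scanned extension, so never reported.
    (folder / "readme.txt").write_bytes(b"UPX! mentioned in text, but not a PE and not scanned")
    return folder


def report(folder: Path) -> list[str]:
    """Render rkfiles-style lines: '<path>: <markers>'."""
    return [f"{folder / name}: {' '.join(markers)}" for name, markers in scan_folder(folder).items()]


if __name__ == "__main__":
    demo = build_sample_folder()
    print("Files Found in folder", demo)
    print("------------------------")
    for line in report(demo):
        print(line)
```

The scanner reports what it finds and deliberately decides nothing: as the rkfiles banner says, a hit means "look at this file" (vendor, signature, where it was written from), not "delete this file".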
#4
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,720
OS: 2000 Pro; XP Pro; XP Home
Do you use ProLog Express or penteledata as your cable internet provider?
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregistered DLL" (If available). Click the RED X and it will ask to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. If you get a "Pending FileRename Operations Registry Data has been Removed by External Process!" message then just restart manually.

C:\WINDOWS\SYSTEM32\anaaa.dll
C:\WINDOWS\SYSTEM32\c34b8s.dll
C:\WINDOWS\SYSTEM32\nrnnnl.exe
C:\WINDOWS\SYSTEM32\SHAgentNew.dll
C:\WINDOWS\SYSTEM32\vqvvv.dat
C:\WINDOWS\SYSTEM32\winup2date.dll
C:\WINDOWS\SYSTEM32\wmconfig.cpl
C:\WINDOWS\SYSTEM32\Xcite.dll
C:\WINDOWS\SYSTEM32\imctl.dll
C:\WINDOWS\SYSTEM32\mdvfw32.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tdtt.exe
C:\WINDOWS\icont.exe
C:\WINDOWS\ss3unstl.exe
C:\WINDOWS\SYSTEM32\mscb.dll
C:\WINDOWS\system32\ntvdm.exe

Now reboot again into safe mode. I need another set of logs from those 2 tools I had you run...remv3.zip and Rkfiles.zip

Next, reboot into normal mode and run HijackThis again. Post the new log here.

So, then, 3 new logs....remv3 and Rkfiles from safe mode, and HJT from normal mode. Note that this may take a couple of rounds to get all the bad guys.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#5
Registered User
Join Date: Apr 2005
Posts: 19
OS: Win2000
New Hijackthis and log files
Hijack This log:
Logfile of HijackThis v1.98.2
Scan saved at 11:33:18 PM, on 4/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\WINDOWS\system32\nrnnnl.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Creative\SBLive2k\Launcher\TaskGuide\updtray.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\ntvdm.exe
C:\AllanB\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://192.168.100.1/phone.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\nrnnnl.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [Microsoft Works Update Detection] \WkDetect.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [nvrseng] C:\WINDOWS\system32\nvrseng.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /A "C:\WINDOWS\system32\E_S9.tmp"
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BounceBack Launcher.lnk = C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01117B00-3E00-11D2-8470-0060089874ED} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/083a26c72b6ae13...tzip/RdxIE.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {AAF15A90-F3EC-4FEE-9A00-F65B25B83D05} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O18 - Protocol: offline-8876480 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

rkfiles log:

C:\unzipped\rkfiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\anaaa.dll: UPX!
C:\WINDOWS\SYSTEM32\c34b8s.dll: UPX!
C:\WINDOWS\SYSTEM32\nrnnnl.exe: UPX!
C:\WINDOWS\SYSTEM32\SHAgentNew.dll: UPX!
C:\WINDOWS\SYSTEM32\vqvvv.dat: UPX!
C:\WINDOWS\SYSTEM32\winup2date.dll: UPX!
C:\WINDOWS\SYSTEM32\wmconfig.cpl: UPX!
C:\WINDOWS\SYSTEM32\Xcite.dll: UPX!
C:\WINDOWS\SYSTEM32\imctl.dll: ipeC2
C:\WINDOWS\SYSTEM32\mdvfw32.dll: ipeC2

Files Found in all users startup Folder............
------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tdtt.exe: UPX!

Files Found in all users windows Folder............
------------------------
C:\WINDOWS\icont.exe: UPX!
C:\WINDOWS\ss3unstl.exe: UPX!
C:\WINDOWS\T3SETUP.EXE: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished bye

remv3 log:

Files Found.................
----------------------------------------
Files Not deleted.................
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted..
Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C is Local Disk
Volume Serial Number is FCFD-BFDA
Directory of C:\WINDOWS\SYSTEM32
mscb.dll
msi.dll
#6
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,720
OS: 2000 Pro; XP Pro; XP Home
Hi Frank -
I'm currently reviewing your reply with one of our moderators. In the meantime, please answer the question about your ISP: Do you use ProLog Express or penteledata as your cable internet provider? Also, please get the latest version of HijackThis, as instructed in my first post. It allows us to see different things, and address them accordingly. I'll be back ASAP with your next instructions. If any other Analyst replies, please follow the instructions they give.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Microsoft MVP - Consumer Security 2009
#7
Registered User
Join Date: Apr 2005
Posts: 19
OS: Win2000
Tetonbob Question
I have not used Prolog or Penteledata since moving in August of 2004. I did use my old version of Hijack This by accident. Here is the current report from the new version:
Logfile of HijackThis v1.99.1
Scan saved at 9:44:52 AM, on 4/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\WINDOWS\system32\nrnnnl.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Creative\SBLive2k\Launcher\TaskGuide\updtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PC Tools3\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://192.168.100.1/phone.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\nrnnnl.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [Microsoft Works Update Detection] \WkDetect.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [nvrseng] C:\WINDOWS\system32\nvrseng.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /A "C:\WINDOWS\system32\E_S9.tmp"
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BounceBack Launcher.lnk = C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01117B00-3E00-11D2-8470-0060089874ED} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/083a26c72b6ae13...tzip/RdxIE.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {AAF15A90-F3EC-4FEE-9A00-F65B25B83D05} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O18 - Protocol: offline-8876480 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
#8
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Ok jarrettfan...let's give this another try. Make sure you don't miss any of the files I'm asking you to delete. If you do...this fix fails and the hijacker stays in place.

Make sure system restore is STILL enabled...

Reboot into safe mode.

Open task manager and KILL this process if it's running..
C:\WINDOWS\system32\nrnnnl.exe

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot", "Unload Explorer shell" and checkmark the box "Unregistered DLL" (If available). Click the RED X and it will ask to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. If you get a "Pending FileRename Operations Registry Data has been Removed by External Process!" message then just restart manually.

C:\WINDOWS\SYSTEM32\anaaa.dll
C:\WINDOWS\SYSTEM32\c34b8s.dll
C:\WINDOWS\SYSTEM32\nrnnnl.exe
C:\WINDOWS\SYSTEM32\SHAgentNew.dll
C:\WINDOWS\SYSTEM32\vqvvv.dat
C:\WINDOWS\SYSTEM32\winup2date.dll
C:\WINDOWS\SYSTEM32\wmconfig.cpl
C:\WINDOWS\SYSTEM32\Xcite.dll
C:\WINDOWS\SYSTEM32\imctl.dll
C:\WINDOWS\SYSTEM32\mdvfw32.dll
C:\WINDOWS\icont.exe
C:\WINDOWS\ss3unstl.exe
C:\WINDOWS\T3SETUP.EXE
C:\WINDOWS\vsapi32.dll
C:\WINDOWS\SYSTEM32\mscb.dll
C:\WINDOWS\system32\nvrseng.exe
C:\WINDOWS\system32\nrnnnl.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tdtt.exe

Once back to normal windows run the cleanup utility again. Then run both those tools (In safe mode) and give me a new set of logs from both remv3.zip and rkfiles and the following tool below.....

Download this virus checker and tool from eScan Mwav.exe (Use Link 3)
1. Save it to a folder.
2. Reboot into safe mode
3. Double click the Mwav.exe file. (This is a stand alone tool and NOT just a virus checker......so it won't install anything)
4. Select all local drives, scan all files, press SCAN and when it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane...... Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and save it to a notepad file

*Note* If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything..but to ID the bad guys.

Once you copy that to a notepad file...highlight the text and copy it here along with a new hijackthis log.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
#9
Registered User
Join Date: Apr 2005
Posts: 19
OS: Win2000
New Log Files
New RK Log:
C:\unzipped\rkfiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\anaaa.dll: UPX!
C:\WINDOWS\SYSTEM32\c34b8s.dll: UPX!
C:\WINDOWS\SYSTEM32\nrnnnl.exe: UPX!
C:\WINDOWS\SYSTEM32\OWOOSPITCR.NBJ: UPX!

Files Found in all users startup Folder............
------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tdtt.exe: UPX!

Files Found in all users windows Folder............
------------------------
C:\WINDOWS\T3SETUP.EXE: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished bye

New remv3 log:
Files Found.................
----------------------------------------
Files Not deleted.................
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted..
Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C is Local Disk
Volume Serial Number is FCFD-BFDA
Directory of C:\WINDOWS\SYSTEM32
msi.dll

New Mwav log:
File C:\WINDOWS\system32\IAROP.DLL infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Upderwater.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ocoooqq.exe infected by "Trojan-Downloader.Win32.Qoologic.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\nrnnnl.exe infected by "Trojan-Downloader.Win32.Qoologic.i" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tdtt.exe infected by "Trojan-Downloader.Win32.Qoologic.i" Virus. Action Taken: No Action Taken.
File System Found infected by "Bargain Buddy Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Lycos Sidesearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "dvx Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "AltnetBDE Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "AltnetBDE Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\autoheal.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall4_88.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall4_94.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall5_20.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sixtypopsix.exe infected by "Trojan.Win32.LowZones.am" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\system32\akcore.dll infected by "not-a-virus:AdWare.Coreak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\aklsp.dll infected by "Trojan-Downloader.Win32.Agent.br" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\akrules.dll infected by "Trojan-Downloader.Win32.Agent.bt" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\akupd.dll infected by "Trojan-Downloader.Win32.Agent.br" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\anaaa.dll infected by "Trojan-Downloader.Win32.Qoologic.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\bi8.exe infected by "not-a-virus:AdWare.BiSpy.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\bS_L.dll infected by "Trojan-Downloader.Win32.Keenval.e" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\c34b8s.dll infected by "Trojan-Dropper.Win32.Small.eq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\dkeml.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Eda76.exe infected by "Trojan-Downloader.Win32.VB.em" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\fp0s03d7e.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\gpgggbb.dll infected by "Trojan-Downloader.Win32.Qoologic.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\iampagnt.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\iiakeng.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\l82s0if7e82.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Lcl7.exe infected by "Backdoor.Win32.VB.nb" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\mamdd.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\mxjter35.dll infected by "not-a-virus:AdWare.Look2Me.ab" Virus. Action Taken: No Action Taken.

New Hijack This Log:
Logfile of HijackThis v1.99.1
Scan saved at 12:33:47 AM, on 4/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\system32\nrnnnl.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Creative\SBLive2k\Launcher\TaskGuide\updtray.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PC Tools3\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://192.168.100.1/phone.html

I am running Windows 2000. Don't think I have "system restore" to turn on and off.
Thank You,
Frank
#10
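Frank's post above carries three logs that only make sense read against each other: HijackThis shows what starts at logon, rkfiles shows which files are packed, and Mwav shows which files a scanner names. The script below is an added example, not a tool used in this thread or by the forum's analysts. It parses constructed excerpts of those three logs (the lines are copied from the posts above; the `parse_*` and `triage` functions and the excerpts themselves are the example's own) and lists every autostart target that another tool flagged, plus flagged files that sit in a Startup folder with no HijackThis entry.

```python
"""Cross-reference HijackThis O4 autostart entries with rkfiles and eScan Mwav output.
Added example for this thread, not a tool its analysts used: the log excerpts are
constructed from the posts above; the parsing and triage rules are the example's own."""
import re
from dataclasses import dataclass

# Constructed excerpt of the HijackThis O4 section posted above.
HJT_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\nrnnnl.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [nvrseng] C:\WINDOWS\system32\nvrseng.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
"""
# Constructed excerpt of rkfiles output; it lists packed files, and packing alone is no verdict.
RKFILES_LOG = r"""
C:\WINDOWS\SYSTEM32\anaaa.dll: UPX!
C:\WINDOWS\SYSTEM32\nrnnnl.exe: UPX!
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tdtt.exe: UPX!
"""
# Constructed excerpt of eScan Mwav output.
MWAV_LOG = r"""
File C:\WINDOWS\system32\ocoooqq.exe infected by "Trojan-Downloader.Win32.Qoologic.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\nrnnnl.exe infected by "Trojan-Downloader.Win32.Qoologic.i" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tdtt.exe infected by "Trojan-Downloader.Win32.Qoologic.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File System Found infected by "Bargain Buddy Spyware/Adware" Virus. Action Taken: No Action Taken.
"""

O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] (?P<cmd>.*)|(?P<lnk>.+?\.lnk) = (?P<target>.*))$")
IMAGE_RE = re.compile(r'"?(?P<path>[^"]+?\.(?:exe|dll|cpl|scr|com))\b', re.IGNORECASE)
DLL_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^,"]+?\.dll)\b', re.IGNORECASE)
RK_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?): (?P<packer>.+)$")
MWAV_RE = re.compile(r'^File (?P<path>.+?) (?:infected by "(?P<det>[^"]+)"|tagged as (?P<tag>\S+)\.)')
STARTUP_DIR = "\\start menu\\programs\\startup\\"  # compared against lower-cased paths

@dataclass
class Autostart:
    location: str  # registry key or folder, as HijackThis prints it
    label: str     # value name or .lnk name
    image: str     # file that actually runs (best effort)

def image_from_command(cmd: str) -> str:
    # Pick the launched file out of an O4 command line; rundll32 only hosts its DLL.
    m = IMAGE_RE.match(cmd.strip())
    image = m.group("path") if m else cmd.strip()
    if m and image.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        dll = DLL_RE.search(cmd, m.end())
        return dll.group("path") if dll else image
    return image

def parse_hjt_autostarts(text: str) -> list[Autostart]:
    out = []
    for m in filter(None, map(O4_RE.match, text.strip().splitlines())):
        if m.group("cmd") is not None:
            out.append(Autostart(m.group("where"), m.group("name"), image_from_command(m.group("cmd"))))
        else:
            out.append(Autostart(m.group("where"), m.group("lnk"), m.group("target").strip()))
    return out

def parse_rkfiles(text: str) -> dict[str, str]:
    return {m.group("path"): m.group("packer") for m in filter(None, map(RK_RE.match, text.strip().splitlines()))}

def parse_mwav(text: str) -> dict[str, str]:
    found = {}
    for m in filter(None, map(MWAV_RE.match, text.strip().splitlines())):
        if m.group("path")[1:3] == ":\\":  # "File System Found ..." lines carry no path and are skipped
            found[m.group("path")] = m.group("det") or m.group("tag")
    return found

def triage(entries: list[Autostart], rk: dict[str, str], mwav: dict[str, str]) -> list[tuple[str, list[str]]]:
    rk_l = {p.lower(): (p, v) for p, v in rk.items()}
    mw_l = {p.lower(): (p, v) for p, v in mwav.items()}
    findings: dict[str, tuple[str, list[str]]] = {}
    def add(path: str, reason: str) -> None:
        findings.setdefault(path.lower(), (path, []))[1].append(reason)
    for e in entries:
        key, where = e.image.lower(), f"{e.location} [{e.label}]"
        if key in mw_l:
            add(e.image, f"{where}: detected as {mw_l[key][1]}")
        if key in rk_l:
            add(e.image, f"{where}: packed ({rk_l[key][1]}) per rkfiles")
        if "\\" not in e.image:
            add(e.image, f"{where}: bare file name, resolved through the search path at logon")
    seen = {e.image.lower() for e in entries}
    for key, (path, det) in mw_l.items():  # flagged files with no HijackThis entry
        if key in seen:
            continue
        note = "in a Startup folder but absent from the HijackThis log (it lists the .lnk shortcuts there)" if STARTUP_DIR in key else "no autostart entry in this HijackThis log"
        add(path, f"detected as {det}; {note}")
    return sorted(findings.values(), key=lambda f: len(f[1]), reverse=True)

def main() -> None:
    for path, reasons in triage(parse_hjt_autostarts(HJT_LOG), parse_rkfiles(RKFILES_LOG), parse_mwav(MWAV_LOG)):
        print(path, *("\n    " + r for r in reasons))

if __name__ == "__main__":
    main()
```

A file the cross-reference does not flag is not cleared by it: nvrseng.exe in the excerpt gets no finding, yet the analyst's list in post #8 still removes it, so the script orders the reading rather than replacing it. The packed-file reason is deliberately weaker than a detection, in line with the rkfiles banner's warning that packed files may be legitimate.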
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Ok Frank... Is that the whole hijackthis log??

You have more than one hijacker running in the PC so things got a bit more complicated. We are going to do 2 steps this time..

Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Save and Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Once you saved that log....move to step 2.

===============================================
STEP 2

Reboot into safe mode......

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot", "Unload Explorer shell" and checkmark the box "Unregistered DLL" (If available). Click the RED X and it will ask to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINDOWS\SYSTEM32\anaaa.dll
C:\WINDOWS\SYSTEM32\c34b8s.dll
C:\WINDOWS\SYSTEM32\nrnnnl.exe
C:\WINDOWS\SYSTEM32\OWOOSPITCR.NBJ
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\tdtt.exe
C:\WINDOWS\NDNuninstall4_88.exe
C:\WINDOWS\NDNuninstall4_94.exe
C:\WINDOWS\NDNuninstall5_20.exe
C:\WINDOWS\sixtypopsix.exe
C:\WINDOWS\system32\Eda76.exe
C:\WINDOWS\system32\ocoooqq.exe
C:\WINDOWS\system32\IAROP.DLL
C:\WINDOWS\autoheal.exe
C:\WINDOWS\system32\akcore.dll
C:\WINDOWS\system32\aklsp.dll
C:\WINDOWS\system32\akrules.dll
C:\WINDOWS\system32\akupd.dll
C:\WINDOWS\system32\bi8.exe
C:\WINDOWS\system32\bS_L.dll
C:\WINDOWS\system32\c34b8s.dll
C:\WINDOWS\system32\dkeml.dll
C:\WINDOWS\system32\gpgggbb.dll
C:\WINDOWS\system32\Lcl7.exe

Once back to normal mode run the cleanup utility. Then reboot into safe mode and run those 2 tools again and save the logs. Then run Mwav again and save its log. Then post the following logs..
remv3.zip log
rkfiles log
Mwav log
L2mfix log
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
#11
Registered User
Join Date: Apr 2005
Posts: 19
OS: Win2000
L2mfix log and HJT log
L2mfix log:
L2Mfix 1.03
Running From:
C:\Documents and Settings\Biff\Desktop\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry

Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot
Starting Reboot!
C:\Documents and Settings\Biff\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Biff\Desktop\l2mfix

killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1348 'explorer.exe'
Killing PID 1348 'explorer.exe'
Error 0x6 : The handle is invalid.
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!

Backing Up: C:\WINDOWS\system32\dkeml.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fp0s03d7e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iampagnt.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\IAROP.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iiakeng.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\l82s0if7e82.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mamdd.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mxjter35.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\p8r40i9qe8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\pprfnw.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rbcss.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rkm.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rqaenh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\szimgvw.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\Upderwater.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vdt3216.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\vnregexp.dll
1 file(s) copied.

deleting: C:\WINDOWS\system32\dkeml.dll
Successfully Deleted: C:\WINDOWS\system32\dkeml.dll
deleting: C:\WINDOWS\system32\fp0s03d7e.dll
Successfully Deleted: C:\WINDOWS\system32\fp0s03d7e.dll
deleting: C:\WINDOWS\system32\iampagnt.dll
Successfully Deleted: C:\WINDOWS\system32\iampagnt.dll
deleting: C:\WINDOWS\system32\IAROP.DLL
Successfully Deleted: C:\WINDOWS\system32\IAROP.DLL
deleting: C:\WINDOWS\system32\iiakeng.dll
Successfully Deleted: C:\WINDOWS\system32\iiakeng.dll
deleting: C:\WINDOWS\system32\l82s0if7e82.dll
Successfully Deleted: C:\WINDOWS\system32\l82s0if7e82.dll
deleting: C:\WINDOWS\system32\mamdd.dll
Successfully Deleted: C:\WINDOWS\system32\mamdd.dll
deleting: C:\WINDOWS\system32\mxjter35.dll
Successfully Deleted: C:\WINDOWS\system32\mxjter35.dll
deleting: C:\WINDOWS\system32\p8r40i9qe8.dll
Successfully Deleted: C:\WINDOWS\system32\p8r40i9qe8.dll
deleting: C:\WINDOWS\system32\pprfnw.dll
Successfully Deleted: C:\WINDOWS\system32\pprfnw.dll
deleting: C:\WINDOWS\system32\rbcss.dll
Successfully Deleted: C:\WINDOWS\system32\rbcss.dll
deleting: C:\WINDOWS\system32\rkm.dll
Successfully Deleted: C:\WINDOWS\system32\rkm.dll
deleting: C:\WINDOWS\system32\rqaenh.dll
Successfully Deleted: C:\WINDOWS\system32\rqaenh.dll
deleting: C:\WINDOWS\system32\szimgvw.dll
Successfully Deleted: C:\WINDOWS\system32\szimgvw.dll
deleting: C:\WINDOWS\system32\Upderwater.dll
Successfully Deleted: C:\WINDOWS\system32\Upderwater.dll
deleting: C:\WINDOWS\system32\vdt3216.dll
Successfully Deleted: C:\WINDOWS\system32\vdt3216.dll
deleting: C:\WINDOWS\system32\vnregexp.dll
Successfully Deleted: C:\WINDOWS\system32\vnregexp.dll

Zipping up files for submission:
adding: dkeml.dll (152 bytes security) (deflated 4%)
adding: fp0s03d7e.dll (152 bytes security) (deflated 5%)
adding: iampagnt.dll (152 bytes security) (deflated 4%)
adding: IAROP.DLL (152 bytes security) (deflated 4%)
adding: iiakeng.dll (152 bytes security) (deflated 4%)
adding: l82s0if7e82.dll (152 bytes security) (deflated 5%)
adding: mamdd.dll (152 bytes security) (deflated 4%)
adding: mxjter35.dll (152 bytes security) (deflated 4%)
adding: p8r40i9qe8.dll (152 bytes security) (deflated 4%)
adding: pprfnw.dll (152 bytes security) (deflated 5%)
adding: rbcss.dll (152 bytes security) (deflated 5%)
adding: rkm.dll (152 bytes security) (deflated 4%)
adding: rqaenh.dll (152 bytes security) (deflated 4%)
adding: szimgvw.dll (152 bytes security) (deflated 5%)
adding: Upderwater.dll (152 bytes security) (deflated 5%)
adding: vdt3216.dll (152 bytes security) (deflated 4%)
adding: vnregexp.dll (152 bytes security) (deflated 4%)
adding: clear.reg (152 bytes security) (deflated 37%)
adding: echo.reg (152 bytes security) (deflated 8%)
adding: direct.txt (152 bytes security) (stored 0%)
adding: lo2.txt (152 bytes security) (deflated 81%)
adding: readme.txt (152 bytes security) (deflated 49%)
adding: test.txt (152 bytes security) (deflated 77%)
adding: test2.txt (152 bytes security) (deflated 17%)
adding: test3.txt (152 bytes security) (deflated 17%)
adding: test5.txt (152 bytes security) (deflated 17%)
adding: xfind.txt (152 bytes security) (deflated 70%)
adding: backregs/89823621-97B4-4975-A95B-01F7F87E755A.reg (152 bytes security) (deflated 70%)
adding: backregs/DBEFDD73-6684-443A-9317-83E88475E15A.reg (152 bytes security) (deflated 70%)
adding: backregs/shell.reg (152 bytes security) (deflated 74%)

Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: dkeml.dll
deleting local copy: fp0s03d7e.dll
deleting local copy: iampagnt.dll
deleting local copy: IAROP.DLL
deleting local copy: iiakeng.dll
deleting local copy: l82s0if7e82.dll
deleting local copy: mamdd.dll
deleting local copy: mxjter35.dll
deleting local copy: p8r40i9qe8.dll
deleting local copy: pprfnw.dll
deleting local copy: rbcss.dll
deleting local copy: rkm.dll
deleting local copy: rqaenh.dll
deleting local copy: szimgvw.dll
deleting local copy: Upderwater.dll
deleting local copy: vdt3216.dll
deleting local copy: vnregexp.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\dkeml.dll
C:\WINDOWS\system32\fp0s03d7e.dll
C:\WINDOWS\system32\iampagnt.dll
C:\WINDOWS\system32\IAROP.DLL
C:\WINDOWS\system32\iiakeng.dll
C:\WINDOWS\system32\l82s0if7e82.dll
C:\WINDOWS\system32\mamdd.dll
C:\WINDOWS\system32\mxjter35.dll
C:\WINDOWS\system32\p8r40i9qe8.dll
C:\WINDOWS\system32\pprfnw.dll
C:\WINDOWS\system32\rbcss.dll
C:\WINDOWS\system32\rkm.dll C:\WINDOWS\system32\rqaenh.dll C:\WINDOWS\system32\szimgvw.dll C:\WINDOWS\system32\Upderwater.dll C:\WINDOWS\system32\vdt3216.dll C:\WINDOWS\system32\vnregexp.dll Registry Entries that were Deleted: Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder. **************************************************************************** REGEDIT4 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] "{89823621-97B4-4975-A95B-01F7F87E755A}"=- "{DBEFDD73-6684-443A-9317-83E88475E15A}"=- [-HKEY_CLASSES_ROOT\CLSID\{89823621-97B4-4975-A95B-01F7F87E755A}] [-HKEY_CLASSES_ROOT\CLSID\{DBEFDD73-6684-443A-9317-83E88475E15A}] REGEDIT4 [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] **************************************************************************** Desktop.ini Contents: **************************************************************************** **************************************************************************** Hijack This Log: Logfile of HijackThis v1.99.1 Scan saved at 9:11:15 AM, on 4/12/2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\CTsvcCDA.EXE C:\Program Files\NavNT\defwatch.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\NavNT\rtvscan.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\MSTask.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\system32\stisvc.exe 
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe C:\WINDOWS\System32\WBEM\WinMgmt.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\MsgSys.EXE C:\WINDOWS\system32\devldr32.exe C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe C:\Program Files\NavNT\vptray.exe C:\Program Files\Logitech\iTouch\iTouch.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe C:\WINDOWS\system32\nrnnnl.exe C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe C:\Program Files\FinePixViewer\QuickDCF.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe C:\Program Files\Creative\SBLive2k\Launcher\TaskGuide\updtray.exe C:\WINDOWS\system32\ntvdm.exe C:\WINDOWS\explorer.exe C:\PC Tools3\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://192.168.100.1/phone.html R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe O4 - HKLM\..\Run: [Creative Launcher] C:\Program 
Files\Creative\SBLive2k\Launcher\CTLauncher.exe O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600" O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\nrnnnl.exe O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe" O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: BounceBack Launcher.lnk = C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe O4 - Global Startup: Microsoft Office.lnk = 
C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe O4 - Global Startup: NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {01117B00-3E00-11D2-8470-0060089874ED} - http://activex.microsoft.com/objects/ocget.dll O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} - http://activex.microsoft.com/objects/ocget.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409 O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/083a26c72b6ae13...tzip/RdxIE.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab O16 - DPF: {AAF15A90-F3EC-4FEE-9A00-F65B25B83D05} - http://activex.microsoft.com/objects/ocget.dll O16 - DPF: 
{CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.dll O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab O18 - Protocol: offline-8876480 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe |
#12
Registered User
Join Date: Apr 2005
Posts: 19
OS: Win2000
Latest information
I have followed all the latest instructions given. Here are the log files from rkfiles, remv3, mwav, L2mfix, and HijackThis:

rkfiles log:
C:\unzipped\rkfiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\vqvvv.dat: UPX!

Files Found in all users startup Folder............
------------------------

Files Found in all users windows Folder............
------------------------
C:\WINDOWS\T3SETUP.EXE: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished bye

remv3 log:
Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------

The Registry Entries Found...
-----------------------------------------------------------------

Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C is Local Disk
Volume Serial Number is FCFD-BFDA

Directory of C:\WINDOWS\SYSTEM32

msi.dll

mwav log:
File System Found infected by "Bargain Buddy Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Lycos Sidesearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "dvx Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "AltnetBDE Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "AltnetBDE Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\system32\OkrN0Z44.exe infected by "Trojan-Downloader.Win32.VB.em" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\pgpppz.dll infected by "Trojan-Downloader.Win32.Qoologic.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\sahagent1013.exe infected by "not-a-virus:AdWare.Sahat.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\setup_incred_6.exe infected by "Trojan-Downloader.Win32.Keenval.e" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\vqvvv.dat infected by "Trojan-Downloader.Win32.Qoologic.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\w3th3rb.dll infected by "not-a-virus:AdWare.F1Organizer.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Xcite2.exe infected by "not-a-virus:AdWare.F1Organizer.m" Virus. Action Taken: No Action Taken.

L2mfix log:
L2Mfix 1.03
Running From:
C:\Documents and Settings\Biff\Desktop\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"
 - adding new ACCESS DENY entry

Registry Permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\Biff\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Biff\Desktop\l2mfix

killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1376 'explorer.exe'
Killing PID 1376 'explorer.exe'
Error 0x6 : The handle is invalid.

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!
First Pass Completed

Second Pass Scanning
Second pass Completed!

Zipping up files for submission:
updating: clear.reg (152 bytes security) (deflated 2%)
updating: echo.reg (152 bytes security) (deflated 8%)
updating: direct.txt (152 bytes security) (stored 0%)
updating: lo2.txt (152 bytes security) (deflated 71%)
updating: readme.txt (152 bytes security) (deflated 49%)
updating: test.txt (152 bytes security) (stored 0%)
updating: test2.txt (152 bytes security) (stored 0%)
updating: test3.txt (152 bytes security) (stored 0%)
updating: test5.txt (152 bytes security) (stored 0%)
adding: log.txt (152 bytes security) (deflated 81%)
updating: backregs/89823621-97B4-4975-A95B-01F7F87E755A.reg (152 bytes security) (deflated 70%)
updating: backregs/DBEFDD73-6684-443A-9317-83E88475E15A.reg (152 bytes security) (deflated 70%)
updating: backregs/shell.reg (152 bytes security) (deflated 74%)

Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 10:35:48 AM, on 4/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
C:\Program Files\Creative\SBLive2k\Launcher\TaskGuide\updtray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\explorer.exe
C:\PC Tools3\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://192.168.100.1/phone.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BounceBack Launcher.lnk = C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01117B00-3E00-11D2-8470-0060089874ED} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/083a26c72b6ae13...tzip/RdxIE.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {AAF15A90-F3EC-4FEE-9A00-F65B25B83D05} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O18 - Protocol: offline-8876480 - {70CDC01C-C97A-4FD4-887A-373C2A256BE0} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Once again, thank you for all your help. Anything else I need to do?

Frank
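Frank's two HijackThis logs from 4/12/2005 (9:11 AM in the earlier post, 10:35 AM in this one) differ only in the nrnnnl.exe process and its [KavSvc] Run entry. The Python below is an added example, not a tool from this forum or from the HijackThis project: it parses constructed cut-downs of those two logs (embedded in the script; all function names are mine), reports what disappeared between the scans, and lists any O4 entry launching a file straight out of system32.

```python
"""Diff two HijackThis (HJT) logs and report which entries disappeared.

Added example for this thread, not a tool from the forum or the HijackThis
project. The excerpts below are constructed cut-downs of the two logs posted.
"""
import re

# An HJT entry line: "R0 - ...", "O4 - ...", "O16 - ...", "O23 - ..." etc.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")

# An O4 Run/RunServices entry launching a file that sits directly in system32
# (no sub-folder); with a non-descriptive run name this is the pattern the
# helper in this thread kept sending to Killbox.
SYSTEM32_RUN_RE = re.compile(
    r"^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Services)?: \[(?P<name>[^\]]+)\] "
    r'"?(?P<path>[A-Za-z]:\\WINDOWS\\system32\\[^\\" ]+\.exe)',
    re.IGNORECASE,
)


def parse_hjt_log(text):
    """Return (running processes, entry lines); header lines are skipped so
    two scans taken at different times compare on content only."""
    processes, entries = set(), set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_processes = True
        elif ENTRY_RE.match(line):
            in_processes = False  # first R/O entry ends the process list
            entries.add(line)
        elif in_processes:
            processes.add(line)
    return processes, entries


def diff_hjt_logs(before, after):
    """What vanished from, and what appeared in, the second log."""
    procs_b, ents_b = parse_hjt_log(before)
    procs_a, ents_a = parse_hjt_log(after)
    return {
        "processes_gone": sorted(procs_b - procs_a),
        "processes_new": sorted(procs_a - procs_b),
        "entries_gone": sorted(ents_b - ents_a),
        "entries_new": sorted(ents_a - ents_b),
    }


def system32_autoruns(entries):
    """Map run-key name -> path for O4 entries launching straight from system32."""
    hits = {}
    for line in entries:
        m = SYSTEM32_RUN_RE.match(line)
        if m:
            hits[m.group("name")] = m.group("path")
    return hits


# Constructed excerpt of the 9:11 AM log (before the last clean-up round).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:11:15 AM, on 4/12/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nrnnnl.exe
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\nrnnnl.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
"""

# Constructed excerpt of the 10:35 AM log (after the clean-up round).
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:35:48 AM, on 4/12/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
"""


def diff_thread_excerpts():
    """Diff the two excerpts: only the nrnnnl.exe process and its Run entry differ."""
    return diff_hjt_logs(LOG_BEFORE, LOG_AFTER)


if __name__ == "__main__":
    for key, lines in diff_thread_excerpts().items():
        print(f"{key}: {lines}")
    print("system32 autoruns before:", system32_autoruns(parse_hjt_log(LOG_BEFORE)[1]))
```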
#13
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Oooooooooooooo..we are real close Frank. Few more....
Reboot into safe mode. Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot", "Unload Explorer shell" and checkmark the box "Unregistered DLL" (If available). Click the RED X and it will ask to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINDOWS\SYSTEM32\vqvvv.dat
C:\WINDOWS\system32\OkrN0Z44.exe
C:\WINDOWS\system32\pgpppz.dll
C:\WINDOWS\system32\sahagent1013.exe
C:\WINDOWS\system32\setup_incred_6.exe
C:\WINDOWS\system32\w3th3rb.dll
C:\WINDOWS\system32\Xcite2.exe

Once back to normal windows run the cleanup utility. Then give me a set of logs for the following...
Mwav
Rkfiles
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
#14
Registered User
Join Date: Apr 2005
Posts: 19
OS: Win2000
New Mwav and Rkfiles logs
Mwav log:
File System Found infected by "Bargain Buddy Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Lycos Sidesearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "dvx Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ezula Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "AltnetBDE Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "AltnetBDE Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

Rkfiles log:
C:\unzipped\rkfiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Files Found in system Folder............
------------------------

Files Found in all users startup Folder............
------------------------

Files Found in all users windows Folder............
------------------------
C:\WINDOWS\T3SETUP.EXE: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished bye

That's it. What's next?

Thanks, Frank
|
|
|
|
#15
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter

Your logs are clean. Any more issues? If not you should be good to go. Please read through the spyware prevention section on how to protect yourself from spyware/adware Here and use the recommended programs and methods to protect yourself! Make sure you use those programs from the link above. Prevention is the answer!!!
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
#16
Registered User
Join Date: Apr 2005
Posts: 19
OS: Win2000
Thank You and other issues.
First of all, thank you very much for your help. Secondly, the only issue I have left is something called ActualNames which the program PestPatrol detects but is unable to get rid of. Any suggestions? Lastly, I think it is important to note that in your directions for running Killbox you fail to mention that the first window that pops up (after pasting an entry) is a confirmation window as to whether or not you want to delete the item, THEN a second window opens up asking whether or not to reboot. I didn't realize this until yesterday morning so I was pasting all entries but not deleting them because I kept answering no in the first window, then moving on to the next entry. My apologies for not realizing that in the beginning, but thought it might be helpful to clarify this in your directions (for dummies like me!).
Thanks again, Frank
#17
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter

Thanks Frank... The KILLBOX version is new, so it acts differently from the older version. I'll adjust my speech for it. Second, on the ActualNames entry: PestPatrol is likely picking up its registry entry. So if you're sure it's removed from the PC, remove its registry entries.
Check your Add/Remove Programs for a program named AdvSearch and remove it if found. Have a look here for the registry keys involved... http://securityresponse.symantec.com...tualnames.html
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder