#1

Registered User
Join Date: Aug 2005
Posts: 14
OS: xp
WinFixer returns
WinFixer 2005 tries to download whenever the internet is connected. I have run Ewido (log below), CWShredder (it seemed to have problems on the restart, with a window declaring it had problems), SpyBot, and AdAware. All found stuff and supposedly deleted it. I then ran HijackThis (log is below). Would appreciate help in reading the log and further actions. Thank you in advance.
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:13:20 AM, 8/17/2005
+ Report-Checksum: 3E5FF344

+ Scan result:

[220] C:\WINDOWS\system32\mvhgrcoi.dll -> Spyware.Look2Me : Error during cleaning
[652] C:\WINDOWS\system32\dItime.dll -> Spyware.Look2Me : Error during cleaning
[728] C:\WINDOWS\system32\dItime.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Y507EXGN\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\RECYCLER\NPROTECT\00044247.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00044277.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173784.dll -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173785.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173786.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173787.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173788.ocx -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173789.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173796.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173797.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173798.exe -> Spyware.CashBack : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173799.exe -> Spyware.CashBack : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173802.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173803.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173804.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173805.exe -> Spyware.CashBack : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173806.exe -> Spyware.CashBack : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173816.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173820.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173823.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173824.dll -> Spyware.WurldMedia : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173825.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173826.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173827.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173828.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173829.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173830.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173831.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173832.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP509\A0173842.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\cMtsrv.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dlgeng.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\JPIUtil4.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kldhe220.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kzdcz2.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\Temp\b.com -> TrojanDropper.Agent.pb : Cleaned with backup

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 5:53:33 AM, on 8/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Venturi2\Configurator\ventcfg.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\S3tray2.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Documents and Settings\Owner\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/info/e-center-p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AirCardEnabler] C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi2\Configurator\ventcfg.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\Wireless Network PC Card\WPC11CFG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/co...rolLite_EN.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://208.62.27.145/TSCOM_TOOL/IFTW...S/IFTWCLIX.CAB
O16 - DPF: {6BA1270C-B969-4234-B827-7B3BBB4F5FFC} - http://63.99.207.62/builds//build1539/install.cab
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.trainingclips.com/stream/TSCCinst.cab
O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - http://www.tradestation.com/tscom/Cl...gIn/tsTemp.cab
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\mvhgrcoi.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Venturi2 Client (Venturi2) - Venturi Wireless - C:\Program Files\Venturi2\Client\ventc.exe
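Editor's added example (not part of the thread, and not code from HijackThis, ewido or L2MFix): a small triage pass over HJT log lines that pulls out the two entry types the helpers in this thread key on, an O20 Winlogon Notify package loading a DLL that is not one of the stock XP notify packages (Look2Me's random-named system32 DLL above), and an O16 DPF ActiveX download hosted on a bare IP address. The sample lines are copied from the log posted above; KNOWN_NOTIFY_DLLS is an assumption for illustration, not an authoritative allow-list.

```python
"""Triage a HijackThis v1.99-style log for O20 Winlogon Notify packages and
O16 DPF ActiveX downloads.

Added example for this thread; not code from HijackThis, ewido or L2MFix.
KNOWN_NOTIFY_DLLS is an assumption (stock Windows XP notify DLLs)."""
import re
from dataclasses import dataclass

# Assumption: bare file names of the stock Windows XP Winlogon Notify packages.
# Any other name, or any full path, under Winlogon\Notify deserves a look.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll",
}

HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
O20_NOTIFY = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<dll>.+)$")
O16_DPF = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \(.*?\))? - (?P<url>\S+)$")
# Download host written as a bare IPv4 address instead of a hostname.
BARE_IP_URL = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/", re.I)


@dataclass
class Finding:
    code: str    # HJT section code, e.g. "O20"
    reason: str  # why the entry was flagged
    line: str    # the original log line


def triage(log_text: str) -> list[Finding]:
    """Return the HJT lines worth escalating, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # header, blank line, or a "Running processes" path
        code, body = m.group("code"), m.group("body")
        if code == "O20":
            n = O20_NOTIFY.match(body)
            if not n:
                continue  # e.g. an AppInit_DLLs entry; not handled here
            dll = n.group("dll")
            base = dll.rsplit("\\", 1)[-1].lower()
            if "\\" in dll or base not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding(
                    code,
                    f"Winlogon Notify package '{n.group('name')}' loads "
                    f"unrecognised DLL {dll}",
                    line))
        elif code == "O16":
            d = O16_DPF.match(body)
            if d and BARE_IP_URL.match(d.group("url")):
                findings.append(Finding(
                    code,
                    f"ActiveX download from a bare IP address: {d.group('url')}",
                    line))
    return findings


# Constructed sample: lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://208.62.27.145/TSCOM_TOOL/IFTW...S/IFTWCLIX.CAB
O16 - DPF: {6BA1270C-B969-4234-B827-7B3BBB4F5FFC} - http://63.99.207.62/builds//build1539/install.cab
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\mvhgrcoi.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}")
```

Run as a script it prints the three flagged lines from the sample; point `triage()` at a full saved log to get the same list for a real scan. The O20 rule is deliberately strict: a full path in a Winlogon Notify entry is unusual on a stock XP box, which is exactly why the log above is worth escalating even before the file name is looked up.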
#2

Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,625
OS: 2000 Pro; XP Pro; XP Home
Please read these instructions carefully, and do the procedures in the order outlined.

Download L2MFix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Close any programs you have open since this step requires a reboot. From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2MFix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Also, please do the following:

Download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what's left in the system.

Perform an online scan with Internet Explorer with Panda ActiveScan - requires Internet Explorer

Last, run a new scan with HJT, and post that log here as well.

So I need the following logs:
L2MFix fix log
TrendMicro Antispyware.log
Panda ActiveScan log
HJT log
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.

#3

Registered User
Join Date: Aug 2005
Posts: 14
OS: xp
close but then got reinfected
Did the l2mfix procedure. Did the Trend Micro scan and got a clean scan the 2nd time. Hooked up the internet to download the Panda live scan and immediately got hit with the WinFixer again as well as 3-4 more adwares: Lavasoft, adDestroyer, Virtual Bouncer, and then I unplugged the internet....!
I have the logs if you want them. I did not end up scanning with Panda, the internet was jammed with incoming... did not do HijackThis either. Very frustrated. Thanks for helping.
#5

Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,625
OS: 2000 Pro; XP Pro; XP Home
Where you go from here is to please provide the logs asked for, so that we may examine the results and give further instructions.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.

#6

Registered User
Join Date: Aug 2005
Posts: 14
OS: xp
I think my post came off wrong, I'm sorry
In my reply I said "thanks for helping". In looking at how it was written, I believe it may have come across wrong. I genuinely meant Thank You...I apologize if it came across as being sarcastic. It was NOT meant to be that. I'm frustrated and am very thankful for this forum's and your help. I did not include the logs because I thought after it got reinfected, they would be meaningless. Here they are. Hope they can still be of use. The Panda scan never completed because of the deluge of incoming adware programs, so it is unavailable.
L2Mfix 1.03c

Running From:
C:\Documents and Settings\Owner\Desktop\Laptop fix\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"
 - adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\Owner\Desktop\Laptop fix\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Owner\Desktop\Laptop fix\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1768 'explorer.exe'
Killing PID 1768 'explorer.exe'
Killing PID 1768 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1236 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Backing Up: C:\WINDOWS\system32\dItime.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dItime.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ijrop.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ijrop.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MTC71ITA.DLL
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\MTC71ITA.DLL
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\slripto.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\slripto.dll
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
        1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
        1 file(s) copied.

deleting: C:\WINDOWS\system32\dItime.dll
Successfully Deleted: C:\WINDOWS\system32\dItime.dll
deleting: C:\WINDOWS\system32\dItime.dll
Successfully Deleted: C:\WINDOWS\system32\dItime.dll
deleting: C:\WINDOWS\system32\ijrop.dll
Successfully Deleted: C:\WINDOWS\system32\ijrop.dll
deleting: C:\WINDOWS\system32\ijrop.dll
Successfully Deleted: C:\WINDOWS\system32\ijrop.dll
deleting: C:\WINDOWS\system32\MTC71ITA.DLL
Successfully Deleted: C:\WINDOWS\system32\MTC71ITA.DLL
deleting: C:\WINDOWS\system32\MTC71ITA.DLL
Successfully Deleted: C:\WINDOWS\system32\MTC71ITA.DLL
deleting: C:\WINDOWS\system32\slripto.dll
Successfully Deleted: C:\WINDOWS\system32\slripto.dll
deleting: C:\WINDOWS\system32\slripto.dll
Successfully Deleted: C:\WINDOWS\system32\slripto.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Zipping up files for submission:
adding: dItime.dll (164 bytes security) (deflated 48%)
adding: ijrop.dll (164 bytes security) (deflated 48%)
adding: MTC71ITA.DLL (164 bytes security) (deflated 48%)
adding: slripto.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 22%)
adding: echo.reg (164 bytes security) (deflated 12%)
adding: direct.txt (164 bytes security) (deflated 2%)
adding: lo2.txt (164 bytes security) (deflated 80%)
adding: readme.txt (164 bytes security) (deflated 50%)
adding: test.txt (164 bytes security) (deflated 79%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: xfind.txt (164 bytes security) (deflated 75%)
adding: backregs/F77B9E0C-A431-455C-89EA-F35C75E4DB3B.reg (164 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Warning (option /rga:(ci)) - There is no ACE to remove!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ...
successful

Restoring Windows Update Certificates.:

deleting local copy: dItime.dll
deleting local copy: dItime.dll
deleting local copy: ijrop.dll
deleting local copy: ijrop.dll
deleting local copy: MTC71ITA.DLL
deleting local copy: MTC71ITA.DLL
deleting local copy: slripto.dll
deleting local copy: slripto.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mvhgrcoi.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\dItime.dll
C:\WINDOWS\system32\dItime.dll
C:\WINDOWS\system32\ijrop.dll
C:\WINDOWS\system32\ijrop.dll
C:\WINDOWS\system32\MTC71ITA.DLL
C:\WINDOWS\system32\MTC71ITA.DLL
C:\WINDOWS\system32\slripto.dll
C:\WINDOWS\system32\slripto.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{F77B9E0C-A431-455C-89EA-F35C75E4DB3B}"=-

[-HKEY_CLASSES_ROOT\CLSID\{F77B9E0C-A431-455C-89EA-F35C75E4DB3B}]

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\Morpheus'
Found '' in 'SOFTWARE\Classes\.xmfg'
Found '' in 'SOFTWARE\Classes\CLSID\{21F16767-8DA7-4113-BEB0-F161B313407F}'
Found '' in 'SOFTWARE\Classes\CLSID\{21F16767-8DA7-4113-BEB0-F161B313407F}\Control'
Found '' in 'SOFTWARE\Classes\CLSID\{21F16767-8DA7-4113-BEB0-F161B313407F}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{21F16767-8DA7-4113-BEB0-F161B313407F}\MiscStatus'
Found '' in 'SOFTWARE\Classes\CLSID\{21F16767-8DA7-4113-BEB0-F161B313407F}\MiscStatus\1'
Found '' in 'SOFTWARE\Classes\CLSID\{21F16767-8DA7-4113-BEB0-F161B313407F}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{21F16767-8DA7-4113-BEB0-F161B313407F}\ToolboxBitmap32'
Found '' in 'SOFTWARE\Classes\CLSID\{21F16767-8DA7-4113-BEB0-F161B313407F}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{21F16767-8DA7-4113-BEB0-F161B313407F}\Version'
Found '' in 'SOFTWARE\Classes\CLSID\{B666CF5A-B50A-49E4-8354-37AC595C5B7E}'
Found '' in 'SOFTWARE\Classes\CLSID\{B666CF5A-B50A-49E4-8354-37AC595C5B7E}\InprocServer32'
Found '' in 'SOFTWARE\Classes\TypeLib\{6043F8F5-4FBE-47DA-A789-146B02AE6FA0}\1.0'
Found '' in 'SOFTWARE\Classes\TypeLib\{6043F8F5-4FBE-47DA-A789-146B02AE6FA0}\1.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{6043F8F5-4FBE-47DA-A789-146B02AE6FA0}\1.0\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{6043F8F5-4FBE-47DA-A789-146B02AE6FA0}\1.0\HELPDIR'
Found '' in 'SOFTWARE\Classes\XMIRAGE.XMirageCtrl.1'
Found '' in 'SOFTWARE\Classes\XMIRAGE.XMirageCtrl.1\CLSID'
Found '' in 'SOFTWARE\Classes\CLSID\{F02C0AE1-D796-42C9-81E1-084D88F79B8E}'
Found '' in 'SOFTWARE\Classes\CLSID\{F02C0AE1-D796-42C9-81E1-084D88F79B8E}\InProcServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{F02C0AE1-D796-42C9-81E1-084D88F79B8E}\ProgID'
Found '' in 'SOFTWARE\Classes\GnucDNA.Core'
Found '' in 'SOFTWARE\Classes\GnucDNA.Core\CLSID'
Found '' in 'SOFTWARE\Classes\Interface\{0BE385A3-85A5-4722-B677-68DAE891FF21}'
Found '' in 'SOFTWARE\Classes\Interface\{0BE385A3-85A5-4722-B677-68DAE891FF21}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{0BE385A3-85A5-4722-B677-68DAE891FF21}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{0BE385A3-85A5-4722-B677-68DAE891FF21}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{272C0D60-0561-4C83-B3DB-EB0A71F9D2EB}'
Found '' in 'SOFTWARE\Classes\Interface\{272C0D60-0561-4C83-B3DB-EB0A71F9D2EB}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{272C0D60-0561-4C83-B3DB-EB0A71F9D2EB}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{272C0D60-0561-4C83-B3DB-EB0A71F9D2EB}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{284477E4-A7CB-4055-9E1B-0EA7CBA28945}'
Found '' in 'SOFTWARE\Classes\Interface\{284477E4-A7CB-4055-9E1B-0EA7CBA28945}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{284477E4-A7CB-4055-9E1B-0EA7CBA28945}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{284477E4-A7CB-4055-9E1B-0EA7CBA28945}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{70CA4938-6A0F-4641-A9A9-C936E4C1E7DE}'
Found '' in 'SOFTWARE\Classes\Interface\{70CA4938-6A0F-4641-A9A9-C936E4C1E7DE}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{70CA4938-6A0F-4641-A9A9-C936E4C1E7DE}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{70CA4938-6A0F-4641-A9A9-C936E4C1E7DE}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{7468213E-010E-4EC6-A17D-642E909BA7EC}'
Found '' in 'SOFTWARE\Classes\Interface\{7468213E-010E-4EC6-A17D-642E909BA7EC}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{7468213E-010E-4EC6-A17D-642E909BA7EC}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{7468213E-010E-4EC6-A17D-642E909BA7EC}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{89DC33A2-F86F-42A1-8B5F-D4D1943EFC9C}'
Found '' in 'SOFTWARE\Classes\Interface\{89DC33A2-F86F-42A1-8B5F-D4D1943EFC9C}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{89DC33A2-F86F-42A1-8B5F-D4D1943EFC9C}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{89DC33A2-F86F-42A1-8B5F-D4D1943EFC9C}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{B86F4810-19A9-4050-9AC9-B5CF60B5799A}'
Found '' in 'SOFTWARE\Classes\Interface\{B86F4810-19A9-4050-9AC9-B5CF60B5799A}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{B86F4810-19A9-4050-9AC9-B5CF60B5799A}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{B86F4810-19A9-4050-9AC9-B5CF60B5799A}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{BB5B7E14-F8B4-4365-A24D-F4965C33E1EE}'
Found '' in 'SOFTWARE\Classes\Interface\{BB5B7E14-F8B4-4365-A24D-F4965C33E1EE}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{BB5B7E14-F8B4-4365-A24D-F4965C33E1EE}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{BB5B7E14-F8B4-4365-A24D-F4965C33E1EE}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{C13D4627-02F5-4B03-897A-BF6A90022DD2}'
Found '' in 'SOFTWARE\Classes\Interface\{C13D4627-02F5-4B03-897A-BF6A90022DD2}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{C13D4627-02F5-4B03-897A-BF6A90022DD2}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{C13D4627-02F5-4B03-897A-BF6A90022DD2}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{C636F1FC-6AE4-4E6A-90AB-6D61D821A0DD}'
Found '' in 'SOFTWARE\Classes\Interface\{C636F1FC-6AE4-4E6A-90AB-6D61D821A0DD}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{C636F1FC-6AE4-4E6A-90AB-6D61D821A0DD}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{C636F1FC-6AE4-4E6A-90AB-6D61D821A0DD}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{CB971AC0-6408-40DA-A540-92F9F256F51F}'
Found '' in 'SOFTWARE\Classes\Interface\{CB971AC0-6408-40DA-A540-92F9F256F51F}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{CB971AC0-6408-40DA-A540-92F9F256F51F}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{CB971AC0-6408-40DA-A540-92F9F256F51F}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{D5694DFE-43B6-4E05-AA29-8C556C968973}'
Found '' in 'SOFTWARE\Classes\Interface\{D5694DFE-43B6-4E05-AA29-8C556C968973}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{D5694DFE-43B6-4E05-AA29-8C556C968973}\ProxyStubClsid32'
Found '' in
'SOFTWARE\Classes\Interface\{D5694DFE-43B6-4E05-AA29-8C556C968973}\TypeLib' Found '' in 'SOFTWARE\Classes\Interface\{E2032EC2-A9AC-4ED7-9BDB-EBECACF076F2}' Found '' in 'SOFTWARE\Classes\Interface\{E2032EC2-A9AC-4ED7-9BDB-EBECACF076F2}\ProxyStubClsid' Found '' in 'SOFTWARE\Classes\Interface\{E2032EC2-A9AC-4ED7-9BDB-EBECACF076F2}\ProxyStubClsid32' Found '' in 'SOFTWARE\Classes\Interface\{E2032EC2-A9AC-4ED7-9BDB-EBECACF076F2}\TypeLib' Found '' in 'SOFTWARE\Classes\Interface\{EBAB4A71-8C34-461A-B57D-DD041D439555}' Found '' in 'SOFTWARE\Classes\Interface\{EBAB4A71-8C34-461A-B57D-DD041D439555}\ProxyStubClsid' Found '' in 'SOFTWARE\Classes\Interface\{EBAB4A71-8C34-461A-B57D-DD041D439555}\ProxyStubClsid32' Found '' in 'SOFTWARE\Classes\Interface\{EBAB4A71-8C34-461A-B57D-DD041D439555}\TypeLib' Found '' in 'SOFTWARE\Classes\Interface\{F06FEA43-0CC3-4BF6-A85B-5EFB1C07AA4B}' Found '' in 'SOFTWARE\Classes\Interface\{F06FEA43-0CC3-4BF6-A85B-5EFB1C07AA4B}\ProxyStubClsid' Found '' in 'SOFTWARE\Classes\Interface\{F06FEA43-0CC3-4BF6-A85B-5EFB1C07AA4B}\ProxyStubClsid32' Found '' in 'SOFTWARE\Classes\Interface\{F06FEA43-0CC3-4BF6-A85B-5EFB1C07AA4B}\TypeLib' Found '' in 'SOFTWARE\Classes\Interface\{FC94A0F7-9C7C-4AE2-9106-5C212332B209}' Found '' in 'SOFTWARE\Classes\Interface\{FC94A0F7-9C7C-4AE2-9106-5C212332B209}\ProxyStubClsid' Found '' in 'SOFTWARE\Classes\Interface\{FC94A0F7-9C7C-4AE2-9106-5C212332B209}\ProxyStubClsid32' Found '' in 'SOFTWARE\Classes\Interface\{FC94A0F7-9C7C-4AE2-9106-5C212332B209}\TypeLib' Found '' in 'SOFTWARE\Classes\morpheus' Found '' in 'SOFTWARE\Classes\morpheus\DefaultIcon' Found '' in 'SOFTWARE\Classes\morpheus\shell\open\command' Found '' in 'SOFTWARE\Morpheus\Matrix' Found '' in 'SOFTWARE\Morpheus\MediaManager' Found '' in 'SOFTWARE\ClickSpring' Internet URL Shortcuts Files and Directories Found 's4Setp.exe' in 'C:\Documents and Settings\Owner\Local Settings\Temp' Found 'Folder.ico' in 'C:\Program Files\StreamCast\Morpheus' Found 'Morpheus.exe' in 
'C:\Program Files\StreamCast\Morpheus' Found 'muninstall.exe' in 'C:\Program Files\StreamCast\Morpheus' Found '' in 'C:\Program Files\StreamCast\Morpheus\Schemas' Found 'application.xml' in 'C:\Program Files\StreamCast\Morpheus\Schemas' Found 'application.xsd' in 'C:\Program Files\StreamCast\Morpheus\Schemas' Found 'document.xml' in 'C:\Program Files\StreamCast\Morpheus\Schemas' Found 'document.xsd' in 'C:\Program Files\StreamCast\Morpheus\Schemas' Found 'image.xml' in 'C:\Program Files\StreamCast\Morpheus\Schemas' Found 'image.xsd' in 'C:\Program Files\StreamCast\Morpheus\Schemas' Found 'rom.xml' in 'C:\Program Files\StreamCast\Morpheus\Schemas' Found 'rom.xsd' in 'C:\Program Files\StreamCast\Morpheus\Schemas' Found 'video.xml' in 'C:\Program Files\StreamCast\Morpheus\Schemas' Found 'CWRKArea.wrk' in 'C:\Program Files\TradeStation 7.2 (Build 1563)\MyWork\EL13.tmp' Found 'DWRKArea.wrk' in 'C:\Program Files\TradeStation 7.2 (Build 1563)\MyWork\EL13.tmp' Found 'MCATArea.wrk' in 'C:\Program Files\TradeStation 7.2 (Build 1563)\MyWork\EL13.tmp' Found 'CWRKArea.wrk' in 'C:\Program Files\TradeStation 8.0 (Build 1869)\MyWork\EL13.tmp' Found 'DWRKArea.wrk' in 'C:\Program Files\TradeStation 8.0 (Build 1869)\MyWork\EL13.tmp' Found 'MCATArea.wrk' in 'C:\Program Files\TradeStation 8.0 (Build 1869)\MyWork\EL13.tmp' Found 'CWRKArea.wrk' in 'C:\Program Files\TradeStation 8.1 (Build 2172)\MyWork\EL13.tmp' Found 'DWRKArea.wrk' in 'C:\Program Files\TradeStation 8.1 (Build 2172)\MyWork\EL13.tmp' Found 'MCATArea.wrk' in 'C:\Program Files\TradeStation 8.1 (Build 2172)\MyWork\EL13.tmp' Found 'screengenie.scr' in 'C:\WINDOWS' Found 'Decln.dll' in 'C:\WINDOWS\system32' Found 'Declw.dll' in 'C:\WINDOWS\system32' Found 'mfimage.dll' in 'C:\WINDOWS\system32' Found 'npmirage.dll' in 'C:\WINDOWS\system32' Found 'xmforgert.exe' in 'C:\WINDOWS\system32' Found 'XMirage.ocx' in 'C:\WINDOWS\system32' Found 'GLF12.tmp' in 'C:\WINDOWS\Temp' Finished Scanning Started Backup Finished Backup Started 
Cleaning Checking for 'C:\Documents and Settings\Owner\Local Settings\Temp\s4Setp.exe' in shortcut areas. Checking for 'C:\Documents and Settings\Owner\Local Settings\Temp\s4Setp.exe' in startup areas. Cleaning 'C:\Documents and Settings\Owner\Local Settings\Temp\s4Setp.exe' Checking for 'C:\Program Files\StreamCast\Morpheus\Folder.ico' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Folder.ico' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Folder.ico' Checking for 'C:\Program Files\StreamCast\Morpheus\Morpheus.exe' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Morpheus.exe' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Morpheus.exe' Checking for 'C:\Program Files\StreamCast\Morpheus\muninstall.exe' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\muninstall.exe' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\muninstall.exe' Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas' Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\application.xml' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\application.xml' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas\application.xml' Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\application.xsd' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\application.xsd' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas\application.xsd' Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\audio.xml' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\audio.xml' in startup areas. 
Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas\audio.xml' Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\audio.xsd' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\audio.xsd' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas\audio.xsd' Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\document.xml' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\document.xml' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas\document.xml' Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\document.xsd' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\document.xsd' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas\document.xsd' Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\image.xml' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\image.xml' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas\image.xml' Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\image.xsd' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\image.xsd' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas\image.xsd' Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\rom.xml' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\rom.xml' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas\rom.xml' Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\rom.xsd' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\rom.xsd' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas\rom.xsd' Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\video.xml' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\video.xml' in startup areas. 
Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas\video.xml' Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\video.xsd' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\video.xsd' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas\video.xsd' Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\application.xml' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\application.xml' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas\application.xml' [SCANMODS] The file 'C:\Program Files\StreamCast\Morpheus\Schemas\application.xml' was not found. Most likely already cleaned by another scanner module. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\application.xsd' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\application.xsd' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas\application.xsd' [SCANMODS] The file 'C:\Program Files\StreamCast\Morpheus\Schemas\application.xsd' was not found. Most likely already cleaned by another scanner module. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\document.xml' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\document.xml' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas\document.xml' [SCANMODS] The file 'C:\Program Files\StreamCast\Morpheus\Schemas\document.xml' was not found. Most likely already cleaned by another scanner module. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\document.xsd' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\document.xsd' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas\document.xsd' [SCANMODS] The file 'C:\Program Files\StreamCast\Morpheus\Schemas\document.xsd' was not found. Most likely already cleaned by another scanner module. 
Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\image.xml' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\image.xml' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas\image.xml' [SCANMODS] The file 'C:\Program Files\StreamCast\Morpheus\Schemas\image.xml' was not found. Most likely already cleaned by another scanner module. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\image.xsd' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\image.xsd' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas\image.xsd' [SCANMODS] The file 'C:\Program Files\StreamCast\Morpheus\Schemas\image.xsd' was not found. Most likely already cleaned by another scanner module. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\rom.xml' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\rom.xml' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas\rom.xml' [SCANMODS] The file 'C:\Program Files\StreamCast\Morpheus\Schemas\rom.xml' was not found. Most likely already cleaned by another scanner module. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\rom.xsd' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\rom.xsd' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas\rom.xsd' [SCANMODS] The file 'C:\Program Files\StreamCast\Morpheus\Schemas\rom.xsd' was not found. Most likely already cleaned by another scanner module. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\video.xml' in shortcut areas. Checking for 'C:\Program Files\StreamCast\Morpheus\Schemas\video.xml' in startup areas. Cleaning 'C:\Program Files\StreamCast\Morpheus\Schemas\video.xml' [SCANMODS] The file 'C:\Program Files\StreamCast\Morpheus\Schemas\video.xml' was not found. Most likely already cleaned by another scanner module. 
Checking for 'C:\Program Files\TradeStation 7.2 (Build 1563)\MyWork\EL13.tmp\CWRKArea.wrk' in shortcut areas. Checking for 'C:\Program Files\TradeStation 7.2 (Build 1563)\MyWork\EL13.tmp\CWRKArea.wrk' in startup areas. Cleaning 'C:\Program Files\TradeStation 7.2 (Build 1563)\MyWork\EL13.tmp\CWRKArea.wrk' Checking for 'C:\Program Files\TradeStation 7.2 (Build 1563)\MyWork\EL13.tmp\DWRKArea.wrk' in shortcut areas. Checking for 'C:\Program Files\TradeStation 7.2 (Build 1563)\MyWork\EL13.tmp\DWRKArea.wrk' in startup areas. Cleaning 'C:\Program Files\TradeStation 7.2 (Build 1563)\MyWork\EL13.tmp\DWRKArea.wrk' Checking for 'C:\Program Files\TradeStation 7.2 (Build 1563)\MyWork\EL13.tmp\MCATArea.wrk' in shortcut areas. Checking for 'C:\Program Files\TradeStation 7.2 (Build 1563)\MyWork\EL13.tmp\MCATArea.wrk' in startup areas. Cleaning 'C:\Program Files\TradeStation 7.2 (Build 1563)\MyWork\EL13.tmp\MCATArea.wrk' Checking for 'C:\Program Files\TradeStation 8.0 (Build 1869)\MyWork\EL13.tmp\CWRKArea.wrk' in shortcut areas. Checking for 'C:\Program Files\TradeStation 8.0 (Build 1869)\MyWork\EL13.tmp\CWRKArea.wrk' in startup areas. Cleaning 'C:\Program Files\TradeStation 8.0 (Build 1869)\MyWork\EL13.tmp\CWRKArea.wrk' Checking for 'C:\Program Files\TradeStation 8.0 (Build 1869)\MyWork\EL13.tmp\DWRKArea.wrk' in shortcut areas. Checking for 'C:\Program Files\TradeStation 8.0 (Build 1869)\MyWork\EL13.tmp\DWRKArea.wrk' in startup areas. Cleaning 'C:\Program Files\TradeStation 8.0 (Build 1869)\MyWork\EL13.tmp\DWRKArea.wrk' Checking for 'C:\Program Files\TradeStation 8.0 (Build 1869)\MyWork\EL13.tmp\MCATArea.wrk' in shortcut areas. Checking for 'C:\Program Files\TradeStation 8.0 (Build 1869)\MyWork\EL13.tmp\MCATArea.wrk' in startup areas. Cleaning 'C:\Program Files\TradeStation 8.0 (Build 1869)\MyWork\EL13.tmp\MCATArea.wrk' Checking for 'C:\Program Files\TradeStation 8.1 (Build 2172)\MyWork\EL13.tmp\CWRKArea.wrk' in shortcut areas. 
Checking for 'C:\Program Files\TradeStation 8.1 (Build 2172)\MyWork\EL13.tmp\CWRKArea.wrk' in startup areas. Cleaning 'C:\Program Files\TradeStation 8.1 (Build 2172)\MyWork\EL13.tmp\CWRKArea.wrk' Checking for 'C:\Program Files\TradeStation 8.1 (Build 2172)\MyWork\EL13.tmp\DWRKArea.wrk' in shortcut areas. Checking for 'C:\Program Files\TradeStation 8.1 (Build 2172)\MyWork\EL13.tmp\DWRKArea.wrk' in startup areas. Cleaning 'C:\Program Files\TradeStation 8.1 (Build 2172)\MyWork\EL13.tmp\DWRKArea.wrk' Checking for 'C:\Program Files\TradeStation 8.1 (Build 2172)\MyWork\EL13.tmp\MCATArea.wrk' in shortcut areas. Checking for 'C:\Program Files\TradeStation 8.1 (Build 2172)\MyWork\EL13.tmp\MCATArea.wrk' in startup areas. Cleaning 'C:\Program Files\TradeStation 8.1 (Build 2172)\MyWork\EL13.tmp\MCATArea.wrk' Checking for 'C:\WINDOWS\screengenie.scr' in shortcut areas. Checking for 'C:\WINDOWS\screengenie.scr' in startup areas. Cleaning 'C:\WINDOWS\screengenie.scr' Checking for 'C:\WINDOWS\system32\Decln.dll' in shortcut areas. Checking for 'C:\WINDOWS\system32\Decln.dll' in startup areas. Cleaning 'C:\WINDOWS\system32\Decln.dll' Checking for 'C:\WINDOWS\system32\Declw.dll' in shortcut areas. Checking for 'C:\WINDOWS\system32\Declw.dll' in startup areas. Cleaning 'C:\WINDOWS\system32\Declw.dll' Checking for 'C:\WINDOWS\system32\mfimage.dll' in shortcut areas. Checking for 'C:\WINDOWS\system32\mfimage.dll' in startup areas. Cleaning 'C:\WINDOWS\system32\mfimage.dll' Checking for 'C:\WINDOWS\system32\npmirage.dll' in shortcut areas. Checking for 'C:\WINDOWS\system32\npmirage.dll' in startup areas. Cleaning 'C:\WINDOWS\system32\npmirage.dll' Checking for 'C:\WINDOWS\system32\xmforgert.exe' in shortcut areas. Checking for 'C:\WINDOWS\system32\xmforgert.exe' in startup areas. Cleaning 'C:\WINDOWS\system32\xmforgert.exe' Checking for 'C:\WINDOWS\system32\XMirage.ocx' in shortcut areas. Checking for 'C:\WINDOWS\system32\XMirage.ocx' in startup areas. 
Cleaning 'C:\WINDOWS\system32\XMirage.ocx'
Checking for 'C:\WINDOWS\Temp\GLF12.tmp' in shortcut areas.
Checking for 'C:\WINDOWS\Temp\GLF12.tmp' in startup areas.
Cleaning 'C:\WINDOWS\Temp\GLF12.tmp'
Finished Cleaning

The 2nd time through, there was no log, but the window had said it was clean with nothing found. Hope this can be still of help. Thanks. |
|
|
|
|
#7 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,625
OS: 2000 Pro; XP Pro; XP Home
|
Hi hplus10 -
No bad intent or sarcasm was felt here....I was just letting you know what we need to help you...I apologize back to you if I came across as anything but trying to get the information needed to help you.

We still need a fresh HJT log, so that we may see what is left in your system. IF possible, do any further communication and downloads required from another system, so that the infected one can remain disconnected until we get you clean and more secure.

Also, please do the following:

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip
Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'
Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'
Press 'Save' and select the location to save the log file (default is the same folder as the application)
Post the log in this thread.

Right click on http://www.silentrunners.org/Silent%20Runners.vbs and choose Save As...Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post.

Cheers,
TB
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message. |
|
|
|
|
#8 (permalink) |
|
Registered User
Join Date: Aug 2005
Posts: 14
OS: xp
|
Start Dreck does not work
TetonBob...ran HJT, here's the log
Logfile of HijackThis v1.99.1
Scan saved at 8:15:02 PM, on 8/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Venturi2\Configurator\ventcfg.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\S3tray2.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\WINDOWS\system32\wintask.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\apsi\wtta.exe
C:\WINDOWS\system32\??xplore.exe
C:\Documents and Settings\Owner\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/info/e-center-p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AirCardEnabler] C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi2\Configurator\ventcfg.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\Wireless Network PC Card\WPC11CFG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/co...rolLite_EN.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://208.62.27.145/TSCOM_TOOL/IFTW...S/IFTWCLIX.CAB
O16 - DPF: {6BA1270C-B969-4234-B827-7B3BBB4F5FFC} - http://63.99.207.62/builds//build1539/install.cab
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.trainingclips.com/stream/TSCCinst.cab
O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - http://www.tradestation.com/tscom/Cl...gIn/tsTemp.cab
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Venturi2 Client (Venturi2) - Venturi Wireless - C:\Program Files\Venturi2\Client\ventc.exe

Then I downloaded and unzipped Start Dreck. Double clicking on the startdreck.exe file opened up a window, but it immediately got a "not responding" in Task Manager. Tried it several times, redownloaded and unzipped again. Still the same. |
|
|
|
|
#10 (permalink) |
|
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,625
OS: 2000 Pro; XP Pro; XP Home
|
If possible, use another machine to perform the downloads and communication...as you said, you're getting very infected with malware.....

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.
For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download the free trial version of Trojan Hunter and run it.

Copy these instructions to Notepad. Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):
C:\WINDOWS\system32\wintask.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\Program Files\apsi\wtta.exe
C:\WINDOWS\system32\??xplore.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
VBouncer or VirtualBouncer
AdDestroyer

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/info/e-center-p
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/c...trolLite_EN.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...467&clcid=0x409
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://208.62.27.145/TSCOM_TOOL/IFT...TS/IFTWCLIX.CAB
O16 - DPF: {6BA1270C-B969-4234-B827-7B3BBB4F5FFC} - http://63.99.207.62/builds//build1539/install.cab
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.trainingclips.com/stream/TSCCinst.cab
O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - http://www.tradestation.com/tscom/C...ugIn/tsTemp.cab

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:
C:\WINDOWS\system32\wintask.exe
C:\PROGRA~1\VBouncer\
C:\Program Files\apsi\
C:\WINDOWS\system32\??xplore.exe <<< the first two characters of this file may be anything
C:\WINDOWS\system32\exp.exe
C:\WINDOWS\system32\wintask.exe
C:\Program Files\AdDestroyer\

Restart and run a new HijackThis scan. Save the log file and post it here.

If now possible, please go to at least two of these sites and run an online Virus Scan. Be sure to have the AutoFix box(es) checked.
http://housecall.trendmicro.com/
http://www3.ca.com/virusinfo/virusscan.aspx
http://www.pandasoftware.com/active...n_principal.htm
http://www.bitdefender.com/scan/license.php
http://us.mcafee.com/root/mfs/default.asp
http://security.symantec.com/sscv6/...id=ie&venid=sym

Not sure why StartDreck would crash, I'll have to look into that....if possible, go ahead and run SilentRunners, please also, and post the results here.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.
#11
Registered User
Join Date: Aug 2005
Posts: 14
OS: xp
question
Thanks, Teton. When you say an online scan, what exactly is that? Is that running the scan while "online", or running a scan after you download the scan file and then run it offline? That's where I got reinfected while trying to run Panda (that's why I ask).

I'll do all of the above and call it a night. Will post in the AM but will await your answer before running the last 2 scans. Thanks. What time, if at all, are you here tomorrow?
#12
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,625
OS: 2000 Pro; XP Pro; XP Home
See if you can run the SilentRunners script before performing any online scan, but after performing the rest of the fix posted, and post the results here.
An online scan downloads an ActiveX component and definitions with which to run a scan on your system. I believe Panda will allow you to then continue the scan offline, but you will have to re-connect to obtain the results. I'm here at various times...but we are here 24/7/365....another Analyst will pick up the thread if I am delayed in replying.
#13
Registered User
Join Date: Aug 2005
Posts: 14
OS: xp
HJT log
Did the Trojan Hunter. Found, I think, 9 trojans including vbouncer and addestroyer. Did the Kill Process on HJT and deleted those files. I also did a search and found most of those files in a C:/WINDOWS/PREFETCH folder. Deleted them there as well. Ran a clean HJT and the log is below. I have not run anti-virus programs because I wanted to wait for you to give me an "all clear" to get on the internet to do them. Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 9:17:05 AM, on 8/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\wtta.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Venturi2\Configurator\ventcfg.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\S3tray2.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AirCardEnabler] C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi2\Configurator\ventcfg.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\Wireless Network PC Card\WPC11CFG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Venturi2 Client (Venturi2) - Venturi Wireless - C:\Program Files\Venturi2\Client\ventc.exe
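The analyst's fix list in post #10 and the clean log above are both worked the same way: each HijackThis line is read by its prefix (R0/R1 for IE search settings, O4 for Run keys and Startup folders, O16 for ActiveX downloads, O23 for services), the executable path or URL is pulled out, and it is compared against known-bad paths. The Python below is an added example of that triage step; it is not HijackThis code and not something posted in the thread. The sample log is constructed for the example: it mixes entries from the post #10 fix list with legitimate entries from the clean log, and the file name abxplore.exe is an invented instance of the ??xplore.exe pattern whose first two characters vary. The check that flags O16 entries served from a bare IP address is this example's own heuristic, not a rule the analyst stated.

```python
"""Added example: triage helper for HijackThis-style log lines.
Not HijackThis code and not from the thread; the sample log below is constructed."""
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional

# Paths the analyst listed for removal in post #10. Windows paths are case-insensitive,
# so matching is done lower-cased; fnmatch's '?' covers the "??xplore.exe" entry.
FIX_PATHS = [
    r"C:\WINDOWS\system32\wintask.exe",
    r"C:\PROGRA~1\VBouncer\VirtualBouncer.exe",
    r"C:\Program Files\apsi\wtta.exe",
    r"C:\WINDOWS\system32\??xplore.exe",
    r"C:\WINDOWS\system32\exp.exe",
    r"C:\Program Files\AdDestroyer\AdDestroyer.exe",
]
FIX_URL_HOSTS = {"srch-us4nb.hpwis.com"}   # hijacked IE search/start settings from the same post

# Constructed sample: fix-list entries mixed with legitimate ones from the clean log.
# "abxplore.exe" is an invented instance of the ??xplore.exe pattern.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iexplore] C:\WINDOWS\system32\abxplore.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O16 - DPF: {6BA1270C-B969-4234-B827-7B3BBB4F5FFC} - http://63.99.207.62/builds//build1539/install.cab
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.trainingclips.com/stream/TSCCinst.cab
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# First drive-letter path ending in a binary extension; optional quotes are left out of the group.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|scr|com))"?', re.IGNORECASE)
URL_RE = re.compile(r"https?://(?P<host>[^/\s]+)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Entry:
    kind: str
    body: str
    path: Optional[str] = None
    host: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Split one HJT line into prefix and body, pulling out the first binary path and URL host."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = Entry(m.group("kind"), m.group("body"))
    pm = PATH_RE.search(e.body)
    um = URL_RE.search(e.body)
    e.path = pm.group("path") if pm else None
    e.host = um.group("host").lower() if um else None
    return e


def on_fix_list(path: str, patterns: List[str] = FIX_PATHS) -> bool:
    """Case-insensitive glob match of a full path against the fix list."""
    return any(fnmatchcase(path.lower(), p.lower()) for p in patterns)


def triage(log_text: str, fix_paths=FIX_PATHS, fix_hosts=FIX_URL_HOSTS) -> List[Entry]:
    """Return only the entries that should be 'Fix checked', each with the reason attached."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        if e.path and on_fix_list(e.path, fix_paths):
            e.reasons.append("path is on the fix list")
        if e.host and e.host in fix_hosts:
            e.reasons.append("URL host is on the fix list")
        if e.kind == "O16" and e.host and IPV4_RE.match(e.host):
            # This example's own heuristic: ActiveX .cab pulled from a bare IP, no hostname.
            e.reasons.append("ActiveX codebase served from a bare IP address")
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind}: {e.path or e.host}  <- {'; '.join(e.reasons)}")
```

One caveat worth knowing before reusing the ??xplore.exe pattern: it also matches a file named iexplore.exe if that file sits in C:\WINDOWS\system32, which is intended, because the real Internet Explorer binary lives under C:\Program Files\Internet Explorer and a copy in system32 is exactly the lookalike the analyst was after.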
#14
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,625
OS: 2000 Pro; XP Pro; XP Home
Excellent work! That is looking much better....you can safely delete all files from the Prefetch folder....Windows and legit programs will put them back as needed.

I'd like you to run the SilentRunners script still, to see if there are any programs hidden from HJT, before you go back online.

Right click on http://www.silentrunners.org/Silent%20Runners.vbs and choose Save As...Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post.

Also, run HJT and open the Misc Tools section. Click on Generate Startup List and post the results here.

How is the condition of your system now?
#15
Registered User
Join Date: Aug 2005
Posts: 14
OS: xp
I've been out of the house. Thanks for the reply. I will run Silent Runners. I ran a complete scan using Norton AntiVirus 2005 that's on the laptop. It came up with 18 threats, all were part of Look2Me, AdDestroyer, PurityScan, Virtual Bouncer and Surfsidekick. 17 of them were able to be deleted and I will attempt to delete the last one (wtta.exe) when I boot up in Safe Mode. I will attempt to delete wtta.exe, then run SilentRunner and then run another scan with Norton and post back here. Would like to get it as clean as I can before hooking up for an online scan and risk starting over again. Thanks Tetonbob. Give me 2 hours and I'll post again.
#16
Registered User
Join Date: Aug 2005
Posts: 14
OS: xp
Successfully deleted wtta.exe file when I went to Safe mode. It was in the Prefetch folder. Ran Silent Runners, here's the log. Am running a new Norton scan now.
"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LogitechSoftwareUpdate" = ""C:\Program Files\Logitech\Video\ManifestEngine.exe" boot" ["Logitech Inc."]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["VERITAS Software, Inc."]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"AirCardEnabler" = "C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe" ["Sierra Wireless Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Advanced Tools Check" = "C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"Venturi Configurator" = "C:\Program Files\Venturi2\Configurator\ventcfg.exe" ["Venturi Wireless"]
"LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Logitech Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [null data]
"S3TRAY2" = "S3tray2.exe" ["S3 Graphics, Inc."]
"QT4HPOT" = "C:\PROGRA~1\HPONE-~1\OneTouch.EXE" ["Dritek System Inc."]
"THGuard" = ""C:\Program Files\TrojanHunter 4.2\THGuard.exe"" ["Mischel Internet Security"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["VERITAS Software, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Fact Book 2002\Office\soa800.dll" [MS]
"{4EC26602-4807-40FE-A40F-1A41E4D40C78}" = "Dell Digital Jukebox"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Dell\Dell File Manager\CTDFM.DLL" ["Creative Technology Ltd"]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\stobject.dll" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! wzcnotif\DLLName = "wzcdlg.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Instant Wireless Configuration Utility" -> shortcut to: "C:\Program Files\Linksys\Wireless Network PC Card\WPC11CFG.exe" [file not found]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

Enabled Scheduled Tasks:
------------------------

"ISP signup reminder 1" -> launches: "C:\WINDOWS\System32\OOBE\oobebaln.exe /sys /i /n:1" [MS]
"ISP signup reminder 3" -> launches: "C:\WINDOWS\System32\OOBE\oobebaln.exe /sys /i /n:3" [MS]
"Norton AntiVirus - Scan my computer - Owner" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"RUTASK" -> launches: "C:\WINDOWS\ru.exe" [file not found]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
vlsp.dll ["Venturi Wireless"], 01 - 21, 27
%SystemRoot%\system32\mswsock.dll [MS], 22 - 24, 28 - 47
%SystemRoot%\system32\rsvpsp.dll [MS], 25 - 26

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

C-DillaCdaC11BA, C-DillaCdaC11BA, "C:\WINDOWS\System32\drivers\CDAC11BA.EXE" ["Macrovision"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, "C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]
Venturi2 Client, Venturi2, "C:\Program Files\Venturi2\Client\ventc.exe" ["Venturi Wireless"]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 155 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars took 43 seconds.
---------- (total run time: 248 seconds)
#17
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,625
OS: 2000 Pro; XP Pro; XP Home
Make sure you can view hidden files still, as per the previous instructions.
Search for the following file, and delete it if found (you may not find it):
C:\WINDOWS\ru.exe
If it gives you difficulty, reboot into safe mode and search for and delete it from there. Let us know if it was present on your system, and if you were able to remove it.

I would still like to see the Startup List generated by HJT.

If possible, run StartDreck now. If it doesn't run, don't worry about it, and move on.

Also, let us know what issues your NAV scan found, and the locations of any problematic files, if given. I will wait for your reply with NAV results before posting further instructions. Please wait to post the NAV results until you have performed the instructions I've given here. Then post all results together.

So I need results from: NAV scan, HJT Startup list, presence of ru.exe, StartDreck log if possible, condition of system.
#18
Registered User
Join Date: Aug 2005
Posts: 14
OS: xp
Getting there...(I think...)
Ran TrojanHunter, got more trojans from QDB.100, AdDestroyer and VirtualBouncer. All of them were in System Volume Information/Restore folder. Log is down below. StartDreck crashed again..."Not Responding" in Task Manager with its window open. Search was nil for ru.exe in Normal and Safe modes. Running NAV scan as I type. Will post when complete. Takes about 120 minutes. Also ran HJT Startup and log is down below.
StartupList report, 8/18/2005, 4:09:57 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Owner\My Documents\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Venturi2\Configurator\ventcfg.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\S3tray2.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Venturi2\Client\ventc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\Wireless Network PC Card\WPC11CFG.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

hpsysdrv = c:\windows\system\hpsysdrv.exe
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
AirCardEnabler = C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
Venturi Configurator = C:\Program Files\Venturi2\Configurator\ventcfg.exe
LVCOMSX = C:\WINDOWS\system32\LVCOMSX.EXE
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
S3TRAY2 = S3tray2.exe
QT4HPOT = C:\PROGRA~1\HPONE-~1\OneTouch.EXE
THGuard = "C:\Program Files\TrojanHunter 4.2\THGuard.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

LogitechSoftwareUpdate = "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

ISP signup reminder 1.job
ISP signup reminder 3.job
Norton AntiVirus - Scan my computer - Owner.job
RUTASK.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst0309.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: *Registry key not found*
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 6,601 bytes
Report generated in 0.551 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Registry scan
No suspicious entries found

Inifile scan
No suspicious entries found

Port scan
Port 8000/TCP is open (Matches XConsole.100. Port being used by process ventc.exe/PID 836)

Memory scan
No trojans found in memory

File scan
Found trojan file: C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP511\A0175034.exe (Adware.VirtualBouncer.100)
Found trojan file: C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP511\A0175035.exe (Adware.QDB.100)
Found trojan file: C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP511\A0175036.EXE (Adware.VirtualBouncer.100)
Found trojan file: C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP511\A0175037.dll (Adware.SpywareLabs.AdDestroyer.102)
Found trojan file: C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP511\A0175038.dll (Adware.SpywareLabs.AdDestroyer.102)
Found trojan file: C:\System Volume Information\_restore{0E4BB6DE-EB56-4CFF-8ACD-23F3666BAD33}\RP511\A0175039.dll (Adware.SpywareLabs.AdDestroyer.102)
Found possible trojan file: C:\WINDOWS\system32\wtta.exe (Suspicious: UPX-packed file in Windows System folder)

6 trojan files found
1 possible trojan files found

Thanks Tetonbob...later
#19
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,625
OS: 2000 Pro; XP Pro; XP Home
No worries about the System Volume infections, as we will flush all your restore points and create a new, clean one once we are through. Not that I think you will, but I have to say this due to the location of those last finds:
DO NOT attempt a System Restore unless told to, please, as this may set us back.

HJT says that RUTASK is still on your system, and it is part of this infection. Let's try another way to root it out.

Reboot to safe mode. Go to C:\windows\tasks and have a look. Do you see this task?
RUTASK.job
If you do, delete it. If not, do the following:

Most likely it is invisible and needs to be unhidden. Click Start>run and type cmd to open a command prompt, paste in this command then press enter.
attrib -s -h -r C:\windows\tasks\*.job
Close the command prompt and open the windows\tasks folder. Delete this task:
RUTASK.job

Search for and delete the following files in bold:
ru.exe (possibly C:\Windows or C:\Windows\system32) (it's possible it's not there)
C:\WINDOWS\system32\wtta.exe

Reboot into normal mode and post your results.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Please do not ask for help via Private Message.
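The same cleanup as the steps in post #19 (find the .job files the Scheduler folder hides, unhide them, delete the named one), written as an added PowerShell script that is not from this thread or from TSF; the Tasks folder path and the job name are assumed defaults passed as parameters.

```powershell
# Added example, not from the thread: list every *.job file in the Tasks folder,
# flag the ones carrying Hidden or System attributes (the reason RUTASK.job was
# not visible in Explorer), then clear those attributes and delete the named job.
# This is the scripted form of "attrib -s -h -r C:\windows\tasks\*.job" followed
# by a manual delete. Run from an elevated prompt.
param(
    [string]$TaskDir = (Join-Path $env:windir 'Tasks'),   # assumed default location
    [string]$JobName = 'RUTASK.job'                       # job named in post #19
)

$hiddenOrSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

# -Force makes Get-ChildItem return hidden and system files as well.
$jobs = Get-ChildItem -Path $TaskDir -Filter '*.job' -Force -ErrorAction Stop

foreach ($job in $jobs) {
    # A .job file that the Scheduler itself created is not normally hidden,
    # so Hidden/System on a job file is a persistence indicator worth reviewing.
    if (($job.Attributes -band $hiddenOrSystem) -ne 0) {
        Write-Host ("Hidden/system task file: {0} [{1}]" -f $job.Name, $job.Attributes)
    } else {
        Write-Host ("Visible task file:       {0}" -f $job.Name)
    }
}

$target = Join-Path $TaskDir $JobName
if (Test-Path -LiteralPath $target) {
    $file = Get-Item -LiteralPath $target -Force
    # Equivalent of "attrib -s -h -r": Normal on its own clears S, H, R and A.
    $file.Attributes = [IO.FileAttributes]::Normal
    Remove-Item -LiteralPath $target -Force
    Write-Host "Deleted $target"
} else {
    Write-Host "$JobName not present in $TaskDir"
}
```

Remove-Item -Force would delete a hidden file on its own; the attribute reset is kept so the folder listing matches what the thread asks the user to look at.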
#20
Registered User
Join Date: Aug 2005
Posts: 14
OS: xp
closer
Hi tetonBob... ran NAV scan. It found only wtta.exe and it deleted it after the scan. I then received your post and I then did all you had asked. Found the rutask.job in the tasks folder after booting in Safe and running the cmd prompt as you said. It came unhidden and I deleted it. Then I did a search in safe mode for the 2 files and they were not in the C: drive.
What's next sir....