Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Resolved HJT Threads: Resolved spyware and popup issues.
Old 02-27-2006, 08:53 AM   #1 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 26
OS: 2000


cachecachekit trojan won't go away

Hi there

This is my first post, so bear with me. I have tried Ad-Aware, Spybot, CWShredder and SpywareBlaster. I am running Windows 2000 SP4. AVG keeps showing the rdriv.sys trojan. AVG heals it, but it keeps coming back. I have tried Panda and Eido also. I also ran the Cleanup program.

I am receiving popups for Winfixer2006 and AD-W-A-R-E.com, so I am posting my HijackThis logfile. Hopefully somebody can help me.

Logfile of HijackThis v1.99.1
Scan saved at 8:20:56 AM, on 27/02/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\sistray.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\tj toor\Local Settings\Temporary Internet Files\Content.IE5\6AKODHIY\HijackThis[1].exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\RunServices: [Windows USB 2.0 Driver] cpufanctrl.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1140481177228
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1140853135422
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37610.cab
O20 - Winlogon Notify: Explorer - C:\WINNT\system32\enl6l13s1.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SndDRV (MS Sound Driver) (SndDRV) - Unknown owner - C:\WINNT\system32\snddrv.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: windows kernel 386 (windows kernel) - Unknown owner - C:\WINNT\krnl386.exe (file missing)
O23 - Service: windows manager - Unknown owner - C:\WINNT\schedl.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINNT\services.exe (file missing)


Also, when I go to Control Panel, the Add/Remove Programs icon can't be selected. I can select every other icon in the Control Panel.

Thanks in advance
tjtoor is offline  
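The analyst's reply below picks the VX2 infection out of the log above by eye. As an added example (not part of the thread, and not how HijackThis itself works), the script below applies the same kind of triage mechanically to the O4, O20 and O23 lines: services with no vendor string or a missing image, a core Windows binary name registered outside system32 (the log's `C:\WINNT\services.exe`), a Winlogon Notify DLL that is not a stock package, and autostart entries under RunServices, which NT-family Windows does not process. The sample lines are copied from the first log in this thread; the allowlist of stock Notify DLLs and the set of core binaries are my own assumptions and are not exhaustive.

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the HijackThis log in post #1
# (plus one clean AVG service entry for contrast) so the heuristics run offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Windows USB 2.0 Driver] cpufanctrl.exe
O20 - Winlogon Notify: Explorer - C:\WINNT\system32\enl6l13s1.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: SndDRV (MS Sound Driver) (SndDRV) - Unknown owner - C:\WINNT\system32\snddrv.exe (file missing)
O23 - Service: windows kernel 386 (windows kernel) - Unknown owner - C:\WINNT\krnl386.exe (file missing)
O23 - Service: windows manager - Unknown owner - C:\WINNT\schedl.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINNT\services.exe (file missing)
"""

# Assumption: NT core binaries that only ever live in system32; the same name elsewhere is a masquerade.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
# Assumption: Winlogon Notify DLLs shipped with Windows 2000/XP (illustrative allowlist, not exhaustive).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
                     "wlnotify.dll", "wzcdlg.dll", "wgalogon.dll"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<sub>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")


def triage_line(line: str) -> list[str]:
    """Return the reasons a single HijackThis line deserves a second look (empty list = nothing noted)."""
    reasons: list[str] = []
    if m := O4_RE.match(line):
        if m.group(2).startswith("RunServices"):
            reasons.append("RunServices is a Windows 9x autostart key that NT-family Windows ignores; "
                           "legitimate installers do not write it")
        exe = m.group("cmd").split()[0]
        if "\\" not in exe:
            reasons.append(f"bare executable name {exe!r} with no path (resolved by search order)")
    elif m := O20_RE.match(line):
        dll = PureWindowsPath(m.group("path")).name.lower()
        if dll not in KNOWN_NOTIFY_DLLS:
            reasons.append(f"Winlogon Notify DLL {dll!r} is not a stock notification package")
        if m.group("missing"):
            reasons.append("Notify entry points at a file that no longer exists")
    elif m := O23_RE.match(line):
        path = PureWindowsPath(m.group("path"))
        if m.group("owner") == "Unknown owner":
            reasons.append("service carries no vendor information (Unknown owner)")
        if m.group("missing"):
            reasons.append("service image is missing on disk (orphaned registration)")
        if path.name.lower() in CORE_BINARIES and path.parent.name.lower() != "system32":
            reasons.append(f"{path.name!r} outside system32 ({path.parent}): core binary name masquerade")
    return reasons


def triage(log_text: str) -> dict[str, list[str]]:
    """Map every flagged log line to its list of reasons; clean lines are omitted."""
    findings: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        line = line.rstrip()
        if reasons := triage_line(line):
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print("   ->", reason)
```

Run on the sample, six of the eight lines are flagged and the two AVG entries pass; the `services.exe` hit shows why the image path, not just the service name, has to be compared against where the real binary lives.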
Old 02-27-2006, 09:19 AM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


You have a nasty little assortment of infections there. We'll do this in several steps.

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.downloads.subratam.org/l2mfix.exe
http://www.atribune.org/downloads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process, then start. Do NOT depress any keys on your keyboard until the tool requests you to "press any key to reboot". Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot. Press any key to reboot. After the reboot, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the log does not open double click on it in the l2mfix folder and post that log.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Old 02-27-2006, 07:18 PM   #3 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 26
OS: 2000


l2mfix log

I followed the instructions in your reply. I'm not sure if there was an error. There was a message on a blue screen saying an initialization error had occurred and a restart was needed. I hit the restart button and then it rebooted to the same error screen. So I shut the computer off from behind the tower for a few minutes. Then I restarted the computer and Windows checked drive C first, and then I went to the l2mfix Notepad log. Here it is.

L2mfix 010406
Creating Account.
The command completed successfully.


Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful


TJ

Last edited by tjtoor; 02-27-2006 at 07:19 PM.
tjtoor is offline  
Old 02-27-2006, 08:27 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Hi tjtoor -

It appears as though the L2MFix did not run correctly. Please run Option 2 once again, being sure not to press any keys until it tells you to Press a Key to Reboot.
tetonbob is offline  
Old 02-27-2006, 10:35 PM   #5 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 26
OS: 2000


redid l2Mfix

Quote:
Originally Posted by tetonbob
Hi tjtoor -

It appears as though the L2MFix did not run correctly. Please run Option 2 once again, being sure not to press any keys until it tells you to Press a Key to Reboot.

Here it is!!!!!!!!!!

L2mfix 010406
Creating Account.
The account already exists.


More help is available by typing NET HELPMSG 2224.


Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
adding: backregs/notibac.reg (deflated 85%)
adding: backregs/shell.reg (deflated 75%)
adding: backregs/11E4C27C-999E-4006-8976-09FCEC7FB514.reg (deflated 71%)
adding: backregs/FAB6A526-C7C3-4EDD-87F8-AE13D7459491.reg (deflated 70%)
adding: backregs/3D23A33A-9109-498C-B6BB-BB7E6060C3D9.reg (deflated 70%)
adding: backregs/F70D21CC-D2D1-4D04-8EAD-B53EE3EC02FF.reg (deflated 70%)
adding: backregs/A17B8C11-2C5E-416F-8E6A-DC41C80282A8.reg (deflated 70%)
adding: backregs/BCB71840-8F38-48FB-A0E1-3885E169C519.reg (deflated 70%)
adding: backregs/CB4C718B-496D-49DB-AB7E-FCDF93EE180B.reg (deflated 70%)
adding: backregs/3399A8C0-2F75-4095-8A3E-F39F1D0CB7A5.reg (deflated 70%)
adding: backregs/10EE0301-A21B-47B7-88B7-163EA54C4EAB.reg (deflated 70%)
adding: backregs/ECBE6733-4EFC-477A-9636-51D752646732.reg (deflated 70%)
adding: backregs/74F3B5D1-01A1-478B-AE11-03CA9B417AB5.reg (deflated 70%)
adding: backregs/25C16CB4-CDBF-4B6A-A485-68888EAF019D.reg (deflated 70%)
tjtoor is offline  
Old 02-28-2006, 06:48 AM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


I'm sorry, but that doesn't appear to be the correct log, or the fix did not run properly yet. We're looking for log.txt.

Are you double clicking on l2mfix.bat, then keying in 2?

Try one more time, please...and post a new HJT log as well.
tetonbob is offline  
Old 02-28-2006, 03:33 PM   #7 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 26
OS: 2000


cachecachekit trojan cont.

Hey TETONBOB,

This time the screen went blue and the icons disappeared. Hope this is what you were looking for.






L2mfix 010406
Creating Account.
The command completed successfully.


Adding Administrative privleges.
The command completed successfully.

Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINNT\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 152 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 172 'winlogon.exe'
Killing PID 172 'winlogon.exe'
Error 0x5 : Access is denied.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 948 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 812 'rundll32.exe'
Killing PID 812 'rundll32.exe'
Error 0x6 : The handle is invalid.

Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!


Running From:
C:\WINNT\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 152 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 172 'winlogon.exe'
Killing PID 172 'winlogon.exe'
Error 0x5 : Access is denied.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1184 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 208 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!


Running From:
C:\WINNT\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 148 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 168 'winlogon.exe'
Killing PID 168 'winlogon.exe'
Error 0x5 : Access is denied.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 920 'explorer.exe'
Killing PID 920 'explorer.exe'
Error 0x5 : Access is denied.


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 788 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINNT\system32\djvenum.dll
Successfully Deleted: C:\WINNT\system32\djvenum.dll
Deleting: C:\WINNT\system32\hr8805lue.dll
Successfully Deleted: C:\WINNT\system32\hr8805lue.dll
Deleting: C:\WINNT\system32\hrr8059ue.dll
Successfully Deleted: C:\WINNT\system32\hrr8059ue.dll
Deleting: C:\WINNT\system32\jjbexec.dll
Successfully Deleted: C:\WINNT\system32\jjbexec.dll
Deleting: C:\WINNT\system32\k080lalm1dqa.dll
Successfully Deleted: C:\WINNT\system32\k080lalm1dqa.dll
Deleting: C:\WINNT\system32\o4ro0e93eh.dll
Successfully Deleted: C:\WINNT\system32\o4ro0e93eh.dll
Deleting: C:\WINNT\system32\q686lgls16q6.dll
Successfully Deleted: C:\WINNT\system32\q686lgls16q6.dll
Deleting: C:\WINNT\system32\tJpi3.dll
Successfully Deleted: C:\WINNT\system32\tJpi3.dll
Deleting: C:\WINNT\system32\wvhext.dll
Successfully Deleted: C:\WINNT\system32\wvhext.dll

msg11?.dll
0 file(s) copied.
Desktop.ini sucessfully removed




Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\hrr8059ue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINNT\system32\djvenum.dll
C:\WINNT\system32\hr8805lue.dll
C:\WINNT\system32\hrr8059ue.dll
C:\WINNT\system32\jjbexec.dll
C:\WINNT\system32\k080lalm1dqa.dll
C:\WINNT\system32\o4ro0e93eh.dll
C:\WINNT\system32\q686lgls16q6.dll
C:\WINNT\system32\tJpi3.dll
C:\WINNT\system32\wvhext.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11E4C27C-999E-4006-8976-09FCEC7FB514}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{11E4C27C-999E-4006-8976-09FCEC7FB514}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{11E4C27C-999E-4006-8976-09FCEC7FB514}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{11E4C27C-999E-4006-8976-09FCEC7FB514}\InprocServer32]
@="C:\\WINNT\\system32\\nndsxds.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{FAB6A526-C7C3-4EDD-87F8-AE13D7459491}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FAB6A526-C7C3-4EDD-87F8-AE13D7459491}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FAB6A526-C7C3-4EDD-87F8-AE13D7459491}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{FAB6A526-C7C3-4EDD-87F8-AE13D7459491}\InprocServer32]
@="C:\\WINNT\\system32\\ubib.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3D23A33A-9109-498C-B6BB-BB7E6060C3D9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3D23A33A-9109-498C-B6BB-BB7E6060C3D9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3D23A33A-9109-498C-B6BB-BB7E6060C3D9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3D23A33A-9109-498C-B6BB-BB7E6060C3D9}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F70D21CC-D2D1-4D04-8EAD-B53EE3EC02FF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F70D21CC-D2D1-4D04-8EAD-B53EE3EC02FF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F70D21CC-D2D1-4D04-8EAD-B53EE3EC02FF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F70D21CC-D2D1-4D04-8EAD-B53EE3EC02FF}\InprocServer32]
@="C:\\WINNT\\system32\\pklagent.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{A17B8C11-2C5E-416F-8E6A-DC41C80282A8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A17B8C11-2C5E-416F-8E6A-DC41C80282A8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A17B8C11-2C5E-416F-8E6A-DC41C80282A8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A17B8C11-2C5E-416F-8E6A-DC41C80282A8}\InprocServer32]
@="C:\\WINNT\\system32\\wrnsock.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BCB71840-8F38-48FB-A0E1-3885E169C519}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BCB71840-8F38-48FB-A0E1-3885E169C519}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BCB71840-8F38-48FB-A0E1-3885E169C519}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BCB71840-8F38-48FB-A0E1-3885E169C519}\InprocServer32]
@="C:\\WINNT\\system32\\dfquery.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{CB4C718B-496D-49DB-AB7E-FCDF93EE180B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CB4C718B-496D-49DB-AB7E-FCDF93EE180B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CB4C718B-496D-49DB-AB7E-FCDF93EE180B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{CB4C718B-496D-49DB-AB7E-FCDF93EE180B}\InprocServer32]
@="C:\\WINNT\\system32\\OKBC32GT.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3399A8C0-2F75-4095-8A3E-F39F1D0CB7A5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3399A8C0-2F75-4095-8A3E-F39F1D0CB7A5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3399A8C0-2F75-4095-8A3E-F39F1D0CB7A5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3399A8C0-2F75-4095-8A3E-F39F1D0CB7A5}\InprocServer32]
@="C:\\WINNT\\system32\\RTSAUTO.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{10EE0301-A21B-47B7-88B7-163EA54C4EAB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{10EE0301-A21B-47B7-88B7-163EA54C4EAB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{10EE0301-A21B-47B7-88B7-163EA54C4EAB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{10EE0301-A21B-47B7-88B7-163EA54C4EAB}\InprocServer32]
@="C:\\WINNT\\system32\\jjbexec.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{ECBE6733-4EFC-477A-9636-51D752646732}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ECBE6733-4EFC-477A-9636-51D752646732}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ECBE6733-4EFC-477A-9636-51D752646732}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{ECBE6733-4EFC-477A-9636-51D752646732}\InprocServer32]
@="C:\\WINNT\\system32\\tJpi3.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{74F3B5D1-01A1-478B-AE11-03CA9B417AB5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{74F3B5D1-01A1-478B-AE11-03CA9B417AB5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{74F3B5D1-01A1-478B-AE11-03CA9B417AB5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{74F3B5D1-01A1-478B-AE11-03CA9B417AB5}\InprocServer32]
@="C:\\WINNT\\system32\\GRI32.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{25C16CB4-CDBF-4B6A-A485-68888EAF019D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{25C16CB4-CDBF-4B6A-A485-68888EAF019D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{25C16CB4-CDBF-4B6A-A485-68888EAF019D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{25C16CB4-CDBF-4B6A-A485-68888EAF019D}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D11D1C58-00AA-4E1B-9036-E7F190FFA2EA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D11D1C58-00AA-4E1B-9036-E7F190FFA2EA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D11D1C58-00AA-4E1B-9036-E7F190FFA2EA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D11D1C58-00AA-4E1B-9036-E7F190FFA2EA}\InprocServer32]
@="C:\\WINNT\\system32\\djvenum.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0D2CA2B5-6CCF-4A1D-927D-E481FFED8CB5}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0D2CA2B5-6CCF-4A1D-927D-E481FFED8CB5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0D2CA2B5-6CCF-4A1D-927D-E481FFED8CB5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0D2CA2B5-6CCF-4A1D-927D-E481FFED8CB5}\InprocServer32]
@="C:\\WINNT\\system32\\wvhext.dll"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{D11D1C58-00AA-4E1B-9036-E7F190FFA2EA}"=-
"{0D2CA2B5-6CCF-4A1D-927D-E481FFED8CB5}"=-
[-HKEY_CLASSES_ROOT\CLSID\{D11D1C58-00AA-4E1B-9036-E7F190FFA2EA}]
[-HKEY_CLASSES_ROOT\CLSID\{0D2CA2B5-6CCF-4A1D-927D-E481FFED8CB5}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/djvenum.dll (deflated 5%)
adding: dlls/hr8805lue.dll (deflated 5%)
adding: dlls/hrr8059ue.dll (deflated 5%)
adding: dlls/jjbexec.dll (deflated 5%)
adding: dlls/k080lalm1dqa.dll (deflated 5%)
adding: dlls/o4ro0e93eh.dll (deflated 5%)
adding: dlls/q686lgls16q6.dll (deflated 5%)
adding: dlls/tJpi3.dll (deflated 5%)
adding: dlls/wvhext.dll (deflated 5%)
adding: backregs/notibac.reg (deflated 85%)
adding: backregs/shell.reg (deflated 75%)
adding: backregs/11E4C27C-999E-4006-8976-09FCEC7FB514.reg (deflated 71%)
adding: backregs/FAB6A526-C7C3-4EDD-87F8-AE13D7459491.reg (deflated 70%)
adding: backregs/3D23A33A-9109-498C-B6BB-BB7E6060C3D9.reg (deflated 70%)
adding: backregs/F70D21CC-D2D1-4D04-8EAD-B53EE3EC02FF.reg (deflated 70%)
adding: backregs/A17B8C11-2C5E-416F-8E6A-DC41C80282A8.reg (deflated 70%)
adding: backregs/BCB71840-8F38-48FB-A0E1-3885E169C519.reg (deflated 70%)
adding: backregs/CB4C718B-496D-49DB-AB7E-FCDF93EE180B.reg (deflated 70%)
adding: backregs/3399A8C0-2F75-4095-8A3E-F39F1D0CB7A5.reg (deflated 70%)
adding: backregs/10EE0301-A21B-47B7-88B7-163EA54C4EAB.reg (deflated 70%)
adding: backregs/ECBE6733-4EFC-477A-9636-51D752646732.reg (deflated 70%)
adding: backregs/74F3B5D1-01A1-478B-AE11-03CA9B417AB5.reg (deflated 70%)
adding: backregs/25C16CB4-CDBF-4B6A-A485-68888EAF019D.reg (deflated 70%)
adding: backregs/D11D1C58-00AA-4E1B-9036-E7F190FFA2EA.reg (deflated 70%)
adding: backregs/0D2CA2B5-6CCF-4A1D-927D-E481FFED8CB5.reg (deflated 70%)
tjtoor is offline  
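The log above includes L2mfix's raw export of the Winlogon\Notify key, in which the malicious `Extensions` package is registered by absolute path next to stock packages whose DllName is stored as `hex(2)` (REG_EXPAND_SZ, UTF-16LE bytes split across continuation lines). As an added example, not part of the thread or of L2mfix, the script below parses such a .reg export, decodes both value encodings, and reports packages whose DLL is not a stock notification package. The sample is abridged from the export in this post; the allowlist of stock DLL names is my own assumption and is not exhaustive.

```python
from __future__ import annotations
import re

# Constructed sample: three subkeys abridged from the Winlogon\Notify export in post #7.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\hrr8059ue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Logon"="SensLogonEvent"
"""

# Assumption: Winlogon Notify DLLs shipped with Windows 2000/XP (illustrative allowlist, not exhaustive).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
                     "wlnotify.dll", "wzcdlg.dll", "wgalogon.dll"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<type>\d+)\))?:(?P<bytes>.*)$")


def _join_continuations(text: str) -> list[str]:
    """Regedit wraps long hex values with a trailing backslash; glue those pieces back together."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def decode_value(data: str) -> str:
    """Turn a .reg value payload into a Python string; dword and unknown forms are returned verbatim."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = HEX_RE.match(data)
    if m and m.group("type") in ("2", "7"):  # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
        raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    return data


def parse_notify_export(text: str) -> dict[str, dict[str, str]]:
    """Map each Winlogon\\Notify subkey name to its (lower-cased name -> decoded value) entries."""
    packages: dict[str, dict[str, str]] = {}
    current = None
    for line in _join_continuations(text):
        if km := KEY_RE.match(line):
            key = km.group("key")
            current = packages.setdefault(key.rsplit("\\", 1)[-1], {}) if "\\Winlogon\\Notify\\" in key else None
        elif (vm := VAL_RE.match(line)) and current is not None:
            current[vm.group("name").lower()] = decode_value(vm.group("data"))
    return packages


def suspicious_packages(packages: dict[str, dict[str, str]]) -> dict[str, str]:
    """Subkeys whose DllName is not a stock notification package, with a one-line reason."""
    out = {}
    for sub, values in packages.items():
        dll = values.get("dllname", "")
        base = dll.rsplit("\\", 1)[-1].lower()
        if base not in KNOWN_NOTIFY_DLLS:
            out[sub] = f"{dll}: not a stock Winlogon notification package"
        elif "\\" in dll:
            out[sub] = f"{dll}: stock name but registered by absolute path"
    return out


if __name__ == "__main__":
    for sub, reason in suspicious_packages(parse_notify_export(SAMPLE_REG)).items():
        print(f"{sub}: {reason}")
```

Against the sample only `Extensions` is reported; the `crypt32chain` entry decodes to `crypt32.dll` and passes, which is the point of decoding the hex form rather than matching on the raw bytes.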
Old 02-28-2006, 06:23 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Yes!

That's good.


Now if you'll kindly post a new HJT log, we can address the rdriv.
tetonbob is offline  
Old 02-28-2006, 09:52 PM   #9 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 26
OS: 2000


Hjt log

Quote:
Originally Posted by tetonbob
Yes!

That's good.


Now if you'll kindly post a new HJT log, we can address the rdriv.
Here is the HJT log,

Logfile of HijackThis v1.99.1
Scan saved at 9:49:46 PM, on 28/02/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\System32\sistray.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\schedl.exe
C:\Documents and Settings\tj toor\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [Windows USB 2.0 Driver] cpufanctrl.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1140481177228
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1140853135422
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37610.cab
O20 - Winlogon Notify: Extensions - C:\WINNT\system32\hrr8059ue.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SndDRV (MS Sound Driver) (SndDRV) - Unknown owner - C:\WINNT\system32\snddrv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: windows kernel 386 (windows kernel) - Unknown owner - C:\WINNT\krnl386.exe (file missing)
O23 - Service: windows manager - Unknown owner - C:\WINNT\schedl.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINNT\services.exe (file missing)
Old 02-28-2006, 10:24 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Download CWShredder and run it. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.



Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HijackThis program.

CleanUp.exe - Install.

rdrivRem.zip

Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customized my instructions on the assumption that you are using Notepad; it may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Next, reboot your computer in SafeMode :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Click Start->Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - SndDRV
  2. Double-click on it to open the Properties dialog.
    • Under the General tab, note down the name of "Service name". We shall need it later.
    • Stop the service by using the Stop button.
    • Change the Startup type to Disabled & then click on the OK button
  3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  4. In the popup box that appears, type in "Service name" & then click on the OK button
Repeat steps 1-4 for the following services:
  • windows kernel 386
  • windows manager

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Double-click rdrivRem.zip & run rdrivRem.bat - follow the instructions on the screen.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run Ewido with its updated definitions (it's important that all windows be closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** The Ewido scan will require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you check the last one:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\RunServices: [Windows USB 2.0 Driver] cpufanctrl.exe
O20 - Winlogon Notify: Extensions - C:\WINNT\system32\hrr8059ue.dll (file missing)
O23 - Service: SndDRV (MS Sound Driver) (SndDRV) - Unknown owner - C:\WINNT\system32\snddrv.exe (file missing)
O23 - Service: windows kernel 386 (windows kernel) - Unknown owner - C:\WINNT\krnl386.exe (file missing)
O23 - Service: windows manager - Unknown owner - C:\WINNT\schedl.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINNT\services.exe (file missing)



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Delete the following files/folders if they exist:

C:\Program Files\Network\ipnetwork.exe
C:\WINNT\system32\snddrv.exe
C:\WINNT\krnl386.exe <<<from this location only!
C:\WINNT\schedl.exe
C:\WINNT\services.exe <<<from this location only!



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run CleanUp again, using the previous settings.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =



REBOOT TO NORMAL MODE


Run a new HijackThis scan. Save the log file and post it here.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

In your next post, please include fresh logs from:

Ewido
Kaspersky
HJT


Please provide details of any problems you encountered while performing the above steps & update us on how the computer behaves now.
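The entries tetonbob picks out above follow a few recognisable patterns: O23 services with "Unknown owner" whose binary is missing, binaries that borrow a Windows system file name (services.exe, krnl386.exe) from a directory other than system32 (the "from this location only!" items), a Winlogon Notify hook to a missing DLL, and an O4 startup entry given as a bare file name. The script below is an added example, not code from this thread or from the HijackThis project, that applies those checks to any HJT v1.99 log; the SYSTEM_BINARY_DIRS and KNOWN_BARE_ENTRIES tables are assumptions drawn from this thread's logs, and the sample log is constructed from lines posted above.

```python
"""First-pass triage of HijackThis (v1.99) log lines.

Checks applied (mirroring the manual review in this thread):
  * O23 service with "Unknown owner" whose binary is "(file missing)";
  * O23 binary reusing a Windows system file name from a directory other
    than system32 (the "from this location only!" entries);
  * O20 Winlogon Notify DLL whose file is missing;
  * O4 startup entry given as a bare file name instead of a full path.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath
from typing import List, Tuple

# Assumption: where these file names legitimately live on Windows 2000.
SYSTEM_BINARY_DIRS = {"services.exe": "system32", "krnl386.exe": "system32"}
# Assumption: Windows components that appear without a path in this log.
KNOWN_BARE_ENTRIES = {"mobsync.exe", "internat.exe"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

Finding = Tuple[str, str, str]  # (severity, reason, original log line)


def triage_line(line: str) -> List[Finding]:
    """Return the findings for one HJT log line (empty list if unremarkable)."""
    findings: List[Finding] = []
    m = O23_RE.match(line)
    if m:
        path = PureWindowsPath(m["path"])
        if m["owner"] == "Unknown owner":
            if m["missing"]:
                findings.append(("high", "orphaned service: unknown owner, binary missing", line))
            else:
                findings.append(("medium", "service with unknown owner: verify the binary", line))
        # A system file name outside its home directory is the classic masquerade.
        expected = SYSTEM_BINARY_DIRS.get(path.name.lower())
        if expected and path.parent.name.lower() != expected:
            findings.append(("high", f"{path.name} outside {expected}: likely masquerade", line))
        return findings
    m = O20_RE.match(line)
    if m and m["missing"]:
        findings.append(("high", "Winlogon Notify hook to a missing DLL", line))
        return findings
    m = O4_RE.match(line)
    if m and not DRIVE_PATH_RE.match(m["cmd"]):
        # Bare name: the loader resolves it via the search path, so locate it.
        exe = m["cmd"].split()[0].lower()
        if exe not in KNOWN_BARE_ENTRIES:
            findings.append(("low", f"startup entry without a full path: locate {exe}", line))
    return findings


def triage_log(text: str) -> List[Finding]:
    """Triage every line of an HJT log, most severe findings first (stable order)."""
    findings = [f for line in text.splitlines() for f in triage_line(line.strip())]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


# Constructed sample: a subset of the entries posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\RunServices: [Windows USB 2.0 Driver] cpufanctrl.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O20 - Winlogon Notify: Extensions - C:\WINNT\system32\hrr8059ue.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: SndDRV (MS Sound Driver) (SndDRV) - Unknown owner - C:\WINNT\system32\snddrv.exe (file missing)
O23 - Service: windows kernel 386 (windows kernel) - Unknown owner - C:\WINNT\krnl386.exe (file missing)
O23 - Service: windows manager - Unknown owner - C:\WINNT\schedl.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINNT\services.exe (file missing)
"""

if __name__ == "__main__":
    for severity, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

The legitimate AVG service and the Windows bare-name entries produce no findings, so the output is the same short list of entries the fix above tells the user to check.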
Old 03-01-2006, 03:48 PM   #11 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 26
OS: 2000


Quote:
Originally Posted by tetonbob
Download CWShredder and run it. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.



Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HijackThis program.

CleanUp.exe - Install.

rdrivRem.zip

Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customized my instructions on the assumption that you are using Notepad; it may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Next, reboot your computer in SafeMode :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Click Start->Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - SndDRV
  2. Double-click on it to open the Properties dialog.
    • Under the General tab, note down the name of "Service name". We shall need it later.
    • Stop the service by using the Stop button.
    • Change the Startup type to Disabled & then click on the OK button
  3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  4. In the popup box that appears, type in "Service name" & then click on the OK button
Repeat steps 1-4 for the following services:
  • windows kernel 386
  • windows manager

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Double-click rdrivRem.zip & run rdrivRem.bat - follow the instructions on the screen.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run Ewido with its updated definitions (it's important that all windows be closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** The Ewido scan will require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you check the last one:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\RunServices: [Windows USB 2.0 Driver] cpufanctrl.exe
O20 - Winlogon Notify: Extensions - C:\WINNT\system32\hrr8059ue.dll (file missing)
O23 - Service: SndDRV (MS Sound Driver) (SndDRV) - Unknown owner - C:\WINNT\system32\snddrv.exe (file missing)
O23 - Service: windows kernel 386 (windows kernel) - Unknown owner - C:\WINNT\krnl386.exe (file missing)
O23 - Service: windows manager - Unknown owner - C:\WINNT\schedl.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINNT\services.exe (file missing)



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Delete the following files/folders if they exist:

C:\Program Files\Network\ipnetwork.exe
C:\WINNT\system32\snddrv.exe
C:\WINNT\krnl386.exe <<<from this location only!
C:\WINNT\schedl.exe
C:\WINNT\services.exe <<<from this location only!



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Run CleanUp again, using the previous settings.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =



REBOOT TO NORMAL MODE


Run a new HijackThis scan. Save the log file and post it here.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

In your next post, please include fresh logs from:

Ewido
Kaspersky
HJT


Please provide details of any problems you encountered while performing the above steps & update us on how the computer behaves now.

Hi there,

I completed all the steps word for word. One thing though: in Notepad, one of the virus removal instructions didn't fit the page. After running HijackThis in Safe Mode, O23 Service: Microsoft Windows Update Service...C:\WINNT\services.exe was not deleted. I could only see up to "Update Service" on the page.

Logfile of HijackThis v1.99.1
Scan saved at 3:32:40 PM, on 01/03/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\tj toor\My Documents\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\sistray.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINNT\system32\notepad.exe
C:\Documents and Settings\tj toor\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1140481177228
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1140853135422
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37610.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\tj toor\My Documents\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINNT\services.exe (file missing)
Old 03-01-2006, 04:01 PM   #12 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 26
OS: 2000


Kaspersky online scanner problem

Me again,

When I click the link from your post for the online scanner, the agreement page shows up but there is no slider on the right hand of the screen. I can't scroll down to hit agree/disagree. I have tried it a few times. I don't have a wheel mouse.

TJ
Old 03-01-2006, 04:30 PM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Where is the Ewido Log please?

What are your desktop display resolution settings? There is no scroll bar on the popup window for Kaspersky. Set your desktop display to a minimum of 800 x 600; 1024 x 768 is better.

For now, do this:

Click Start->Run - type SERVICES.MSC & then click on the OK button
  • Locate the service - Microsoft Windows Update Service
  • Double-click on it to open the Properties dialog.
  • Under the General tab, stop the service by using the Stop button.
  • Change the Startup type to Disabled & then click on the OK button
  • Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  • In the popup box that appears, copy/paste Windows Update Service, then click on the OK button

  • Double click on HijackThis.exe to run it.
  • Click on Open the Misc Tools section
  • Click the button labelled "Delete A File on Reboot..."
  • In the dialogue that shows up, enter the path (type, or copy and paste) of the file in the "File name:" field: C:\WINNT\services.exe
  • When you have selected the file, click the "Open" button
  • Click yes at the next prompt and your system will reboot.

Try again to run the Kaspersky online scan...if that one doesn't work, try this one....


TrendMicro™ HouseCall Java Scan
  • Please go HERE to run the scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes, I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.

Run a new scan with HJT, save the log and post it here.

Post results from:

Ewido
Online scan
HJT
Old 03-01-2006, 05:57 PM   #14 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 26
OS: 2000


Ewido, HJT and Kaspersky logs

Quote:
Originally Posted by tetonbob
Where is the Ewido Log please?

What are your desktop display resolution settings? There is no scroll bar on the popup window for Kaspersky. Set your desktop display to a minimum of 800 x 600; 1024 x 768 is better.

For now, do this:

Click Start->Run - type SERVICES.MSC & then click on the OK button
  • Locate the service - Microsoft Windows Update Service
  • Double-click on it to open the Properties dialog.
  • Under the General tab, stop the service by using the Stop button.
  • Change the Startup type to Disabled & then click on the OK button
  • Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  • In the popup box that appears, copy/paste Windows Update Service, then click on the OK button

  • Double click on HijackThis.exe to run it.
  • Click on Open the Misc Tools section
  • Click the button labelled "Delete A File on Reboot..."
  • In the dialogue that shows up, enter the path (type, or copy and paste) of the file in the "File name:" field: C:\WINNT\services.exe
  • When you have selected the file, click the "Open" button
  • Click yes at the next prompt and your system will reboot.

Try again to run the Kaspersky online scan...if that one doesn't work, try this one....


TrendMicro™ HouseCall Java Scan
  • Please go HERE to run the scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes, I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.

Run a new scan with HJT, save the log and post it here.

Post results from:

Ewido
Online scan
HJT


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:51:03 PM, 01/03/2006
+ Report-Checksum: 326401A4

+ Scan result:

C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip/dlls/djvenum.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip/dlls/hr8805lue.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip/dlls/hrr8059ue.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip/dlls/jjbexec.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip/dlls/k080lalm1dqa.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip/dlls/o4ro0e93eh.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip/dlls/q686lgls16q6.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip/dlls/tJpi3.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip/dlls/wvhext.dll -> Adware.Look2Me : Error during cleaning


::Report End


HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 5:53:37 PM, on 01/03/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\tj toor\My Documents\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\sistray.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\tj toor\Desktop\HijackThis.exe
C:\Documents and Settings\tj toor\My Documents\ewido anti-malware\SecuritySuite.exe
C:\WINNT\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1140481177228
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1140853135422
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37610.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\tj toor\My Documents\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe




-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, March 01, 2006 17:34:28
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 2/03/2006
Kaspersky Anti-Virus database records: 179552
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 16027
Number of viruses found: 7
Number of infected objects: 23
Number of suspicious objects: 0
Duration of the scan process: 1304 sec

Infected Object Name - Virus Name
C:\Program Files\InetGet2\installer_ADPERFORM.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.ai
C:\Program Files\InetGet2\installer_ADPERFORM.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.ai
C:\Program Files\InetGet2\installer_ADPERFORM.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.ai
C:\WINNT\system32\fwpxwb.exe Infected: Backdoor.Win32.IRCBot.fv
C:\WINNT\pf78.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw
C:\WINNT\pf78.exe/data0003 Infected: Trojan.Win32.VB.tg
C:\WINNT\pf78.exe/data0006 Infected: Trojan.Win32.VB.tg
C:\WINNT\pf78.exe/data0007 Infected: Trojan.Win32.VB.tg
C:\WINNT\pf78.exe Infected: Trojan.Win32.VB.tg
C:\WINNT\inst_adperform.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.ai
C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip/dlls/djvenum.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip/dlls/hr8805lue.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip/dlls/hrr8059ue.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip/dlls/jjbexec.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip/dlls/k080lalm1dqa.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip/dlls/o4ro0e93eh.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip/dlls/q686lgls16q6.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip/dlls/tJpi3.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip/dlls/wvhext.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\xcvf.exe Infected: Trojan-Downloader.Win32.Adload.s
C:\DR21206.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf
C:\DR21206.exe Infected: Trojan-Clicker.Win32.Small.jf

Scan process completed.
Old 03-01-2006, 06:36 PM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


Hi TJ -

We're making progress...good work. Before we continue cleaning, please do this:

Create an uninstall list:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Open Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the List from the notepad file into your post
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Old 03-01-2006, 10:19 PM   #16 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 26
OS: 2000


uninstall list

Quote:
Originally Posted by tetonbob
Hi TJ -

We're making progress...good work. Before we continue cleaning, please do this:

Create an uninstall list:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Open Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the List from the notepad file into your post

Ad-Aware SE Personal
AVG Free Edition
CleanUp!
driver folder
ewido anti-malware
HijackThis 1.99.1
Kaspersky On-line Scanner
Lavasoft VX2 Cleaner
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Flash Player 8
QuickTime
SiS 900 PCI Fast Ethernet Adapter Driver
SiS Audio Driver
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SpywareGuard v2.2
Windows 2000 Hotfix - KB912919
Windows 2000 Service Pack 4
WinZip
ZoneAlarm

Thanks for all the help so far, I don't get any popups anymore. Sometimes when I scroll down the page, the page gets blurry. The writing is half missing on the page. I have to hit refresh and then it clears up. Would this be a video card prob or virus related?

TJ
Old 03-01-2006, 10:41 PM   #17 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


That sounds more like a video card issue....let's solve this out first.

Start HijackThis & Go to Config> Misc Tools > Open ADS Spy
  1. Checkmark/tick - Ignore Safe System Info Streams
  2. Click Scan
  3. When it has finished scanning, checkmark/tick all that it found
  4. Click Remove Selected


Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Delete the following Files/Folders if they exist:

C:\Program Files\InetGet2
C:\WINNT\system32\fwpxwb.exe
C:\WINNT\pf78.exe
C:\WINNT\inst_adperform.exe
C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip/dlls
C:\xcvf.exe
C:\DR21206.exe


If they resist deletion, boot to safe mode and delete from there.

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*Turn off the real time scanner of any existing antivirus program while performing the online scan


Post a new HJT log as well, please.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
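The file list above was built by hand from the Kaspersky report: archive-member hits such as `pf78.exe/data0002` all point at one file on disk, and the "not-a-virus:" adware hits are lower priority than the backdoor and trojan hits. Here is that reduction as an added Python example (not code from the thread, HijackThis, Kaspersky or Panda); the sample report lines are constructed in the two formats posted in this thread.

```python
import re

# Constructed sample lines (an added example, not the thread's own reports) in the two
# formats posted in this thread: Kaspersky "<object> Infected: <name>" and
# Panda "<kind>:<name> <status> <object>".
KASPERSKY_SAMPLE = r"""
C:\Program Files\InetGet2\installer_ADPERFORM.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.ai
C:\Program Files\InetGet2\installer_ADPERFORM.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.ai
C:\WINNT\system32\fwpxwb.exe Infected: Backdoor.Win32.IRCBot.fv
C:\WINNT\pf78.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw
C:\WINNT\pf78.exe Infected: Trojan.Win32.VB.tg
"""
PANDA_SAMPLE = r"""
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip[djvenum.dll]
Spyware:Cookie/go Not disinfected C:\Documents and Settings\tj toor\Cookies\tj toor@go[1].txt
"""

KASPERSKY_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<det>\S+)$")
PANDA_RE = re.compile(r"^(?P<kind>[^:]+):(?P<det>\S+) (?P<status>.+?) (?P<obj>[A-Za-z]:\\.*)$")
ADWARE_KINDS = {"Adware", "Spyware", "Potentially unwanted tool"}


def host_path(obj, scanner):
    """Collapse an archive-member object name to the file that actually exists on disk."""
    if scanner == "kaspersky":
        # Kaspersky appends members with '/', which never occurs in a Windows path.
        return obj.split("/", 1)[0]
    # Panda appends members as a trailing [name]; a cookie file such as "go[1].txt"
    # ends in ".txt", so the end-anchored pattern leaves it untouched.
    return re.sub(r"\[[^\]]*\]$", "", obj)


def parse_reports(kaspersky_text, panda_text):
    """Return {host_path: {"class": "malware"|"adware", "detections": set, "hits": int}}."""
    findings = {}

    def record(path, det, cls):
        entry = findings.setdefault(path, {"class": "adware", "detections": set(), "hits": 0})
        entry["detections"].add(det)
        entry["hits"] += 1
        if cls == "malware":  # a real malware hit outranks an adware hit on the same file
            entry["class"] = "malware"

    for line in kaspersky_text.splitlines():
        m = KASPERSKY_RE.match(line.strip())
        if m:
            det = m.group("det")
            record(host_path(m.group("obj"), "kaspersky"), det,
                   "adware" if det.startswith("not-a-virus:") else "malware")
    for line in panda_text.splitlines():
        m = PANDA_RE.match(line.strip())
        if m:
            cls = "adware" if m.group("kind") in ADWARE_KINDS else "malware"
            record(host_path(m.group("obj"), "panda"), m.group("det"), cls)
    return findings


def deletion_candidates(findings):
    """Files to remove by hand, malware first; tracking cookies are left to the browser."""
    paths = [p for p in findings if "\\Cookies\\" not in p]
    return sorted(paths, key=lambda p: (findings[p]["class"] != "malware", p.lower()))
```

Running `deletion_candidates(parse_reports(KASPERSKY_SAMPLE, PANDA_SAMPLE))` yields four host paths with the two malware files first, which is the shape of the list posted above.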
Old 03-01-2006, 11:14 PM   #18 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 26
OS: 2000


problem with HJT scan

Quote:
Originally Posted by tetonbob
That sounds more like a video card issue....let's solve this out first.

Start HijackThis & Go to Config> Misc Tools > Open ADS Spy
  1. Checkmark/tick - Ignore Safe System Info Streams
  2. Click Scan
  3. When it has finished scanning, checkmark/tick all that it found
  4. Click Remove Selected


Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Delete the following Files/Folders if they exist:

C:\Program Files\InetGet2
C:\WINNT\system32\fwpxwb.exe
C:\WINNT\pf78.exe
C:\WINNT\inst_adperform.exe
C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip/dlls
C:\xcvf.exe
C:\DR21206.exe


If they resist deletion, boot to safe mode and delete from there.

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*Turn off the real time scanner of any existing antivirus program while performing the online scan


Post a new HJT log as well, please.


After opening ADS spy and clicking scan, I get an error "Alternate Data Streams(ADS)are only possible on NTFS systems"

TJ
Old 03-02-2006, 07:18 AM   #19 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,574
OS: 2000 Pro; XP Pro; XP Home


There's really no need to continually quote the replies I've posted.

Ignore that part of the fix, and carry on, please.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Old 03-02-2006, 08:01 AM   #20 (permalink)
Registered User
 
Join Date: Feb 2006
Posts: 26
OS: 2000


Here is the Panda Scan log report.


Incident Status Location

Spyware:Cookie/go Not disinfected C:\WINDOWS\Cookies\anyuser@go[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\tj toor\My Documents\l2mfix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\tj toor\Desktop\l2mfix.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\tj toor\Desktop\l2mfix\Process.exe
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip[djvenum.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip[hr8805lue.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip[hrr8059ue.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip[jjbexec.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip[k080lalm1dqa.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip[o4ro0e93eh.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip[q686lgls16q6.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip[tJpi3.dll]
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\tj toor\Desktop\l2mfix\backup.zip[wvhext.dll]
Spyware:Cookie/go Not disinfected C:\Documents and Settings\tj toor\Cookies\tj toor@go[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\tj toor\Cookies\tj toor@ad.yieldmanager[2].txt
HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 7:59:19 AM, on 02/03/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\tj toor\My Documents\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\sistray.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\tj toor\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1140481177228
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1140853135422
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37610.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\tj toor\My Documents\ewido anti-malware\ewidoctrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe


I deleted the files from your post by clicking Start > Search > Files and folders. Sorry, I didn't know about the quick reply option.

TJ

Last edited by tjtoor; 03-02-2006 at 08:03 AM.