HJT Analyser Log not very long but still having problems??
Old 12-21-2004, 06:07 AM   #1
Registered Member
 
Join Date: Dec 2004
Posts: 25
OS: XP



I used the guidelines in the sticky and used the HJT Analyser program to create the following log. It is not very long, so I read the post by Microbell in this thread https://www.techsupportforum.com/showthread.php?t=27060 and followed procedures 1 to 5 using kill2me, pv, vx2finder, etc. and also came up with another set of logs. I am copying them at the bottom of the HJT Analyser Log. Please help.

===========================================================================================================================
Log was analyzed using HijackThis Analyzer - Updated on 12/17/04
Get updates at https://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




Logfile of HijackThis v1.99.0
Scan saved at 12:36:12, on 21/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Software\Avant\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - https://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab


End of HijackThis Analyzer Log.
===========================================================================================================================




OPTION 3

Module information for 'rundll32.exe'
MODULE BASE SIZE PATH
rundll32.exe 1000000 40960 C:\WINDOWS\system32\rundll32.exe 5.1.2600.0 (xpclient.010817-1148) Run a DLL as an App
ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.0 (xpclient.010817-1148) NT Layer DLL
kernel32.dll 77e60000 937984 C:\WINDOWS\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL
GDI32.dll 77c70000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.0 (xpclient.010817-1148) GDI Client DLL
USER32.dll 77d40000 577536 C:\WINDOWS\system32\USER32.dll 5.1.2600.0 (xpclient.010817-1148) Windows XP USER API Client DLL
ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API
RPCRT4.dll 77cc0000 479232 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.0 (XPClient.010817-1148) Remote Procedure Call Runtime
IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.0 (XPClient.010817-1148) Windows NT Image Helper
ijxwan.dll 10000000 479232 C:\WINDOWS\system32\ijxwan.dll
COMCTL32.dll 77340000 569344 C:\WINDOWS\system32\COMCTL32.dll 5.82 (xpclient.010817-1148) Common Controls Library
comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2600.0000 (xpclient.010817-1148) Common Dialogs DLL
SHLWAPI.dll 772d0000 405504 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Light-weight Utility Library
SHELL32.dll 773d0000 8339456 C:\WINDOWS\system32\SHELL32.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Shell Common Dll
CRYPT32.dll 762c0000 565248 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.0 (xpclient.010817-1148) Crypto API32
MSASN1.dll 762a0000 61440 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.0 (XPClient.010817-1148) ASN.1 Runtime APIs
ole32.dll 771b0000 1155072 C:\WINDOWS\system32\ole32.dll 5.1.2600.0 (XPClient.010817-1148) Microsoft OLE for Windows
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
oledlg.dll 74d30000 131072 C:\WINDOWS\system32\oledlg.dll 1.0 (XPClient.010817-1148) Microsoft Windows(TM) OLE 2.0 User Interface Support
PSAPI.DLL 76bf0000 45056 C:\WINDOWS\system32\PSAPI.DLL 5.1.2600.0 (XPClient.010817-1148) Process Status Helper
urlmon.dll 760f0000 491520 C:\WINDOWS\system32\urlmon.dll 6.00.2600.0000 (xpclient.010817-1148) OLE32 Extensions for Win32
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
USERENV.dll 75a70000 667648 C:\WINDOWS\system32\USERENV.dll 5.1.2600.0 (xpclient.010817-1148) Userenv
WININET.dll 76200000 618496 C:\WINDOWS\system32\WININET.dll 6.00.2600.0000 (xpclient.010817-1148) Internet Extensions for Win32
WINSPOOL.DRV 73000000 143360 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.0 (XPClient.010817-1148) Windows Spooler Driver
WS2_32.dll 71ab0000 86016 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library
uxtheme.dll 5ad70000 212992 C:\WINDOWS\system32\uxtheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library
Secur32.dll 76f90000 65536 C:\WINDOWS\system32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface
RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\system32\RASAPI32.DLL 5.1.2600.0 (xpclient.010817-1148) Remote Access API
rasman.dll 76e90000 69632 C:\WINDOWS\system32\rasman.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access Connection Manager
NETAPI32.dll 71c20000 323584 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Net Win32 API DLL
TAPI32.dll 76eb0000 172032 C:\WINDOWS\system32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Windows(TM) Telephony API Client DLL
rtutils.dll 76e80000 53248 C:\WINDOWS\system32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
WINMM.dll 76b40000 180224 C:\WINDOWS\system32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL
serwvdrv.dll 5cd70000 28672 C:\WINDOWS\system32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Serial Wave driver
umdmxfrm.dll 5b0a0000 28672 C:\WINDOWS\system32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module
sensapi.dll 722b0000 20480 C:\WINDOWS\system32\sensapi.dll 5.1.2600.0 (XPClient.010817-1148) SENS Connectivity API DLL
mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
DNSAPI.dll 76f20000 151552 C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-1148) DNS Client API DLL
winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL
rasadhlp.dll 76fc0000 20480 C:\WINDOWS\system32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper



OPTION 5

Module information for 'winlogon.exe'
MODULE BASE SIZE PATH
winlogon.exe 1000000 450560 C:\WINDOWS\system32\winlogon.exe 5.1.2600.0 (xpclient.010817-1148) Windows NT Logon Application
ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.0 (xpclient.010817-1148) NT Layer DLL
kernel32.dll 77e60000 937984 C:\WINDOWS\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API
RPCRT4.dll 77cc0000 479232 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.0 (XPClient.010817-1148) Remote Procedure Call Runtime
AUTHZ.dll 76cc0000 65536 C:\WINDOWS\system32\AUTHZ.dll 5.1.2600.0 (xpclient.010817-1148) Authorization Framework
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL
CRYPT32.dll 762c0000 565248 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.0 (xpclient.010817-1148) Crypto API32
USER32.dll 77d40000 577536 C:\WINDOWS\system32\USER32.dll 5.1.2600.0 (xpclient.010817-1148) Windows XP USER API Client DLL
GDI32.dll 77c70000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.0 (xpclient.010817-1148) GDI Client DLL
MSASN1.dll 762a0000 61440 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.0 (XPClient.010817-1148) ASN.1 Runtime APIs
NDdeApi.dll 75940000 28672 C:\WINDOWS\system32\NDdeApi.dll 5.1.2600.0 (xpclient.010817-1148) Network DDE Share Management APIs
PROFMAP.dll 75930000 40960 C:\WINDOWS\system32\PROFMAP.dll 5.1.2600.0 (xpclient.010817-1148) Userenv
NETAPI32.dll 71c20000 323584 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Net Win32 API DLL
USERENV.dll 75a70000 667648 C:\WINDOWS\system32\USERENV.dll 5.1.2600.0 (xpclient.010817-1148) Userenv
PSAPI.DLL 76bf0000 45056 C:\WINDOWS\system32\PSAPI.DLL 5.1.2600.0 (XPClient.010817-1148) Process Status Helper
REGAPI.dll 76bc0000 57344 C:\WINDOWS\system32\REGAPI.dll 5.1.2600.0 (xpclient.010817-1148) Registry Configuration APIs
Secur32.dll 76f90000 65536 C:\WINDOWS\system32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface
SETUPAPI.dll 76670000 933888 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows Setup API
sfc_os.dll 76c60000 167936 C:\WINDOWS\system32\sfc_os.dll 5.1.2600.0 (xpclient.010817-1148) Windows File Protection
WINTRUST.dll 76c30000 176128 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
ole32.dll 771b0000 1155072 C:\WINDOWS\system32\ole32.dll 5.1.2600.0 (XPClient.010817-1148) Microsoft OLE for Windows
IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.0 (XPClient.010817-1148) Windows NT Image Helper
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
WINSTA.dll 76360000 61440 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.0 (xpclient.010817-1148) Winstation Library
WS2_32.dll 71ab0000 86016 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
MSGINA.dll 75970000 987136 C:\WINDOWS\system32\MSGINA.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT Logon GINA DLL
SHELL32.dll 773d0000 8339456 C:\WINDOWS\system32\SHELL32.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Shell Common Dll
SHLWAPI.dll 772d0000 405504 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Light-weight Utility Library
COMCTL32.dll 77340000 569344 C:\WINDOWS\system32\COMCTL32.dll 5.82 (xpclient.010817-1148) Common Controls Library
ODBC32.dll 1f7b0000 200704 C:\WINDOWS\system32\ODBC32.dll 3.520.7713.0 Microsoft Data Access - ODBC Driver Manager
comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2600.0000 (xpclient.010817-1148) Common Dialogs DLL
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library
odbcint.dll 1f850000 90112 C:\WINDOWS\system32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC Resources
SHSVCS.dll 76bd0000 122880 C:\WINDOWS\system32\SHSVCS.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Shell Services Dll
sfc.dll 76bb0000 16384 C:\WINDOWS\system32\sfc.dll 5.1.2600.0 (xpclient.010817-1148) Windows File Protection
WINSCARD.DLL 723d0000 106496 C:\WINDOWS\system32\WINSCARD.DLL 5.1.2600.0 (xpclient.010817-1148) Microsoft Smart Card API
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Terminal Server SDK APIs
uxtheme.dll 5ad70000 212992 C:\WINDOWS\system32\uxtheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library
WINMM.dll 76b40000 180224 C:\WINDOWS\system32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL
serwvdrv.dll 5cd70000 28672 C:\WINDOWS\system32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Serial Wave driver
umdmxfrm.dll 5b0a0000 28672 C:\WINDOWS\system32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module
cscdll.dll 76600000 110592 C:\WINDOWS\system32\cscdll.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
WlNotify.dll 75950000 102400 C:\WINDOWS\system32\WlNotify.dll 5.1.2600.0 (XPClient.010817-1148) Common DLL to receive Winlogon notifications
WINSPOOL.DRV 73000000 143360 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.0 (XPClient.010817-1148) Windows Spooler Driver
MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
rsaenh.dll ffd0000 139264 C:\WINDOWS\System32\rsaenh.dll 5.1.2518.0 (main.010714-2114) Microsoft Base Cryptographic Provider
msv1_0.dll 76d10000 118784 C:\WINDOWS\system32\msv1_0.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Authentication Package v1.0
sxs.dll 75e90000 659456 C:\WINDOWS\system32\sxs.dll 5.1.2600.0 (xpclient.010817-1148) Fusion 2.5
wldap32.dll 76f60000 180224 C:\WINDOWS\system32\wldap32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL
SAMLIB.dll 71bf0000 69632 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.0 (xpclient.010817-1148) SAM Library DLL
azaol1931.dll 10000000 479232 C:\WINDOWS\system32\azaol1931.dll
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
oledlg.dll 74d30000 131072 C:\WINDOWS\system32\oledlg.dll 1.0 (XPClient.010817-1148) Microsoft Windows(TM) OLE 2.0 User Interface Support
urlmon.dll 760f0000 491520 C:\WINDOWS\system32\urlmon.dll 6.00.2600.0000 (xpclient.010817-1148) OLE32 Extensions for Win32
WININET.dll 76200000 618496 C:\WINDOWS\system32\WININET.dll 6.00.2600.0000 (xpclient.010817-1148) Internet Extensions for Win32
cscui.dll 76620000 319488 C:\WINDOWS\system32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Client Side Caching UI
RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\system32\RASAPI32.DLL 5.1.2600.0 (xpclient.010817-1148) Remote Access API
rasman.dll 76e90000 69632 C:\WINDOWS\system32\rasman.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access Connection Manager
TAPI32.dll 76eb0000 172032 C:\WINDOWS\system32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Windows(TM) Telephony API Client DLL
rtutils.dll 76e80000 53248 C:\WINDOWS\system32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
DNSAPI.dll 76f20000 151552 C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-1148) DNS Client API DLL
iphlpapi.dll 76d60000 86016 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2 (xpclient.010817-1148) IP Helper API
netman.dll 76de0000 155648 C:\WINDOWS\system32\netman.dll 5.1.2600.0 (xpclient.010817-1148) Network Connections Manager
MPRAPI.dll 76d40000 90112 C:\WINDOWS\system32\MPRAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT MP Router Administration DLL
ACTIVEDS.dll 76e40000 192512 C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) ADs Router Layer DLL
adsldpc.dll 76e10000 147456 C:\WINDOWS\system32\adsldpc.dll 5.1.2600.0 (xpclient.010817-1148) ADs LDAP Provider C DLL
ATL.DLL 76b20000 86016 C:\WINDOWS\system32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)
WZCSvc.DLL 76da0000 196608 C:\WINDOWS\system32\WZCSvc.DLL 5.1.2600.0 (xpclient.010817-1148) Wireless Zero Configuration Service
WMI.dll 76d30000 16384 C:\WINDOWS\system32\WMI.dll 5.1.2600.0 (XPClient.010817-1148) WMI DC and DP functionality
DHCPCSVC.DLL 76d80000 106496 C:\WINDOWS\system32\DHCPCSVC.DLL 5.1.2600.0 (xpclient.010817-1148) DHCP Client Service
winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
rasadhlp.dll 76fc0000 20480 C:\WINDOWS\system32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.42
CLBCATQ.DLL 76fd0000 491520 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.42
NTMARTA.DLL 76ce0000 126976 C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.0 (xpclient.010817-1148) Windows NT MARTA provider
wdmaud.drv 72d20000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77be0000 81920 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
midimap.dll 77bd0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
Apphelp.dll 75f40000 118784 C:\WINDOWS\system32\Apphelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library


Notify.txt

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\azaol1931.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001



VX2 Finder

Files Found---

Additional Files---

Keys Under Notify---crypt32chain
Keys Under Notify---cryptnet
Keys Under Notify---cscdll
Keys Under Notify---ModuleUsage
Keys Under Notify---ScCertProp
Keys Under Notify---Schedule
Keys Under Notify---sclgntfy
Keys Under Notify---SensLogn
Keys Under Notify---termsrv
Keys Under Notify---wlballoon


Guardian Key--- is called:

User Agent String---
{38A42928-58EC-4C7A-9B7C-16DD0652C531}

C:\Program Files\ Internet Explorer\

These are the only two files apart from Connection Wizard, Plugins and Signup folders. There is also an obvious IEXPLORER.EXE

npvcbkpq.exe

HMMAPI.DLL

======================
I have also noticed that there is a folder C:\WINDOWS\SoftwareDistribution and I don't know if it is installed by some malware program or is it important for my computer?
aimankay is offline  
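As an added example (not code from the thread or from any of the tools it mentions), the following Python script parses a Winlogon\Notify .reg export of the shape posted above and flags entries that deviate from the XP baseline the export itself shows, which is how the rogue ModuleUsage entry stands out. The embedded sample is a constructed, trimmed copy of the posted Notify.txt, and the baseline sets and the two heuristics (absolute path, unknown DLL or subkey) are my assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the Winlogon\Notify export shape seen
# in the thread. Two legitimate entries (one hex(2) DllName, one plain string)
# plus the ModuleUsage key whose DllName is an absolute path into system32.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\azaol1931.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
'''

NOTIFY_ROOT = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Assumed baseline: the subkeys and DLL names carried by the legitimate
# entries in the thread's own XP export. Anything else deserves a look.
BASELINE_SUBKEYS = {'crypt32chain', 'cryptnet', 'cscdll', 'sccertprop', 'schedule',
                    'sclgntfy', 'senslogn', 'termsrv', 'wlballoon'}
BASELINE_DLLS = {'crypt32.dll', 'cryptnet.dll', 'cscdll.dll', 'wlnotify.dll', 'sclgntfy.dll'}

REG_KEY_RE = re.compile(r'^\[(.+)\]$')
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_hex2(payload: str) -> str:
    """Decode a REG_EXPAND_SZ written as hex(2):xx,xx,... (UTF-16LE, NUL-terminated)."""
    raw = bytes(int(b, 16) for b in payload.split(',') if b.strip())
    return raw.decode('utf-16-le').rstrip('\x00')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: decoded_value}}.

    Joins continuation lines (trailing backslash) and handles the three value
    forms that appear in the posted Notify.txt: "string", dword: and hex(2):.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    joined = re.sub(r'\\\r?\n\s*', '', text)   # a trailing '\' continues the value
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            name, rhs = m.group(1), m.group(2)
            if rhs.startswith('"') and rhs.endswith('"'):
                value = rhs[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            elif rhs.startswith('dword:'):
                value = str(int(rhs[6:], 16))
            elif rhs.startswith('hex(2):'):
                value = decode_hex2(rhs[7:])
            else:
                value = rhs
            keys[current][name] = value
    return keys


def audit_notify(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (subkey, dll, reason) for Notify entries that deviate from the baseline."""
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(NOTIFY_ROOT.lower() + '\\'):
            continue
        subkey = path.rsplit('\\', 1)[1]
        # Registry value names are case-insensitive ("DllName" vs "DLLName").
        dll = next((v for n, v in values.items() if n.lower() == 'dllname'), None)
        if dll is None:
            findings.append((subkey, '', 'no DllName value'))
            continue
        basename = dll.replace('/', '\\').rsplit('\\', 1)[-1].lower()
        reasons = []
        if '\\' in dll:
            reasons.append('absolute path (baseline entries use a bare file name)')
        if basename not in BASELINE_DLLS:
            reasons.append('DLL not in baseline')
        if subkey.lower() not in BASELINE_SUBKEYS:
            reasons.append('subkey not in baseline')
        if reasons:
            findings.append((subkey, dll, '; '.join(reasons)))
    return findings


if __name__ == '__main__':
    for subkey, dll, reason in audit_notify(parse_reg_export(SAMPLE_REG)):
        print(f'{subkey}: {dll or "<none>"} -> {reason}')
```

Run it against a real export (regedit, File->Export of the Notify key) by reading the file instead of SAMPLE_REG; the baseline sets will need adjusting for anything other than the XP image shown in the thread.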
Old 12-21-2004, 07:11 AM   #2
TSF Team, Emeritus
 
 
Join Date: Jul 2004
Location: New York
Posts: 14,311
OS: Windows 98 & Windows XP Home/Pro


Welcome to TSF.

Didn't you post at KRC Forum also? Here is the fix:

Please print out the instructions here so that you can follow along more easily.

This is a new type of hijack and may take a couple of tries to remove it. If you have any questions during this process, please ask us (just don't reboot).

1. Run VX2Finder(126) again.

2. Run the CleanUp! program and click on the CleanUp button. Say NO when it asks you to reboot/logoff. Check your Downloaded Program Files folder for any program that you do not recognize and remove anything in question.

3. Delete the following files:

C:\WINDOWS\System32\guard.tmp <<< If it exists!
IEXPLORER.EXE
npvcbkpq.exe

4. Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. After that's done, go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage

Delete the whole ModuleUsage folder. Close Regedit.

5. Run KillBox now.
a) Click on the 'Delete on Reboot' button.
b) Check 'End Explorer Shell While Killing File.'

Copy and paste each of the following locations (one by one) into KillBox (check 'Unregister .dll Before Deleting' if it's not grayed out) and hit the X button for each one (when it asks you if you want to reboot, click NO):

C:\WINDOWS\system32\ijxwan.dll
C:\WINDOWS\system32\azaol1931.dll

6. On the reboot hit the F8 key (repeatedly until a menu shows up) to enter Safe Mode.

7. Run HijackThis and do a scan. Check and fix the following:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

Close HijackThis and run Hoster. Click 'Restore Original Hosts' and click OK.

Run CleanUp! program again and clean everything. Say Yes when it asks you to reboot/logoff.

8. Reboot into Normal Mode and run HijackThis. See if the O1 entries are still in HijackThis. If they are still there, go to c:\windows\system32 and sort the files by date. There will/should be two new DLLs.
a) If those O1 entries did return in HijackThis, paste those two files into KillBox (in Step 5 above) and kill them. Just follow through the rest of the procedure (Steps 5 - 8) like before. Make sure NOT to reboot until you have deleted those two files (otherwise the names will change again).
b) If you are having problems removing them yourself, feel free to post those two files here and we'll help you with it. Post them along with the 2 PV logs, notify.txt and a new HijackThis log. Do NOT reboot your computer yet.

Give us a new set of logs (2 PV logs, 1 notify.txt log, 1 VX2Finder log and 1 HijackThis log).
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
greyknight17 is offline  
Old 12-21-2004, 09:44 AM   #3
Registered Member
 
Join Date: Dec 2004
Posts: 25
OS: XP


Thanks Kevin (greyknight17)

I have been waiting for the security world to come up with the solution for this spyware. I saw the other forum today and posted it there, while I had saved the link for this forum a while ago; that's why I had different contents in both my posts to start with.

I ran VX2Finder and then ran CleanUp, but when it came to deleting guard.tmp I couldn't delete it. I tried deleting it directly, and then saving the KillBox folder into c:\windows\system32\ and typing the correct path in KillBox, but it didn't allow me to delete it. How can I delete this file?

I deleted the IEXPLORE.EXE and npvcbkpq.exe but a new file iexplore.exe appeared in that folder.

When you have asked me to save the registry then do you mean the whole registry or just the:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage


I had sensed that azaol1931.dll and ijxwan.dll were responsible for some of the problems and tried to delete them earlier but couldn't succeed. Is there any particular way to delete these files?

While I was looking for the contents of the folder I found that in C: I had another folder called !Submit and it had another folder 12-21-2004 which had a guard.tmp file which I have deleted now. C directory also has a new file:

ied_s7.cab

C:\Windows\SoftwareDistribution\ folder has further got ReportingEvents.log and these following folders:
DataStore
Download
EventCache
SelfUpdate
WebUpdate
WebSetup
WuRedir
aimankay is offline  
Old 12-21-2004, 06:51 PM   #4
TSF Security Team, Emeritus
 
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,962
OS: Windows 7


Kev:

This is like the 3rd thread I've run into that the user can't delete the guard.tmp file on step 3 so they quit. You need to add this to your speech to address it...

**Note** Use KILLBOX to delete if they give you trouble. If you still can’t remove this file..then add it below in step 5 to be removed on reboot.

guard.tmp is a protected file on the first fix attempt. Even if you can't remove it in step 5 you can kill it when the user is in safe mode after step 6.

aimankay:

That !Submit folder is also part of one version of this hijack and needs to be deleted. Once you reboot in step 6, open KillBox and add that guard.tmp file to be deleted on reboot.

Quote:
When you have asked me to save the registry then do you mean the whole registry or just the:
The WHOLE registry. You're editing a key and we want to make sure you have a backup copy in case you make a mistake and trash the registry.

Quote:
I had sensed that azaol1931.dll and ijxwan.dll were responsible for some of the problems and tried to delete them earlier but couldn't succede. Is there any particular way to delete these files?
Yes in step 5...delete on reboot process.

C:\ied_s7.cab <---delete this file
MicroBell is offline  
Old 12-22-2004, 08:55 AM   #5
Registered Member
 
Join Date: Dec 2004
Posts: 25
OS: XP


Thanks for all your efforts.

I tried KillBox again but it didn't work, so I just moved on and deleted IEXPLORER.EXE and npvcbkpq.exe. I also deleted the ModuleUsage key in the registry after backing up the registry.

Then I tried to delete:
C:\WINDOWS\system32\ijxwan.dll in KillBox, but a message appeared saying this file doesn't exist. Here I should mention that since yesterday I haven't switched off my computer, but today I was unable to connect to the Internet. It's been happening since this spyware attack. Therefore, every time it happens I used to switch off my computer, but this time I tried logging off the computer and then I was able to connect to the Internet. I hope it is not the same as a reboot of the computer, or is it? KillBox can't delete C:\WINDOWS\system32\azaol1931.dll

I rebooted in Safe Mode wanting to delete all three of guard.tmp, azaol1931.dll and ijxwan.dll, but they were not present, so I completed all the steps required. My HJT doesn't show any 69.20.16.183 ieautosearch, so I assume it's working, but I ran Adware SE and it showed 4 new critical objects. I went to the system32 folder and listed the directory according to last modified, and it showed me a few new DLLs and guard.tmp. I managed to delete one of the DLLs through Adware, but I can't delete this other DLL and guard.tmp. I have repeated steps 5 to 8 a few times, and every time I had to reboot as step 8 requires it.

Anyhow, I have installed the new version of AVG and it detected a completely new DLL which was a bit older. I have deleted that DLL. Apart from that I have the following DLLs which changed name recently:

wpa.dbl
cmmdlg32.dll
l0j80a1ued.dll
(I think this one is the main culprit together with guard.tmp. I will try to post them if I find the link to paste the files. File attachment doesn't allow me to attach them, saying they are invalid files.)
mmxoci.dll
lvnq0955e.dll
guard.tmp


From time to time I also get a message in a "RUNDLL" message window: An exception occurred while trying to run ""C:\WINDOWS\system32\guard.tmp",UMonitor". I don't know what it is all about.

Below is the new log and I haven't rebooted my computer.


Option 3



Module information for 'rundll32.exe'
MODULE BASE SIZE PATH
rundll32.exe 1000000 40960 C:\WINDOWS\system32\rundll32.exe 5.1.2600.0 (xpclient.010817-1148) Run a DLL as an App
ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.0 (xpclient.010817-1148) NT Layer DLL
kernel32.dll 77e60000 937984 C:\WINDOWS\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL
GDI32.dll 77c70000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.0 (xpclient.010817-1148) GDI Client DLL
USER32.dll 77d40000 577536 C:\WINDOWS\system32\USER32.dll 5.1.2600.0 (xpclient.010817-1148) Windows XP USER API Client DLL
ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API
RPCRT4.dll 77cc0000 479232 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.0 (XPClient.010817-1148) Remote Procedure Call Runtime
IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.0 (XPClient.010817-1148) Windows NT Image Helper
guard.tmp 10000000 479232 C:\WINDOWS\system32\guard.tmp
COMCTL32.dll 77340000 569344 C:\WINDOWS\system32\COMCTL32.dll 5.82 (xpclient.010817-1148) Common Controls Library
comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2600.0000 (xpclient.010817-1148) Common Dialogs DLL
SHLWAPI.dll 772d0000 405504 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Light-weight Utility Library
SHELL32.dll 773d0000 8339456 C:\WINDOWS\system32\SHELL32.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Shell Common Dll
CRYPT32.dll 762c0000 565248 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.0 (xpclient.010817-1148) Crypto API32
MSASN1.dll 762a0000 61440 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.0 (XPClient.010817-1148) ASN.1 Runtime APIs
ole32.dll 771b0000 1155072 C:\WINDOWS\system32\ole32.dll 5.1.2600.0 (XPClient.010817-1148) Microsoft OLE for Windows
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
oledlg.dll 74d30000 131072 C:\WINDOWS\system32\oledlg.dll 1.0 (XPClient.010817-1148) Microsoft Windows(TM) OLE 2.0 User Interface Support
PSAPI.DLL 76bf0000 45056 C:\WINDOWS\system32\PSAPI.DLL 5.1.2600.0 (XPClient.010817-1148) Process Status Helper
urlmon.dll 760f0000 491520 C:\WINDOWS\system32\urlmon.dll 6.00.2600.0000 (xpclient.010817-1148) OLE32 Extensions for Win32
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
USERENV.dll 75a70000 667648 C:\WINDOWS\system32\USERENV.dll 5.1.2600.0 (xpclient.010817-1148) Userenv
WININET.dll 76200000 618496 C:\WINDOWS\system32\WININET.dll 6.00.2600.0000 (xpclient.010817-1148) Internet Extensions for Win32
WINSPOOL.DRV 73000000 143360 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.0 (XPClient.010817-1148) Windows Spooler Driver
WS2_32.dll 71ab0000 86016 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library
uxtheme.dll 5ad70000 212992 C:\WINDOWS\system32\uxtheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library
Secur32.dll 76f90000 65536 C:\WINDOWS\system32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface
RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\system32\RASAPI32.DLL 5.1.2600.0 (xpclient.010817-1148) Remote Access API
rasman.dll 76e90000 69632 C:\WINDOWS\system32\rasman.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access Connection Manager
NETAPI32.dll 71c20000 323584 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Net Win32 API DLL
TAPI32.dll 76eb0000 172032 C:\WINDOWS\system32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Windows(TM) Telephony API Client DLL
rtutils.dll 76e80000 53248 C:\WINDOWS\system32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
WINMM.dll 76b40000 180224 C:\WINDOWS\system32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL
serwvdrv.dll 5cd70000 28672 C:\WINDOWS\system32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Serial Wave driver
umdmxfrm.dll 5b0a0000 28672 C:\WINDOWS\system32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module
sensapi.dll 722b0000 20480 C:\WINDOWS\system32\sensapi.dll 5.1.2600.0 (XPClient.010817-1148) SENS Connectivity API DLL


Option 5



Module information for 'winlogon.exe'
MODULE BASE SIZE PATH
winlogon.exe 1000000 450560 C:\WINDOWS\system32\winlogon.exe 5.1.2600.0 (xpclient.010817-1148) Windows NT Logon Application
ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.0 (xpclient.010817-1148) NT Layer DLL
kernel32.dll 77e60000 937984 C:\WINDOWS\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API
RPCRT4.dll 77cc0000 479232 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.0 (XPClient.010817-1148) Remote Procedure Call Runtime
AUTHZ.dll 76cc0000 65536 C:\WINDOWS\system32\AUTHZ.dll 5.1.2600.0 (xpclient.010817-1148) Authorization Framework
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL
CRYPT32.dll 762c0000 565248 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.0 (xpclient.010817-1148) Crypto API32
USER32.dll 77d40000 577536 C:\WINDOWS\system32\USER32.dll 5.1.2600.0 (xpclient.010817-1148) Windows XP USER API Client DLL
GDI32.dll 77c70000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.0 (xpclient.010817-1148) GDI Client DLL
MSASN1.dll 762a0000 61440 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.0 (XPClient.010817-1148) ASN.1 Runtime APIs
NDdeApi.dll 75940000 28672 C:\WINDOWS\system32\NDdeApi.dll 5.1.2600.0 (xpclient.010817-1148) Network DDE Share Management APIs
PROFMAP.dll 75930000 40960 C:\WINDOWS\system32\PROFMAP.dll 5.1.2600.0 (xpclient.010817-1148) Userenv
NETAPI32.dll 71c20000 323584 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Net Win32 API DLL
USERENV.dll 75a70000 667648 C:\WINDOWS\system32\USERENV.dll 5.1.2600.0 (xpclient.010817-1148) Userenv
PSAPI.DLL 76bf0000 45056 C:\WINDOWS\system32\PSAPI.DLL 5.1.2600.0 (XPClient.010817-1148) Process Status Helper
REGAPI.dll 76bc0000 57344 C:\WINDOWS\system32\REGAPI.dll 5.1.2600.0 (xpclient.010817-1148) Registry Configuration APIs
Secur32.dll 76f90000 65536 C:\WINDOWS\system32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface
SETUPAPI.dll 76670000 933888 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows Setup API
sfc_os.dll 76c60000 167936 C:\WINDOWS\system32\sfc_os.dll 5.1.2600.0 (xpclient.010817-1148) Windows File Protection
WINTRUST.dll 76c30000 176128 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
ole32.dll 771b0000 1155072 C:\WINDOWS\system32\ole32.dll 5.1.2600.0 (XPClient.010817-1148) Microsoft OLE for Windows
IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.0 (XPClient.010817-1148) Windows NT Image Helper
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
WINSTA.dll 76360000 61440 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.0 (xpclient.010817-1148) Winstation Library
WS2_32.dll 71ab0000 86016 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
MSGINA.dll 75970000 987136 C:\WINDOWS\system32\MSGINA.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT Logon GINA DLL
SHELL32.dll 773d0000 8339456 C:\WINDOWS\system32\SHELL32.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Shell Common Dll
SHLWAPI.dll 772d0000 405504 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Light-weight Utility Library
COMCTL32.dll 77340000 569344 C:\WINDOWS\system32\COMCTL32.dll 5.82 (xpclient.010817-1148) Common Controls Library
ODBC32.dll 1f7b0000 200704 C:\WINDOWS\system32\ODBC32.dll 3.520.7713.0 Microsoft Data Access - ODBC Driver Manager
comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2600.0000 (xpclient.010817-1148) Common Dialogs DLL
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library
odbcint.dll 1f850000 90112 C:\WINDOWS\system32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC Resources
SHSVCS.dll 76bd0000 122880 C:\WINDOWS\system32\SHSVCS.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Shell Services Dll
sfc.dll 76bb0000 16384 C:\WINDOWS\system32\sfc.dll 5.1.2600.0 (xpclient.010817-1148) Windows File Protection
WINSCARD.DLL 723d0000 106496 C:\WINDOWS\system32\WINSCARD.DLL 5.1.2600.0 (xpclient.010817-1148) Microsoft Smart Card API
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Terminal Server SDK APIs
uxtheme.dll 5ad70000 212992 C:\WINDOWS\system32\uxtheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library
WINMM.dll 76b40000 180224 C:\WINDOWS\system32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL
serwvdrv.dll 5cd70000 28672 C:\WINDOWS\system32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Serial Wave driver
umdmxfrm.dll 5b0a0000 28672 C:\WINDOWS\system32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module
cscdll.dll 76600000 110592 C:\WINDOWS\system32\cscdll.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
WlNotify.dll 75950000 102400 C:\WINDOWS\system32\WlNotify.dll 5.1.2600.0 (XPClient.010817-1148) Common DLL to receive Winlogon notifications
WINSPOOL.DRV 73000000 143360 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.0 (XPClient.010817-1148) Windows Spooler Driver
MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
rsaenh.dll ffd0000 139264 C:\WINDOWS\System32\rsaenh.dll 5.1.2518.0 (main.010714-2114) Microsoft Base Cryptographic Provider
SAMLIB.dll 71bf0000 69632 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.0 (xpclient.010817-1148) SAM Library DLL
msv1_0.dll 76d10000 118784 C:\WINDOWS\system32\msv1_0.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Authentication Package v1.0
cscui.dll 76620000 319488 C:\WINDOWS\system32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Client Side Caching UI
l0j80a1ued.dll 10000000 479232 C:\WINDOWS\system32\l0j80a1ued.dll
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
oledlg.dll 74d30000 131072 C:\WINDOWS\system32\oledlg.dll 1.0 (XPClient.010817-1148) Microsoft Windows(TM) OLE 2.0 User Interface Support
urlmon.dll 760f0000 491520 C:\WINDOWS\system32\urlmon.dll 6.00.2600.0000 (xpclient.010817-1148) OLE32 Extensions for Win32
WININET.dll 76200000 618496 C:\WINDOWS\system32\WININET.dll 6.00.2600.0000 (xpclient.010817-1148) Internet Extensions for Win32
RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\system32\RASAPI32.DLL 5.1.2600.0 (xpclient.010817-1148) Remote Access API
rasman.dll 76e90000 69632 C:\WINDOWS\system32\rasman.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access Connection Manager
TAPI32.dll 76eb0000 172032 C:\WINDOWS\system32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Windows(TM) Telephony API Client DLL
rtutils.dll 76e80000 53248 C:\WINDOWS\system32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
wldap32.dll 76f60000 180224 C:\WINDOWS\system32\wldap32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL
mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
DNSAPI.dll 76f20000 151552 C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-1148) DNS Client API DLL
iphlpapi.dll 76d60000 86016 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2 (xpclient.010817-1148) IP Helper API
netman.dll 76de0000 155648 C:\WINDOWS\system32\netman.dll 5.1.2600.0 (xpclient.010817-1148) Network Connections Manager
MPRAPI.dll 76d40000 90112 C:\WINDOWS\system32\MPRAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT MP Router Administration DLL
ACTIVEDS.dll 76e40000 192512 C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) ADs Router Layer DLL
adsldpc.dll 76e10000 147456 C:\WINDOWS\system32\adsldpc.dll 5.1.2600.0 (xpclient.010817-1148) ADs LDAP Provider C DLL
ATL.DLL 76b20000 86016 C:\WINDOWS\system32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)
WZCSvc.DLL 76da0000 196608 C:\WINDOWS\system32\WZCSvc.DLL 5.1.2600.0 (xpclient.010817-1148) Wireless Zero Configuration Service
WMI.dll 76d30000 16384 C:\WINDOWS\system32\WMI.dll 5.1.2600.0 (XPClient.010817-1148) WMI DC and DP functionality
DHCPCSVC.DLL 76d80000 106496 C:\WINDOWS\system32\DHCPCSVC.DLL 5.1.2600.0 (xpclient.010817-1148) DHCP Client Service
winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
rasadhlp.dll 76fc0000 20480 C:\WINDOWS\system32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
sxs.dll 75e90000 659456 C:\WINDOWS\system32\sxs.dll 5.1.2600.0 (xpclient.010817-1148) Fusion 2.5
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.42
CLBCATQ.DLL 76fd0000 491520 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.42
NTMARTA.DLL 76ce0000 126976 C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.0 (xpclient.010817-1148) Windows NT MARTA provider
wdmaud.drv 72d20000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77be0000 81920 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
midimap.dll 77bd0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper


Notify.txt


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l0j80a1ued.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

VX2 Finder


Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---crypt32chain
Keys Under Notify---cryptnet
Keys Under Notify---cscdll
Keys Under Notify---ScCertProp
Keys Under Notify---Schedule
Keys Under Notify---sclgntfy
Keys Under Notify---SensLogn
Keys Under Notify---termsrv
Keys Under Notify---ThemeManager
Keys Under Notify---wlballoon


Guardian Key--- is called:

User Agent String---
{38A42928-58EC-4C7A-9B7C-16DD0652C531}


HJT Logfile

Logfile of HijackThis v1.99.0
Scan saved at 16:40:09, on 22/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\notepad.exe
C:\Software\Avant\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.hotmail.com/
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O16 - DPF: {9D614E8E-03AA-11D3-90FC-0040C7157029} (PDMSInstallerCtl Class) - https://www.pakdata.com/download/PDMSInstaller.cab
O16 - DPF: {CAAE28D1-ADCC-11D1-BD4D-004845401881} (Urdu98 Control) - https://www.pakdata.com/download/urduplugin.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

Addition...

I have just checked HJT again, and autosearch came back again and a new browser window opened recently.
aimankay is offline  
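The two PV listings in the post above already carry the signal the later replies act on: every stock module reports a version and a description, while guard.tmp (inside rundll32.exe) and l0j80a1ued.dll (inside winlogon.exe) report neither, and both show base 10000000 and size 479232, i.e. one image under two names. As an added example, not PV's code and not part of the original post, the Python below parses a listing in that layout and flags modules that have no version resource, that carry an extension not normally loaded as an image, or that share base and size with a differently named module. The column layout (MODULE BASE SIZE PATH, then an optional version and description) is inferred from the posted logs, the three red flags are my assumptions, and SAMPLE_PV is a constructed excerpt of the two listings.

```python
r"""Triage a PV module listing in the layout of the Option 3 / Option 5 logs
posted in this thread.

Added example, not PV's code and not part of the original post. The column
layout (MODULE BASE SIZE PATH [version [description]]) is inferred from the
posted logs, the red flags are my assumptions, and SAMPLE_PV is a constructed
excerpt of the two listings.
"""
import re
from collections import defaultdict

SAMPLE_PV = r"""Module information for 'rundll32.exe'
MODULE BASE SIZE PATH
rundll32.exe 1000000 40960 C:\WINDOWS\system32\rundll32.exe 5.1.2600.0 (xpclient.010817-1148) Run a DLL as an App
ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.0 (xpclient.010817-1148) NT Layer DLL
guard.tmp 10000000 479232 C:\WINDOWS\system32\guard.tmp
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.42

Module information for 'winlogon.exe'
MODULE BASE SIZE PATH
winlogon.exe 1000000 450560 C:\WINDOWS\system32\winlogon.exe 5.1.2600.0 (xpclient.010817-1148) Windows NT Logon Application
MSGINA.dll 75970000 987136 C:\WINDOWS\system32\MSGINA.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT Logon GINA DLL
l0j80a1ued.dll 10000000 479232 C:\WINDOWS\system32\l0j80a1ued.dll
ATL.DLL 76b20000 86016 C:\WINDOWS\system32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)
"""

PROCESS_RE = re.compile(r"^Module information for '(.+)'")
LINE_RE = re.compile(r"^(\S+)\s+([0-9a-f]+)\s+(\d+)\s+(.*)$", re.I)
# The first whitespace-delimited dotted number after the path is the file version.
VERSION_RE = re.compile(r"\s+(\d+(?:\.\d+){1,3})(?:\s+|$)")
# Assumption: extensions a loaded image normally has.
IMAGE_EXT = (".dll", ".exe", ".drv", ".ocx", ".cpl", ".ax", ".acm", ".ime")


def parse_pv(text):
    """Return rows (process, module, base, size, path, version, description)."""
    rows, process = [], None
    for line in text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            process = m.group(1)
            continue
        m = LINE_RE.match(line)          # the MODULE BASE SIZE PATH header does not match
        if not m or process is None:
            continue
        module, base, size, rest = m.group(1), int(m.group(2), 16), int(m.group(3)), m.group(4)
        v = VERSION_RE.search(rest)
        if v:
            path, version, desc = rest[:v.start()], v.group(1), rest[v.end():].strip()
        else:
            path, version, desc = rest.strip(), "", ""
        rows.append((process, module, base, size, path, version, desc))
    return rows


def triage(rows):
    """Map module name -> list of reasons it deserves a look."""
    flags = defaultdict(list)
    by_image = defaultdict(set)          # (base, size) -> file names seen with it
    for process, module, base, size, path, version, desc in rows:
        by_image[(base, size)].add(module)
        if not version and not desc:
            flags[module].append("no version or description in %s (no version resource)" % process)
        if not module.lower().endswith(IMAGE_EXT):
            flags[module].append("extension not normally loaded as an image")
    for (base, size), names in by_image.items():
        if len(names) > 1:               # one image, several file names
            for n in names:
                flags[n].append("same base 0x%x and size %d as %s"
                                % (base, size, ", ".join(sorted(names - {n}))))
    return dict(flags)


if __name__ == "__main__":
    for name, why in sorted(triage(parse_pv(SAMPLE_PV)).items()):
        print(name)
        for reason in why:
            print("   -", reason)
```

Replace SAMPLE_PV with the full text of your own PV log to run it over every module; a module that shows up with all three reasons, as guard.tmp does here, is the one to carry into the Killbox list.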
Old 12-22-2004, 06:16 PM   #6
MicroBell, TSF Security Team, Emeritus
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,962
OS: Windows 7

Well...as you're using Ad-Aware and such to delete dlls and things...it sounds like you're not following the instructions carefully. You cannot deviate from the order of things..as if you do...you stay reinfected. You still have the infection in the system. Let's try this again.

OK...Please note this is a new type of hijack and may take a few tries (hoping not) to remove it. If you have any questions before a step...ask please. Do NOT use any other programs to remove files unless asked to in the fix.

1. Run VX2Finder(126) again.

2. Run Cleanup and clean ALL temp folders. Say NO when it asks you to reboot/logoff. Check your Downloaded Program Files folder for any program that you do not recognize and remove anything in question.

3. Delete the following files::

**Skip this Section as I'll address it below**

C:\WINDOWS\System32\******** <<< If it exsists!

**Note** Use KILLBOX to delete if they give you trouble. If you still can’t remove this file..then add it below in step 5 to be removed on reboot.

4. Open regedit......start....run...type in regedit. Once open click file...export and save a copy of the registry somewhere as a back up. Once done navigate to this key...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]

Find the entry key for l0j80a1ued.dll file...highlight it...and click delete. Delete the ThemeManager folder. Close regedit.

5. Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) and "Unload Explorer Shell" Click the RED X and it will ask to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

**Note** Some of these files may already be gone.

C:\WINDOWS\system32\l0j80a1ued.dll
C:\WINDOWS\system32\cmmdlg32.dll
C:\WINDOWS\system32\mmxoci.dll
C:\WINDOWS\system32\lvnq0955e.dll
C:\WINDOWS\system32\ijxwan.dll
C:\WINDOWS\system32\guard.tmp


6. On the reboot hit the F8 key to enter safe mode.

7. Run hijackthis and have it do a scan. Fix the following entries..

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch


Close Hijack

Now run Hoster to reset/restore your hosts file.

Now..check for that C:\WINDOWS\system32\guard.tmp file. If it's still there then open KILLBOX...paste the file in the box and select KILL. If it gives you an error...then check the box KILL on REBOOT...click KILL..it will say Reboot Now..select NO..then close KILLBOX and proceed below.

Run Cleanup again and clean everything. Say YES when it asks you to reboot.

8. Reboot into normal mode..run hijackthis again and check for those O1 entries. They should be gone. If not....open the C:\Windows\System32 folder and sort the files by date. There will be 2 new dlls.

**Note** If your first attempt failed..repeat the removal process using the 2 new dll filenames that were created, paste those into KILLBOX in step 5 and continue following the procedures from there. Remember….don't reboot until you delete those files..otherwise the filename will change again. If nothing works….then locate the 2 new dlls and post them here along with a new set of logs from PV and notify.txt. Also post a fresh hijackthis log.

If the removal was successful please reboot and post another hijackthis log so we can confirm!

Good Luck!
MicroBell is offline  
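Step 4 above and the Notify.txt export in the previous post are about the same mechanism: winlogon.exe loads every DLL registered under the Winlogon\Notify key and calls the exported Logon/Logoff/Shutdown handlers, which is why the random DLL appears inside winlogon.exe in the PV Option 5 listing. As an added example that is not part of the thread and not the code of any tool it mentions, here is a small Python script that reads a .reg export of that key and flags packages that are not part of a stock Windows XP install, that name a full path instead of a bare DLL name, or whose file name looks random. The XP baseline list and the random-name rule are my assumptions, and SAMPLE_EXPORT is a constructed excerpt modelled on the posted Notify.txt.

```python
r"""Flag suspicious packages registered under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
in a .reg export like the Notify.txt posted in this thread.

Added example, not the thread's or any tool's own code. KNOWN_GOOD_XP and
the random-name heuristic are assumptions; SAMPLE_EXPORT is constructed.
"""
import re

# Assumption: the Notify packages a stock Windows XP install registers and
# the DLL each one names. Anything else deserves a look.
KNOWN_GOOD_XP = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")

# Constructed excerpt modelled on the posted Notify.txt: two stock keys plus
# the ThemeManager key that names the random DLL.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\l0j80a1ued.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
'''


def _decode_value(raw):
    """Decode one .reg data field: "string", dword:, or hex(2): UTF-16LE bytes."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\(\d+\))?:(.*)$", raw, re.S)
    if m:
        data = bytes(int(h, 16) for h in re.findall(r"[0-9a-fA-F]{2}", m.group(1)))
        return data.decode("utf-16-le", "replace").split("\x00")[0]
    return raw


def parse_notify_export(text):
    """Return {subkey: {value_name_lower: decoded_value}} for keys below Notify."""
    keys, current, pending = {}, None, ""
    for raw_line in text.splitlines():
        line = pending + raw_line.strip()
        if line.endswith("\\"):          # hex data continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.lower().startswith(NOTIFY_PREFIX.lower()):
                current = path[len(NOTIFY_PREFIX):]
                keys[current] = {}
            else:
                current = None
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"').lower()] = _decode_value(data)
    return keys


def looks_random(basename):
    """Assumption: two or more separate digit runs in the stem (l0j80a1ued) is
    unusual for a stock Windows DLL. A hint, not proof."""
    stem = basename.rsplit(".", 1)[0]
    return len(re.findall(r"\d+", stem)) >= 2


def assess_notify(keys):
    """Return [(subkey, dllname, [reasons])] for every package worth reviewing."""
    findings = []
    for sub, vals in keys.items():
        dll = str(vals.get("dllname", ""))
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        expected = KNOWN_GOOD_XP.get(sub.lower())
        if expected is None:
            reasons.append("subkey is not one Windows XP ships with")
        elif base != expected:
            reasons.append("DllName %s differs from the stock %s" % (base, expected))
        if "\\" in dll or ":" in dll:
            reasons.append("DllName is a full path; stock entries use a bare name")
        if looks_random(base):
            reasons.append("file name looks randomly generated")
        if reasons:
            findings.append((sub, dll, reasons))
    return findings


def removal_commands(findings):
    """reg.exe lines that drop each flagged subkey (the thread does this by hand in regedit)."""
    return ['reg delete "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'
            '\\Winlogon\\Notify\\%s" /f' % sub for sub, _, _ in findings]


if __name__ == "__main__":
    found = assess_notify(parse_notify_export(SAMPLE_EXPORT))
    for sub, dll, why in found:
        print("%-14s %s\n    %s" % (sub, dll, "; ".join(why)))
    for cmd in removal_commands(found):
        print(cmd)
```

Run it as-is against the constructed excerpt, or replace SAMPLE_EXPORT with the contents of your own Notify.txt. The reg.exe line it prints removes the whole flagged subkey, which is what step 4 does by hand; as the thread also shows, the key comes back while the DLL it names is still loaded, so the file has to be removed in the same pass (step 5) before the reboot.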
Old 12-22-2004, 11:31 PM   #7
aimankay, Registered Member
Join Date: Dec 2004
Posts: 25
OS: XP

I used Ad-Aware once I had completed all the steps that are mentioned here just to check if all the spyware is eliminated. Anyhow, I won't do it again.

I have completed steps 1 and 2 and skipped 3. Also, the entry key for l0j80a1ued.dll was inside that ThemeManager so I deleted that first and then deleted the whole ThemeManager folder.

In step 5 I am having the same problem again that I cannot delete the following files. Is there anywhere else where this program is used, because every time I try to delete it using Killbox it says that it's being used by some other program so it can't delete.

C:\WINDOWS\system32\l0j80a1ued.dll
C:\WINDOWS\system32\lvnq0955e.dll

but I managed to delete others including:

C:\WINDOWS\system32\guard.tmp

but this one doesn't exist:

C:\WINDOWS\system32\ijxwan.dll

Shall I proceed to Step 6 and reboot when I haven't deleted those two important dll files?

I have also found ThemeManager in

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager]

It has the following dll

%SystemRoot%\Resources\themes\Luna\Luna.msstyles


I wonder if I can delete this folder too?

I have checked the Registry again for l0j80a1ued.dll and it keeps coming back in the following:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
aimankay is offline  
Old 12-23-2004, 02:43 AM   #8
MicroBell, TSF Security Team, Emeritus
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,962
OS: Windows 7

In step 5 when using Killbox and you put the file's path into the box...did you tick the box that says "Delete on Reboot" for each file? It doesn't matter if the file's in use...as KILLBOX won't try to delete it until the system is rebooted...and will delete it when it's not in use.

If you're simply putting the path in there and hitting KILL it will error as the file is in use. Anyway..yes..continue on. Once you finish though...treat it as a failed attempt and use my instructions in RED.


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager] <=== LEAVE THIS BE...Delete NOTHING!!!! It contains your desktop and Microsoft's themes.

We are only dealing with the entries in the NOTIFY KEY...nothing else

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager] <== that's the only folder we are after that needs to be deleted after you remove that random DLL that's inside.
MicroBell is offline  
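What "Delete on Reboot" relies on, as an added example that is not Killbox's or HijackThis's code and not from the thread: tools of that kind call MoveFileEx with a NULL destination and the MOVEFILE_DELAY_UNTIL_REBOOT flag. Windows records the request in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager as a pair of strings, the source in \??\ form followed by an empty destination meaning delete, and smss.exe replays that list early in the next boot, before winlogon.exe has loaded anything from the Notify key, so a file that is locked now is gone before anything can lock it again. HijackThis has the same facility under its Misc Tools as "Delete a file on reboot". The Python below builds and reads that value format anywhere, and on Windows only (and only assuming it is run with administrative rights) queues files through the same API call; the value layout is as described here, and nothing in it is exercised off Windows.

```python
"""Build, read and (on Windows) queue PendingFileRenameOperations entries,
the mechanism behind a Killbox-style "Delete on Reboot".

Added example, not Killbox's or HijackThis's code and not from the thread.
Assumptions: the MULTI_SZ layout described in the lead-in; the Windows-only
functions need administrative rights and are not exercised off Windows.
"""
import sys

PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4      # winbase.h


def to_nt_path(win_path):
    """C:\\dir\\x.dll -> \\??\\C:\\dir\\x.dll, the form the value stores (idempotent)."""
    return win_path if win_path.startswith("\\??\\") else "\\??\\" + win_path


def encode_pending(existing, deletes):
    """Return the MULTI_SZ list with delete requests appended: each request is
    the NT source path followed by an empty destination. Sources already queued
    are skipped so re-running does not grow the value."""
    out = list(existing)
    queued = {out[i].lower() for i in range(0, len(out) - 1, 2)}
    for path in deletes:
        src = to_nt_path(path)
        if src.lower() not in queued:
            out += [src, ""]
            queued.add(src.lower())
    return out


def decode_pending(multi_sz):
    """Return [(source, destination)]; an empty destination means delete."""
    return [(multi_sz[i], multi_sz[i + 1]) for i in range(0, len(multi_sz) - 1, 2)]


def schedule_delete_on_reboot(paths):
    """Windows only: queue files through MoveFileExW, the same call a
    Delete-on-Reboot option ends up making. Requires administrative rights."""
    if sys.platform != "win32":
        raise RuntimeError("only meaningful on Windows")
    import ctypes
    for path in paths:
        if not ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
            raise ctypes.WinError()


def read_pending():
    """Windows only: read the queue back so the entries can be checked before rebooting."""
    if sys.platform != "win32":
        raise RuntimeError("only meaningful on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
        try:
            value, _ = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            return []
    return decode_pending(value)


if __name__ == "__main__":
    # The two files the thread could not delete while they were in use.
    queue = encode_pending([], [r"C:\WINDOWS\system32\l0j80a1ued.dll",
                                r"C:\WINDOWS\system32\guard.tmp"])
    for src, dst in decode_pending(queue):
        print("%s -> %s" % (src, dst or "<delete>"))
```

On the affected machine, read_pending() after queueing is the check that Killbox's "Delete on Reboot" box was actually ticked for each file: the two paths should be listed with empty destinations before you restart, which is the difference between the failed attempt in this post and the one that worked.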
Old 12-23-2004, 04:58 AM   #9
aimankay, Registered Member
Join Date: Dec 2004
Posts: 25
OS: XP

I think I hadn't enabled the Delete on Reboot button, but while I was checking through some things I came across the similar button on HijackThis and managed to delete both the files.

My computer is not having any problem even though I am connected to the internet.

I ran VX2Finder, Clean, HJT quite a few times after reboot and it seems there is no problem.

I ran pv from the desktop just to double check but I am surprised that option 3 just opens a blank log while option 5 does bring a normal looking log. Do I need to worry?
aimankay is offline  
Old 12-23-2004, 08:23 AM   #10
greyknight17, TSF Team, Emeritus
Join Date: Jul 2004
Location: New York
Posts: 14,311
OS: Windows 98 & Windows XP Home/Pro

Please post a new set of logs again (if PV #3 is empty, then it's a good sign). We want the HijackThis log, the PV log, notify.txt and VX2Finder logs again.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
greyknight17 is offline  
Old 12-23-2004, 02:30 PM   #11
aimankay, Registered Member
Join Date: Dec 2004
Posts: 25
OS: XP

It is nice to hear that the lack of Option 3 is a good thing :)

Here is the log again


HJT Log

Logfile of HijackThis v1.99.0
Scan saved at 22:22:15, on 23/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\IEPopupKiller\PopupKillerTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Software\Avant\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: IEPopupKillerBHO.CIEPopupKillerBHO - {31801B7B-6A29-43A2-A54F-A8920FA70F9C} - C:\Program Files\IEPopupKiller\IEPopupKillerBHO.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O16 - DPF: {9D614E8E-03AA-11D3-90FC-0040C7157029} (PDMSInstallerCtl Class) - https://www.pakdata.com/download/PDMSInstaller.cab
O16 - DPF: {CAAE28D1-ADCC-11D1-BD4D-004845401881} (Urdu98 Control) - https://www.pakdata.com/download/urduplugin.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

PV Log from Option 5

Module information for 'winlogon.exe'
MODULE BASE SIZE PATH
winlogon.exe 1000000 450560 C:\WINDOWS\system32\winlogon.exe 5.1.2600.0 (xpclient.010817-1148) Windows NT Logon Application
ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.0 (xpclient.010817-1148) NT Layer DLL
kernel32.dll 77e60000 937984 C:\WINDOWS\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API
RPCRT4.dll 77cc0000 479232 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.0 (XPClient.010817-1148) Remote Procedure Call Runtime
AUTHZ.dll 76cc0000 65536 C:\WINDOWS\system32\AUTHZ.dll 5.1.2600.0 (xpclient.010817-1148) Authorization Framework
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL
CRYPT32.dll 762c0000 565248 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.0 (xpclient.010817-1148) Crypto API32
USER32.dll 77d40000 577536 C:\WINDOWS\system32\USER32.dll 5.1.2600.0 (xpclient.010817-1148) Windows XP USER API Client DLL
GDI32.dll 77c70000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.0 (xpclient.010817-1148) GDI Client DLL
MSASN1.dll 762a0000 61440 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.0 (XPClient.010817-1148) ASN.1 Runtime APIs
NDdeApi.dll 75940000 28672 C:\WINDOWS\system32\NDdeApi.dll 5.1.2600.0 (xpclient.010817-1148) Network DDE Share Management APIs
PROFMAP.dll 75930000 40960 C:\WINDOWS\system32\PROFMAP.dll 5.1.2600.0 (xpclient.010817-1148) Userenv
NETAPI32.dll 71c20000 323584 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Net Win32 API DLL
USERENV.dll 75a70000 667648 C:\WINDOWS\system32\USERENV.dll 5.1.2600.0 (xpclient.010817-1148) Userenv
PSAPI.DLL 76bf0000 45056 C:\WINDOWS\system32\PSAPI.DLL 5.1.2600.0 (XPClient.010817-1148) Process Status Helper
REGAPI.dll 76bc0000 57344 C:\WINDOWS\system32\REGAPI.dll 5.1.2600.0 (xpclient.010817-1148) Registry Configuration APIs
Secur32.dll 76f90000 65536 C:\WINDOWS\system32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface
SETUPAPI.dll 76670000 933888 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows Setup API
sfc_os.dll 76c60000 167936 C:\WINDOWS\system32\sfc_os.dll 5.1.2600.0 (xpclient.010817-1148) Windows File Protection
WINTRUST.dll 76c30000 176128 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
ole32.dll 771b0000 1155072 C:\WINDOWS\system32\ole32.dll 5.1.2600.0 (XPClient.010817-1148) Microsoft OLE for Windows
IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.0 (XPClient.010817-1148) Windows NT Image Helper
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
WINSTA.dll 76360000 61440 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.0 (xpclient.010817-1148) Winstation Library
WS2_32.dll 71ab0000 86016 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
MSGINA.dll 75970000 987136 C:\WINDOWS\system32\MSGINA.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT Logon GINA DLL
SHELL32.dll 773d0000 8339456 C:\WINDOWS\system32\SHELL32.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Shell Common Dll
SHLWAPI.dll 772d0000 405504 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Light-weight Utility Library
COMCTL32.dll 77340000 569344 C:\WINDOWS\system32\COMCTL32.dll 5.82 (xpclient.010817-1148) Common Controls Library
ODBC32.dll 1f7b0000 200704 C:\WINDOWS\system32\ODBC32.dll 3.520.7713.0 Microsoft Data Access - ODBC Driver Manager
comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2600.0000 (xpclient.010817-1148) Common Dialogs DLL
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library
odbcint.dll 1f850000 90112 C:\WINDOWS\system32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC Resources
SHSVCS.dll 76bd0000 122880 C:\WINDOWS\system32\SHSVCS.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Shell Services Dll
sfc.dll 76bb0000 16384 C:\WINDOWS\system32\sfc.dll 5.1.2600.0 (xpclient.010817-1148) Windows File Protection
WINSCARD.DLL 723d0000 106496 C:\WINDOWS\system32\WINSCARD.DLL 5.1.2600.0 (xpclient.010817-1148) Microsoft Smart Card API
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Terminal Server SDK APIs
uxtheme.dll 5ad70000 212992 C:\WINDOWS\system32\uxtheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library
WINMM.dll 76b40000 180224 C:\WINDOWS\system32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL
serwvdrv.dll 5cd70000 28672 C:\WINDOWS\system32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Serial Wave driver
umdmxfrm.dll 5b0a0000 28672 C:\WINDOWS\system32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module
cscdll.dll 76600000 110592 C:\WINDOWS\system32\cscdll.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
WlNotify.dll 75950000 102400 C:\WINDOWS\system32\WlNotify.dll 5.1.2600.0 (XPClient.010817-1148) Common DLL to receive Winlogon notifications
WINSPOOL.DRV 73000000 143360 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.0 (XPClient.010817-1148) Windows Spooler Driver
MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
rsaenh.dll ffd0000 139264 C:\WINDOWS\System32\rsaenh.dll 5.1.2518.0 (main.010714-2114) Microsoft Base Cryptographic Provider
SAMLIB.dll 71bf0000 69632 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.0 (xpclient.010817-1148) SAM Library DLL
cscui.dll 76620000 319488 C:\WINDOWS\system32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Client Side Caching UI
msv1_0.dll 76d10000 118784 C:\WINDOWS\system32\msv1_0.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Authentication Package v1.0
NTMARTA.DLL 76ce0000 126976 C:\WINDOWS\system32\NTMARTA.DLL 5.1.2600.0 (xpclient.010817-1148) Windows NT MARTA provider
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL
wdmaud.drv 72d20000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77be0000 81920 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
midimap.dll 77bd0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.42
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
CLBCATQ.DLL 76fd0000 491520 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.42
sxs.dll 75e90000 659456 C:\WINDOWS\system32\sxs.dll 5.1.2600.0 (xpclient.010817-1148) Fusion 2.5
wbemprox.dll 74ef0000 40960 C:\WINDOWS\System32\wbem\wbemprox.dll 5.1.2600.0 (xpclient.010817-1148) WMI
wbemcomn.dll 75290000 229376 C:\WINDOWS\System32\wbem\wbemcomn.dll 5.1.2600.0 (xpclient.010817-1148) WMI
wbemsvc.dll 74ed0000 61440 C:\WINDOWS\System32\wbem\wbemsvc.dll 5.1.2600.0 (xpclient.010817-1148) WMI
fastprox.dll 75690000 598016 C:\WINDOWS\System32\wbem\fastprox.dll 5.1.2600.0 (xpclient.010817-1148) WMI

notify.txt

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\j4p00e7meh.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

VX2Finder

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---crypt32chain
Keys Under Notify---cryptnet
Keys Under Notify---cscdll
Keys Under Notify---ScCertProp
Keys Under Notify---Schedule
Keys Under Notify---sclgntfy
Keys Under Notify---SensLogn
Keys Under Notify---termsrv
Keys Under Notify---Unimodem
Keys Under Notify---wlballoon


Guardian Key--- is called:

User Agent String---
{38A42928-58EC-4C7A-9B7C-16DD0652C531}
Old 12-23-2004, 08:20 PM   #12
TSF Security Team, Emeritus
 
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,962
OS: Windows 7


Click Start > Run, type in regedit. Navigate to the following key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]

Delete the entry for the j4p00e7meh.dll file and then delete the Unimodem key. Close regedit.

Reboot and check your C:\WINDOWS\system32\ folder for this file, j4p00e7meh.dll, or any other newly created DLLs, and delete them if found. Report back your findings. If nothing is found, your log is clean.
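As an added example (not code from either poster or from any of the tools used in this thread), here is a small Python script that parses a Winlogon\Notify .reg export like the notify.txt above, decodes the hex(2) DllName values, and flags any notification package whose DllName is a full path or is not one of the stock Windows notification DLLs, which is exactly what singles out the Unimodem entry here. The allowlist and the abridged sample export are constructed assumptions.

```python
import re
# Assumed allowlist of Winlogon notification DLLs on a stock XP build
# (the names seen in the notify.txt export above); extend it for other builds.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}
NOTIFY_ROOT = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"

# Constructed sample in .reg format, abridged from the thread's notify.txt export.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]
"DllName"="C:\\WINDOWS\\system32\\j4p00e7meh.dll"
'''

def decode_reg_value(raw):
    """Decode a .reg value: a quoted string, or hex(2) (REG_EXPAND_SZ as UTF-16LE bytes)."""
    if raw.startswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"hex\(2\):(.*)", raw)
    if m:
        data = bytes(int(h, 16) for h in m.group(1).split(",") if h)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # dword:... and other types are left as text

def parse_notify_export(text):
    """Map each package subkey under Notify to its (lower-cased) value names and decoded values."""
    lines = [l.strip() for l in text.splitlines()]
    packages, current, i = {}, None, 0
    while i < len(lines):
        line = lines[i]
        while line.endswith("\\"):          # join .reg continuation lines
            i += 1
            line = line[:-1] + lines[i]
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key[len(NOTIFY_ROOT):] if key.startswith(NOTIFY_ROOT) else None
            if current is not None:
                packages[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            packages[current][name.strip('"').lower()] = decode_reg_value(raw)
        i += 1
    return packages

def suspicious_packages(packages):
    """Flag packages whose DllName is a full path or not a known notification DLL."""
    dlls = {name: v.get("dllname", "") for name, v in packages.items()}
    return {n: d for n, d in dlls.items() if "\\" in d or d.lower() not in KNOWN_NOTIFY_DLLS}
```

Run `suspicious_packages(parse_notify_export(open("notify.txt").read()))` against a real export; a stock XP build should flag nothing, and any package it does flag is the one to inspect and, as above, remove.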
Old 12-24-2004, 04:44 AM   #13
Registered Member
 
Join Date: Dec 2004
Posts: 25
OS: XP


I had seen this dll earlier but I think it was deleted during the earlier clean up. I deleted the entry from the registry that you mentioned and don't see the file in the system32 folder. Thanks very much.
Old 12-24-2004, 08:10 AM   #14
TSF Team Emeritus, Security Team
 
 
Join Date: Aug 2004
Posts: 10,821
OS: Every Windows OS known to man


Can you reboot and give us one more HJT log to be sure it's all done?
Old 12-26-2004, 12:26 AM   #15
Registered Member
 
Join Date: Dec 2004
Posts: 25
OS: XP


Thanks for all your hard work to clean my computer. I hope you had a good Christmas.

I have now run AVG and it always keeps telling me that I have a x????.exe file in

C:\Documents and Settings\buddah\Application Data\

I couldn't see the file until I went to Folder -> Tools -> Folder Options -> View and unchecked "Hide protected operating system files"; then I saw this file, xpyoo.exe, and I am not sure if I should delete it or not. There are two more files:
C:\Documents and Settings\buddah\Application Data\GDIPFONTCACHEV1.DAT
C:\Documents and Settings\buddah\Application Data\desktop.ini

I wanted to know if I can delete these files. AVG says x????.exe is a Trojan horse Downloader Agent 3.AP

Further there are two more files in the following folders:

C:\Documents and Settings\buddah\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar.zip:\jar\archive.jar-2880d2c3-31e3cf97.zip:\BlackBox.class
C:\Documents and Settings\buddah\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar.zip:\jar\archive.jar-2880d2c3-31e3cf97.zip:\winmodem.exe


I don't know if I need this cache folder under Java, so would it make any difference if I delete xpyoo.exe and the cache folder completely now that I can see them?

My log of HJT is:

Logfile of HijackThis v1.99.0
Scan saved at 08:20:43, on 26/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\WINDOWS\notepad.exe
C:\Software\Avant\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O17 - HKLM\System\CCS\Services\Tcpip\..\{F578BDFE-DAA5-42D6-888A-A9F4EC685D57}: NameServer = 195.92.195.95 195.92.195.94

Can I put these last two entries in the Ignore list of HJT, as I don't know what they are?
Old 12-26-2004, 01:53 AM   #16
TSF Security Team, Emeritus
 
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,962
OS: Windows 7


O17 - HKLM\System\CCS\Services\Tcpip\..\{F578BDFE-DAA5-42D6-888A-A9F4EC685D57}: NameServer = 195.92.195.95 195.92.195.94

This entry may be your ISP provider's IP for your PC. Make sure it's NOT associated with your ISP before you remove it.

C:\Documents and Settings\buddah\Application Data\GDIPFONTCACHEV1.DAT <---delete that file. Leave the Desktop.ini file alone as it's legit!!

For your Java issue...

1. From the Start button, click Settings > Control Panel
2. In the Control Panel, open the "Java Plug-in Control Panel"
3. Select the Cache Tab
4. Click the Clear button inside the Cache Tab, which will clear your JRE cache directory.

This should delete those files located in that directory. Use that Cleanup program to clean your temp folders. Update both XP and IE6 as both are outdated and you're NOT protected. Once done, please post an entire HijackThis log.
Old 12-26-2004, 07:54 PM   #17
Registered Member
 
Join Date: Dec 2004
Posts: 25
OS: XP


Quote:
Originally Posted by MicroBell
Update both XP and IE6 as both are outdated and you're NOT protected. Once done, please post an entire HijackThis log.
I have Explorer 6 and XP, so how do I update them? I have deleted the other files and it seems all is clear for the time being.
Old 12-26-2004, 07:56 PM   #18
TSF Team Emeritus, Security Team
 
 
Join Date: Aug 2004
Posts: 10,821
OS: Every Windows OS known to man


Make sure to update Windows and Internet Explorer at https://windowsupdate.microsoft.com.

Post a fresh HJT log!!
 
