Registered · 6 Posts · Discussion Starter · #1
Hey guys, this is my first post on here.

I think I got rid of most of the spyware on my computer with Ad-Aware and Spy Sweeper, but I can't seem to get rid of clkoptimizer. I also notice that every time I reboot, the stuff I deleted just keeps coming back. Well, take a look at the HJT log. All help is greatly appreciated, thanks in advance!

Logfile of HijackThis v1.99.0
Scan saved at 8:38:34 PM, on 1/26/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\D-TOOLS\DAEMON.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\N20050308.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\HHKHGF.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\MIRC\DOWNLOAD\STP\STP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.citi.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [D066UUtility] c:\windows\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ntechin] C:\N20050308.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: hhkhgf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~5\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/wdriver/3rdPartyContent/dnastudios/harrypotter/wtinst.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://tech-a.mhi.aol.com/netagent/objects/custappx2.CAB
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://ky-asuka.ddo.jp:3030/kxhcm10.ocx

--------------------------------------------------

Thanks!
 

Premium Member · 14,311 Posts
Welcome to TSF.

This is not good. Do the fixes first and then post the new log along with the other logs we requested (see below):

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\N20050308.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\HHKHGF.EXE

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Viewpoint

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ntechin] C:\N20050308.EXE
O4 - Startup: hhkhgf.exe
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/...tter/wtinst.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://ky-asuka.ddo.jp:3030/kxhcm10.ocx

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\N20050308.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\HHKHGF.EXE
C:\Program Files\Viewpoint\

Reboot into Normal Mode and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in Normal Mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

Do this now and post them along with the updated HijackThis log in your next post:

Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready. With that said (when ready):

Please download the following programs required for the removal process:

Kill2Me http://www.greyknight17.com/spy/Kill2Me.exe
VX2Finder http://www.greyknight17.com/spy/VX2Finder.exe
Hoster http://www.greyknight17.com/spy/Hoster.exe
CleanUp! http://cleanup.stevengould.org/ or http://www.greyknight17.com/spy/Cleanup.exe
KillBox http://www.greyknight17.com/spy/KillBox.exe
DllCompare http://www.greyknight17.com/spy/DllCompare.exe

Please follow the steps below:

1. Download/run the following uninstallers:

Look2Me Uninstaller http://www.look2me.com/cgi-bin/UnInstaller
IGN Keyword Uninstaller http://www.greyknight17.com/spy/NLNUninstall.zip
ClearSearch Uninstaller http://www.greyknight17.com/spy/ClrSchUninstall.zip

2. Run Kill2Me.

3. Run VX2Finder and click on the Find VX2.BetterInternet button. Click Make Log and post this in the forum.

4. Run DllCompare now and click on the Locate.com button. Wait a few seconds and then click on the Compare button. Let it run, then click on 'Make a log of what was found'. Post that log here. Note: If you are having problems using DllCompare (16 bit ...), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now run DllCompare.

5. Go to C:\WINDOWS\SYSTEM\ and sort the files by date. Look for the most recently created files and post them here. They are usually randomly named DLL files.

We also need a list of files in the following folders:

C:\WINDOWS\Downloaded Program Files\ - for these files, if they just have numbers as the filename, right click on them and go to Properties to see what they are. Post the description for each of those here.
C:\Program Files\Internet Explorer\ - there might be a download folder here. We are looking for any randomly named files. Post anything that looks suspicious.

Post all of the logs in your next post. We need them all to get a fix for this infection.
 

Registered · 6 Posts · Discussion Starter · #3
OK, I got halfway down to the Look2Me uninstaller part. I clicked on it and I guess my IE settings were screwed up somehow; it restricted me from downloading the file. Then I tried changing back to Internet (it was on Restricted) and it didn't do anything. I tried using Firefox but no luck. I finally had to customize the settings of the Restricted Sites zone and it worked, but then it said my IP had already accessed the download page twice and that that was the limit for the day, and that I had to go back tomorrow to download. Shall I proceed without using the Look2Me uninstaller or wait till tomorrow?

All help is much appreciated
 

Registered · 6 Posts
OK, either my computer is really retarded or there is something wrong with the Look2Me uninstaller web site. I still can't get it; it won't let me download it because it says that I have logged in twice with my IP in the same day. It said the same thing yesterday, so I waited a day and it still gives me this BS. I'm gonna go ahead and uninstall everything else, then come back to this.

OK, here are the logs:

===================================================
Log for VX2Finder

Log for VX2.BetterInternet File Finder

Files Found---


User Agent String---
{5A2E13AF-31AD-4DFA-95A6-32F802E5D532}
===================================================
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\mktcp.dll Sat Jan 22 2005 5:31:54p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\mccans32.dll Sat Jan 22 2005 5:31:54p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\pswv220.dll Sat Jan 22 2005 5:31:54p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\wzwizdll.dll Sat Jan 22 2005 5:31:54p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\sldoc401.dll Sat Jan 22 2005 5:31:54p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\hul0404.dll Sat Jan 22 2005 5:31:54p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\cftdll.dll Sat Jan 22 2005 5:31:54p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\mcvci70.dll Sat Jan 22 2005 5:31:54p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\mgls31.dll Sat Jan 22 2005 5:31:54p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\mdrle32.dll Sat Jan 22 2005 5:31:54p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\movbvm50.dll Sat Jan 22 2005 5:31:54p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\stmpax~1.dll Sat Jan 22 2005 5:31:54p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\nbrses.dll Sat Jan 22 2005 5:31:54p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\vhcodec.dll Sat Jan 22 2005 5:31:54p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\plpwave.dll Sat Jan 22 2005 5:31:54p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\rdcrtp.dll Sat Jan 22 2005 5:31:54p ..S.R 222,568 217.35 K
________________________________________________

1,062 items found: 1,062 files (16 H/S), 0 directories.
Total of file sizes: 229,687,943 bytes 219.05 M

--------------------End log---------------------
======================================================
C:\WINDOWS\SYSTEM\ - randomly named DLL files

rmoc3260.dll
pndx5016.dll
pndx5032.dll
pncrt.dll
Cftdll.dll
Hul0404.dll
Mccans32.dll
mcvci70.dll
mdrle32.dll
mgls32.dll
mgls31.dll
mktcp.dll
Movbvm50.dll
nbrses.dll
pccrt.dll
plpwave.dll
pswv220.dll
RDCRTP.dll
Sldoc401.dll
stmpaxctrl.dll
Tzolhelp.dll
wzwizdll.dll

All these files are dated from today back to the 22nd; the next file after these is from last December.
=======================================================
C:\WINDOWS\Downloaded Program Files\

{33363249-0000-0010-8000-00AA00389B71} - the description for this is <unknown>. I'll put the CodeBase since that's the only real value it gives: http://codecs.microsoft.com/codecs/i386/i263_32.cab

CCMPGui Class

ID: {7CF052DE-C74F-421B-B04A-3B3037EF5887}
Description: CCMP Module

CDToolCtrl Class

ID: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D}
Description: CD Tool Module

eshare communications NetAgent Customer ActiveX Control Version 2

ID: {2C8EEB84-6D60-11D4-BD64-0050048A82BF}
description: eshare communications

Java Runtime Environment 1.3.1_02~ status says <damaged> if that means anything
Java Runtime Environment 1.3.1_02~ status says <damaged> if that means anything
MSN Chat Control 4.0
Shockwave Flash Object
Update Class
Yahoo! Audio Conferencing
Yahoo! Pool 2~ status says <damaged> if that means anything
======================================================

C:\Program Files\Internet Explorer

There is no download folder here, so I'll just list the files I think look weird:

Dw15.exe
Hmmapi.dll

I don't know if you wanted me to post suspicious-looking stuff from the subfolders; just let me know if so in the next post.
===================================================

===================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/23/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 4:52:13 PM, on 1/28/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\WWVWUQ.EXE
C:\PROGRAM FILES\MIRC\DOWNLOAD\STP\STP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.citi.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
O4 - HKLM\..\Run: [D066UUtility] c:\windows\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\wwvwuq.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRA~1\AIMTOO~1\AIMBAR.DLL/aimsearch.htm
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://tech-a.mhi.aol.com/netagent/objects/custappx2.CAB


End of KRC HijackThis Analyzer Log.
====================================================================

OK, that's about it. Thanks so much for your help!
 

TSF Team Emeritus, Security Team · 10,822 Posts
Please print out the instructions here (or save them in Notepad) so that you can follow along more easily.

This hijack may take a couple of tries to remove it. If you have any questions during this process, please ask us (just don't restart or shutdown - unless the instructions say so).

1. Run KillBox now.
a) Click on the 'Replace on Reboot' button and check the box that says 'Use Dummy'.
b) Check 'End Explorer Shell While Killing File.'
c) Check 'Unregister .dll Before Deleting' for each file (if it's available).

Copy and paste each of the following (one by one) into the top line and hit the X button for each one (when it asks you if you want to reboot, choose NO for all of them):

c:\recycler\desktop.ini
c:\WINDOWS\system\guard.tmp
C:\WINDOWS\SYSTEM\cftdll.dll
C:\WINDOWS\SYSTEM\hul0404.dll
C:\WINDOWS\SYSTEM\mccans32.dll
C:\WINDOWS\SYSTEM\mcvci70.dll
C:\WINDOWS\SYSTEM\mdrle32.dll
C:\WINDOWS\SYSTEM\mgls31.dll
C:\WINDOWS\SYSTEM\mgls32.dll
C:\WINDOWS\SYSTEM\mktcp.dll
C:\WINDOWS\SYSTEM\movbvm50.dll
C:\WINDOWS\SYSTEM\nbrses.dll
C:\WINDOWS\SYSTEM\pccrt.dll
C:\WINDOWS\SYSTEM\plpwave.dll
C:\WINDOWS\SYSTEM\pncrt.dll
C:\WINDOWS\SYSTEM\pndx5016.dll
C:\WINDOWS\SYSTEM\pndx5032.dll
C:\WINDOWS\SYSTEM\pswv220.dll
C:\WINDOWS\SYSTEM\rdcrtp.dll
C:\WINDOWS\SYSTEM\rmoc3260.dll
C:\WINDOWS\SYSTEM\sldoc401.dll
C:\WINDOWS\SYSTEM\stmpaxctrl.dll
C:\WINDOWS\SYSTEM\Tzolhelp.dll
C:\WINDOWS\SYSTEM\vhcodec.dll
C:\WINDOWS\SYSTEM\wzwizdll.dll
C:\WINDOWS\WWVWUQ.EXE


Delete the following file manually:

Under C:\Program Files\Internet Explorer\ delete: dw15.exe

2. Restart and hit the F8 key (repeatedly until a menu shows up) to enter Safe Mode.

3. Run HijackThis and do a scan. Check and fix the following:

(Any of the O1 hijackers that may have returned.)

O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\wwvwuq.exe

4. Close HijackThis and run Hoster. Click 'Restore Original Hosts' and click OK.

Run CleanUp! program again and clean everything. Say Yes when it asks you to reboot/logoff.

5. Reboot into Normal Mode and run HijackThis. See if the O1 entries are still in HijackThis. If they are still there, go to c:\windows\system\ and sort the files by date. There will/should be two new DLLs.
-- If those O1 entries do return in HijackThis, paste those two files into KillBox (see Step 1 above) and kill them. Just follow through the same procedures (Steps 2-5) as before. Make sure NOT to reboot until you have deleted those two files (otherwise the names will change again).

After that's done (or if you want more help), give us a new set of updated logs (DllCompare, VX2Finder, HijackThis).
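The three patterns this thread turns on, which step 5 above and the DllCompare log in post #4 rely on (a batch of identically sized, identically stamped system/read-only DLLs dropped into C:\WINDOWS\SYSTEM; a HOSTS file pointing several search hostnames at one IP; autostarts launching from the drive root or the Startup folder), as an added detection script written for this thread and not a tool from the thread or from greyknight17. The sample lines are constructed to mimic the thread's logs, and the cluster threshold and the 'search' keyword test are assumptions.

```python
"""Heuristics for the two log formats in this thread: DllCompare listings and
HijackThis O1/O4 lines. Added example; not a tool from the thread or greyknight17.
Thresholds and the 'search' keyword test are assumptions chosen for illustration."""
import re
from collections import defaultdict

# Constructed sample in the DllCompare line format (path, timestamp, attribute
# flags, byte size, human size); the first three mimic the thread's cluster.
SAMPLE_DLLCOMPARE = r"""
C:\WINDOWS\SYSTEM\mktcp.dll Sat Jan 22 2005 5:31:54p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\mccans32.dll Sat Jan 22 2005 5:31:54p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\pswv220.dll Sat Jan 22 2005 5:31:54p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\examplelegit.dll Thu May 11 2000 8:00:00p ....A 51,200 50.00 K
"""
# Constructed HijackThis lines in the shape of the thread's O1/O4 entries.
SAMPLE_HJT = r"""
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [ntechin] C:\N20050308.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - Startup: hhkhgf.exe
"""
DLLCOMPARE_RE = re.compile(
    r"^(?P<path>.+?) (?P<stamp>\w{3} \w{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap]) "
    r"(?P<attrs>[.A-Z]{5}) (?P<size>[\d,]+) \S+ \S$")
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>[\d.]+) (?P<host>\S+)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): (?:\[[^\]]*\] )?(?P<cmd>.+)$")

def parse_dllcompare(text):
    """One dict per file line; headers, separators and totals are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = DLLCOMPARE_RE.match(line.strip())
        if m:
            rows.append({"path": m["path"], "stamp": m["stamp"], "attrs": m["attrs"],
                         "size": int(m["size"].replace(",", ""))})
    return rows

def find_dll_clusters(rows, min_members=3):
    """Group system+read-only DLLs by (size, timestamp). Many identically sized,
    identically stamped DLLs in one folder is what the thread's DllCompare log
    shows (16 files, all 222,568 bytes, all stamped 5:31:54p)."""
    groups = defaultdict(list)
    for r in rows:
        if r["path"].lower().endswith(".dll") and "S" in r["attrs"] and "R" in r["attrs"]:
            groups[(r["size"], r["stamp"])].append(r["path"])
    return {k: v for k, v in groups.items() if len(v) >= min_members}

def hosts_redirects(lines, min_names=2):
    """One IP claiming several search-engine hostnames in HOSTS is a search hijack."""
    by_ip = defaultdict(set)
    for line in lines:
        m = O1_RE.match(line.strip())
        if m and "search" in m["host"].lower():
            by_ip[m["ip"]].add(m["host"])
    return {ip: sorted(h) for ip, h in by_ip.items() if len(h) >= min_names}

def odd_autostarts(lines):
    """Flag Run entries that launch an EXE straight from the drive root, plus any
    Startup-folder entry; installed software normally lives under Program Files
    or Windows (assumed heuristic; it matches the two processes the helper listed to kill)."""
    hits = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            at_root = re.match(r'^"?[a-z]:\\[^\\]+\.exe"?$', m["cmd"].lower())
            if at_root or m["key"] == "Startup":
                hits.append(line.strip())
    return hits

if __name__ == "__main__":
    for (size, stamp), paths in find_dll_clusters(parse_dllcompare(SAMPLE_DLLCOMPARE)).items():
        print(f"{len(paths)} DLLs of {size} bytes all stamped {stamp}: {paths}")
    hjt = SAMPLE_HJT.strip().splitlines()
    print("HOSTS search redirects:", hosts_redirects(hjt))
    print("Suspicious autostarts:", odd_autostarts(hjt))
```

Paste a full DllCompare log or HijackThis log into the two sample strings to run the same checks over real output; a renamed pair of DLLs after reboot (step 5) still shares the size and timestamp and so lands in the same cluster.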
 

Registered · 6 Posts · Discussion Starter · #8 · (Edited)
OK, every time I use KillBox, I get "This program has performed an illegal operation and will be shut down". I tried different files and for each one it gave me an end task error. Maybe I should do this in Safe Mode? BTW, I didn't see any recycler folder; maybe it's C:\recycled??? Thanks

OK, actually C:\WINDOWS\SYSTEM\mgls32.dll doesn't work, and neither do the first two. Sorry 'bout that.
 

TSF Team Emeritus, Security Team · 10,822 Posts
Yes, please do try it in Safe Mode. You can try the Recycled folder for the first file, but I would imagine you won't find that one. Skip it.
 

Registered · 6 Posts · Discussion Starter · #10
OK, I think it's looking good!! :jackson:

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1,062 items found: 1,062 files, 0 directories.
Total of file sizes: 229,465,431 bytes 218.83 M

--------------------End log---------------------

Logfile of HijackThis v1.99.0
Scan saved at 8:15:03 PM, on 1/28/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\D-TOOLS\DAEMON.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.citi.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [D066UUtility] c:\windows\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~5\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &AIM Search - res://C:\PROGRA~1\AIMTOO~1\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://tech-a.mhi.aol.com/netagent/objects/custappx2.CAB
=====================================================
Log for VX2.BetterInternet File Finder

Files Found---


User Agent String---
{5A2E13AF-31AD-4DFA-95A6-32F802E5D532}
=====================================================

There were no O1 hijackers that I had to fix, just to let you know.
 

TSF Team Emeritus, Security Team · 10,822 Posts
Your log is clean!! If you disabled System Restore, make sure to enable it now.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided.

Are there any problems now? If not, you should be set to go.

:wave:
 