Archived

This topic is now archived and is closed to further replies.

Signman

[solved] Popups Galore

Can someone have a look at my boss's computer log please and advise? We have already run and fixed spyware.

 

Logfile of HijackThis v1.99.0

Scan saved at 11:29:37 AM, on 12/31/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE

C:\WINNT\System32\svchost.exe

C:\FOLDER~1\FGJR.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb08.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe

C:\WINNT\system32\wvwwku.exe

C:\Program Files\Netropa\Onscreen Display\OSD.exe

C:\Program Files\SED\SED.exe

C:\WINNT\system32\ctfmon.exe

C:\Program Files\Simply Transparent 7\SimplyTransparent.exe

C:\Program Files\AdDestroyer\AdDestroyer.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINNT\system32\rundll32.exe

C:\Junk\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usatoday.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php

O1 - Hosts: 69.20.16.183 ieautosearch

O1 - Hosts: 69.20.16.183 auto.search.msn.com

O1 - Hosts: 69.20.16.183 search.netscape.com

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb08.exe

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [iE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB

O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvskt32.exe

O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe

O4 - HKLM\..\Run: [sESync] "C:\Program Files\SED\SED.exe"

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - Startup: Simply Transparent.lnk = C:\Program Files\Simply Transparent 7\SimplyTransparent.exe

O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &WordWeb... - res://C:\WINNT\wweb32.dll/lookup.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll

O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll

O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll

O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll

O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll

O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll

O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll

O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll

O12 - Plugin for .asx: C:\WINNT\QFNONL\Nscape32\Program\PLUGINS\npdsplay.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Wallingdistributing.com

O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE

O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: FGJR - WinAbility® - C:\FOLDER~1\FGJR.EXE

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Download LSPfix from here

On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "aklsp.dll" and "calsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.

 

Scan with HijackThis and tick the boxes next to all the following entries, then close all browser and Explorer windows, and hit the "Fix checked" button.

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php

 

O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvskt32.exe

O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe

O4 - HKLM\..\Run: [sESync] "C:\Program Files\SED\SED.exe"

O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe

 

O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab

 

Reboot into safe mode following the instructions here and navigate to and delete the following if found:

 

C:\winnt\system32\kalvskt32.exe<----file

 

C:\PROGRA~1\VBOUNCER<----folder

C:\Program Files\SED<----folder

C:\Program Files\AdDestroyer<----folder

 

Reboot normally.

 

Download and run VX2Finder(.exe).

http://www.downloads.subratam.org/VX2Finder.exe

 

Open the program and click the 'Click to Find VX2.aBetterInternet' button. This will attempt to find all VX2-related files and registry keys and, when present, display them in its logfile. To create a logfile, click the button named 'Make Log'. This will open the logfile in Notepad. Please copy/paste the results and post them in this topic.

 

Download these two tools:

 

http://www.downloads.subratam.org/DllCompare.exe

&

http://www.downloads.subratam.org/KillBox.exe

 

Run DllCompare by clicking "Run Locate.com", then click the Compare button. When done, post that log here. Do not reboot, because all the filenames will change otherwise.

 

Go here and download FindIt.zip to your Desktop, unzip it, open the FindIt folder and double-click find.bat. Let it run (please be patient, it will take a few minutes); when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.


OK, here is the VX2 Finder log...

 

Log for VX2.BetterInternet File Finder (ALL)

 

Files Found---

 

Additional Files---

 

Keys Under Notify---

AdminDebug

crypt32chain

cryptnet

cscdll

sclgntfy

SensLogn

wzcnotif

 

 

Guardian Key--- is called:

 

Guardian Key--- :

 

User Agent String---

{9C5492EA-AE3F-4154-87D2-27D2C86CB773}

 

 

DLL Compare log.....

* DLLCompare Log version(1.0.0.127)

Files Found that Windows does not See or cannot Access

*Not everything listed here means you are infected!

________________________________________________

 

C:\WINNT\SYSTEM32\mvpml9~1.dll Fri Dec 31 2004 11:15:14a ..S.R 224,256 219.00 K

C:\WINNT\SYSTEM32\i8loli~1.dll Fri Dec 31 2004 11:39:28a ..S.R 223,677 218.43 K

C:\WINNT\SYSTEM32\p8r40i~1.dll Fri Dec 31 2004 2:05:22p ..S.R 223,677 218.43 K

________________________________________________

 

1,438 items found: 1,438 files (3 H/S), 0 directories.

Total of file sizes: 292,185,821 bytes 278.65 M

 

Administrator Account = True

 

AppInit_DLLs value = NVDESK32.DLL (not hidden)

--------------------End log---------------------

 

 

Find It Log........

Warning! This utility will find legitimate files in addition to malware.

Do not remove anything unless you are sure you know what you're doing.

 

Find.bat is running from: C:\Documents and Settings\administrator\Desktop\Utilities\KillBox\FindIt\Find It NT-2K-XP

 

------- System Files in System32 Directory -------

Volume in drive C has no label.

Volume Serial Number is 07D1-0B10

 

Directory of C:\WINNT\System32

 

12/31/2004 02:05p 223,677 p8r40i9qe8.dll

12/31/2004 11:39a 223,677 i8loli3318.dll

12/31/2004 11:15a 224,256 mvpml9711.dll

12/13/2001 02:12p <DIR> dllcache

3 File(s) 671,610 bytes

1 Dir(s) 28,894,396,416 bytes free

 

------- Hidden Files in System32 Directory -------

 

Volume in drive C has no label.

Volume Serial Number is 07D1-0B10

 

Directory of C:\WINNT\System32

 

09/17/2003 09:46a 1,893,648 kyf.dat

12/13/2001 02:31p <DIR> GroupPolicy

12/13/2001 02:26p 271 desktop.ini

12/13/2001 02:26p 21,692 folder.htt

12/13/2001 02:12p <DIR> dllcache

12/07/2000 04:51p 51,200 PackethSvc.exe

4 File(s) 1,966,811 bytes

2 Dir(s) 28,894,363,648 bytes free

 

---------- Files Named "Guard" -------------

 

Volume in drive C has no label.

Volume Serial Number is 07D1-0B10

 

Directory of C:\WINNT\System32

 

12/31/2004 02:10p 223,677 guard.tmp

1 File(s) 223,677 bytes

0 Dir(s) 28,894,330,880 bytes free

 

--------- Temp Files in System32 Directory --------

 

Volume in drive C has no label.

Volume Serial Number is 07D1-0B10

 

Directory of C:\WINNT\System32

 

12/31/2004 02:10p 223,677 guard.tmp

1 File(s) 223,677 bytes

0 Dir(s) 28,894,298,112 bytes free

 

---------------- User Agent ------------

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"{9C5492EA-AE3F-4154-87D2-27D2C86CB773}"=""

 

 

------------ Keys Under Notify ------------

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AdminDebug]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINNT\\system32\\i8loli3318.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]

"DLLName"="wzcdlg.dll"

"Logon"="WZCEventLogon"

"Logoff"="WZCEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000000

 

 

------------------ Locate.com Results ------------------

 

C:\WINNT\SYSTEM32\

mvpml9~1.dll Fri Dec 31 2004 11:15:14a ..S.R 224,256 219.00 K

i8loli~1.dll Fri Dec 31 2004 11:39:28a ..S.R 223,677 218.43 K

p8r40i~1.dll Fri Dec 31 2004 2:05:22p ..S.R 223,677 218.43 K

 

3 items found: 3 files, 0 directories.

Total of file sizes: 671,610 bytes 655.87 K

 

------------ Strings.exe Qoologic Results ------------

 

C:\WINNT\system32\eieeap.dll: updates.qoologic.com

C:\WINNT\system32\hlhhqu.exe: updates.qoologic.com

C:\WINNT\system32\clccpu.dll: updates.qoologic.com

 

-------------- Strings.exe Aspack Results -------------

 

C:\WINNT\system32\pwppvu.dat: .aspack

C:\WINNT\system32\wvwwku.exe: .aspack

C:\WINNT\system32\NSOID3.dll: .aspack

C:\WINNT\system32\jesterss.dll: .aspack

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hkhhng.exe: .aspack

 

----------------- HKLM Run Key ------------------

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Synchronization Manager"="mobsync.exe /logon"

"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"

"MULTIMEDIA KEYBOARD"="C:\\Program Files\\Netropa\\Multimedia Keyboard\\MMKeybd.exe"

"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"

"nwiz"="nwiz.exe /install"

"HPDJ Taskbar Utility"="C:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\hpztsb08.exe"

"PestPatrol Control Center"="C:\\PROGRA~1\\PESTPA~1\\PPControl.exe"

"PPMemCheck"="C:\\PROGRA~1\\PESTPA~1\\PPMemCheck.exe"

"CookiePatrol"="C:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"

"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"

"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"

"IE Menu Extension toolbar"="rundll32.exe \"C:\\PROGRA~1\\IEMENU~1\\tbextn.dll\" DllShowTB"

"Narrator"="C:\\WINNT\\system32\\wvwwku.exe"

"kalvsys"="C:\\winnt\\system32\\kalvskt32.exe"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"

 

 


Might take a few posts to rid you of this, but stick with it :).

 

Stay offline when doing the following fix.

 

Open killbox and paste in C:\WINNT\SYSTEM32\mvpml9~1.dll

 

With the full path to the file name in the topmost textbox, click the option *replace on reboot* and *Use Dummy* which will create a numbered dummy file instantly for you.

 

Click the Red X, and for the confirmation message that will appear, you will need to click Yes.

A second message will ask "Reboot now?"; you will need to click No (since you are not finished adding all related files yet).

 

Repeat the above for each of these:

 

C:\WINNT\SYSTEM32\i8loli~1.dll

C:\WINNT\SYSTEM32\p8r40i~1.dll

C:\WINNT\System32\Guard.tmp

 

On that last file, close all programs and Reboot your computer.

 

Post another log from dllcompare please.
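The "Keys Under Notify" section of the FindIt log above shows how this infection re-armed itself: a Winlogon notification package (AdminDebug, with a second one appearing in the later log) whose DllName points at a randomly named DLL in system32, while the legitimate packages name a bare DLL. As an added example, not part of this thread or of FindIt/HijackThis, the parser below reads that REGEDIT4 export, decodes the hex(2) values, and flags packages whose DLL carries a directory path or is outside a baseline set; the baseline set and the abbreviated sample input (values copied from the log above) are assumptions for this example.

```python
"""Flag off-baseline Winlogon\\Notify packages in a REGEDIT4 export (added example)."""
import re

# Baseline notification DLLs for Windows 2000 SP4. This set is an assumption
# for the example, built from the legitimate packages in the thread's own
# logs (crypt32chain, cryptnet, cscdll, sclgntfy, SensLogn, wzcnotif).
BASELINE_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll",
}

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def decode_value(data: str) -> str:
    """Decode one REGEDIT4 value: "string", dword:hex, or hex(2):bytes."""
    if data.startswith('"') and data.endswith('"'):
        # REGEDIT4 escapes backslashes and double quotes with a backslash.
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if data.startswith("dword:"):
        return str(int(data[len("dword:"):], 16))
    m = re.match(r"^hex(?:\(\d+\))?:(.*)$", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        # hex(2) is REG_EXPAND_SZ: NUL-terminated text, ANSI in these exports.
        return raw.split(b"\x00", 1)[0].decode("latin-1")
    return data


def parse_regedit4(text: str) -> dict:
    """Return {key_path: {value_name: decoded_data}} for a REGEDIT4 export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group("name")] = decode_value(vm.group("data"))
    return keys


def suspicious_notify_packages(text: str) -> list:
    """Return (package, dll) pairs under Winlogon\\Notify worth a closer look.

    A package is flagged when its DllName carries a directory path (legitimate
    packages name a bare DLL resolved from system32) or when the file name is
    not in the baseline set.
    """
    findings = []
    for key, values in parse_regedit4(text).items():
        if "\\winlogon\\notify\\" not in key.lower():
            continue  # parent key or unrelated export section
        package = key.rsplit("\\", 1)[1]
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            continue
        basename = dll.rsplit("\\", 1)[-1].lower()
        if "\\" in dll or basename not in BASELINE_NOTIFY_DLLS:
            findings.append((package, dll))
    return findings


# Sample input: the AdminDebug entry and two legitimate packages, copied from
# the FindIt log in this thread (abbreviated to the values the check uses).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AdminDebug]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\i8loli3318.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"""

if __name__ == "__main__":
    for package, dll in suspicious_notify_packages(SAMPLE_EXPORT):
        print(f"off-baseline Notify package {package}: {dll}")
```

Run against the full "Keys Under Notify" section of a FindIt output, it reports AdminDebug here and would report ExtShellViews from the later log, while the six baseline packages stay quiet.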


Thanks Crunchie, will do this first thing Tuesday morning when we go back to work from holiday. Happy New Year!


Happy new year to you too :).

 

It is very important that the PC not be shut down or the file names will change. If you have rebooted you will have to post another dllcompare log etc. Basically, the same again :).


OK Crunchie, we're attempting to follow your directions, but I don't quite understand what you are asking me to do.

Open killbox and paste in C:\WINNT\SYSTEM32\mvpml9~1.dll

 

 

Do I copy this file from this forum reply and paste it into Killbox or do I search the hard drive and find it, or can I just type it in? I have already looked and this file is not on the hard drive. Waiting for your reply. :blink:


My latest DLL Compare log........

 

 

* DLLCompare Log version(1.0.0.127)

Files Found that Windows does not See or cannot Access

*Not everything listed here means you are infected!

________________________________________________

 

O^E says: "There were no files found :)"

________________________________________________

 

1,437 items found: 1,437 files, 0 directories.

Total of file sizes: 291,290,702 bytes 277.79 M

 

Administrator Account = True

 

AppInit_DLLs value = NVDESK32.DLL (not hidden)

--------------------End log---------------------


Cool. Now we need to get rid of the qoologic trojan.

Run Pocket Killbox again and click on Tools > Hosts File and when the file opens in Notepad, remove the below lines:

 

O1 - Hosts: 69.20.16.183 auto.search.msn.com

O1 - Hosts: 69.20.16.183 search.netscape.com

O1 - Hosts: 69.20.16.183 ieautosearch

 

Save your changes and close the Notepad file.

 

Next paste the full file path of each of the below files in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter each file (see the files below).

 

C:\WINNT\system32\eieeap.dll

C:\WINNT\system32\hlhhqu.exe

C:\WINNT\system32\clccpu.dll

C:\WINNT\system32\pwppvu.dat

C:\WINNT\system32\wvwwku.exe

C:\WINNT\system32\NSOID3.dll

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hkhhng.exe

 

Reboot afterwards if the files are successfully deleted.

 

If all files are not deleted, do not reboot yet. Run Pocket Killbox again and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File will be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot only after the last file you enter.

 

Please post another FindIt log. Go here and download and run Silent Runners.vbs. It generates a log; please post the information back in this thread.


Thanks for your patience, Crunchie! Here is the latest FindIt log...

Warning! This utility will find legitimate files in addition to malware.

Do not remove anything unless you are sure you know what you're doing.

 

Find.bat is running from: C:\Documents and Settings\administrator\Desktop\Utilities\Find It\Find It NT-2K-XP

 

------- System Files in System32 Directory -------

Volume in drive C has no label.

Volume Serial Number is 07D1-0B10

 

Directory of C:\WINNT\System32

 

12/13/2001 02:12p <DIR> dllcache

0 File(s) 0 bytes

1 Dir(s) 28,882,796,544 bytes free

 

------- Hidden Files in System32 Directory -------

 

Volume in drive C has no label.

Volume Serial Number is 07D1-0B10

 

Directory of C:\WINNT\System32

 

09/17/2003 09:46a 1,893,648 kyf.dat

12/13/2001 02:31p <DIR> GroupPolicy

12/13/2001 02:26p 271 desktop.ini

12/13/2001 02:26p 21,692 folder.htt

12/13/2001 02:12p <DIR> dllcache

12/07/2000 04:51p 51,200 PackethSvc.exe

4 File(s) 1,966,811 bytes

2 Dir(s) 28,882,763,776 bytes free

 

---------- Files Named "Guard" -------------

 

Volume in drive C has no label.

Volume Serial Number is 07D1-0B10

 

Directory of C:\WINNT\System32

 

01/05/2005 11:10a 56 Guard.tmp

1 File(s) 56 bytes

0 Dir(s) 28,882,731,008 bytes free

 

--------- Temp Files in System32 Directory --------

 

Volume in drive C has no label.

Volume Serial Number is 07D1-0B10

 

Directory of C:\WINNT\System32

 

01/05/2005 11:10a 56 Guard.tmp

1 File(s) 56 bytes

0 Dir(s) 28,882,698,240 bytes free

 

---------------- User Agent ------------

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"{9C5492EA-AE3F-4154-87D2-27D2C86CB773}"=""

 

 

------------ Keys Under Notify ------------

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExtShellViews]

"Asynchronous"=dword:00000000

"DllName"="C:\\WINNT\\system32\\p8r40i9qe8.dll"

"Impersonate"=dword:00000000

"Logon"="WinLogon"

"Logoff"="WinLogoff"

"Shutdown"="WinShutdown"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]

"DLLName"="wzcdlg.dll"

"Logon"="WZCEventLogon"

"Logoff"="WZCEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000000

 

 

------------------ Locate.com Results ------------------

 

No matches found.

 

------------ Strings.exe Qoologic Results ------------

 

C:\WINNT\system32\hlhhqu.exe: updates.qoologic.com

C:\WINNT\system32\eieeap.dll: updates.qoologic.com

C:\WINNT\system32\clccpu.dll: updates.qoologic.com

 

-------------- Strings.exe Aspack Results -------------

 

C:\WINNT\system32\pwppvu.dat: .aspack

C:\WINNT\system32\wvwwku.exe: .aspack

C:\WINNT\system32\jesterss.dll: .aspack

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hkhhng.exe: .aspack

 

----------------- HKLM Run Key ------------------

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Synchronization Manager"="mobsync.exe /logon"

"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"

"MULTIMEDIA KEYBOARD"="C:\\Program Files\\Netropa\\Multimedia Keyboard\\MMKeybd.exe"

"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"

"nwiz"="nwiz.exe /install"

"HPDJ Taskbar Utility"="C:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\hpztsb08.exe"

"PestPatrol Control Center"="C:\\PROGRA~1\\PESTPA~1\\PPControl.exe"

"PPMemCheck"="C:\\PROGRA~1\\PESTPA~1\\PPMemCheck.exe"

"CookiePatrol"="C:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"

"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"

"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"

"IE Menu Extension toolbar"="rundll32.exe \"C:\\PROGRA~1\\IEMENU~1\\tbextn.dll\" DllShowTB"

"Narrator"="C:\\WINNT\\system32\\wvwwku.exe"

"kalvsys"="C:\\winnt\\system32\\kalvskt32.exe"

"AutoLoaderAproposClient"="\"C:\\WINNT\\system32\\Cxtpls_loader.exe\" /HideUninstall /HideDir /PC=CP.BIG /ShowLegalNote=nonbranded"

"p4mW37i"="pcpml4r.exe"

"AutoUpdater"="\"C:\\Program Files\\AutoUpdate\\AutoUpdate.exe\""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"

 

 

 

Results of Silent Runners..

"Silent Runners.vbs", revision 29, launched at: 10:25

Output limited to non-default values, except where indicated by "{++}"

Operating System: Windows 2000

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "ctfmon.exe" [MS]

"Y356RXG6W" = "paupmsg.exe" [null data]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Synchronization Manager" = "mobsync.exe /logon" [MS]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup" [MS]

"MULTIMEDIA KEYBOARD" = "C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" ["Netropa Corp."]

"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"HPDJ Taskbar Utility" = "C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb08.exe" ["HP"]

"PestPatrol Control Center" = "C:\PROGRA~1\PESTPA~1\PPControl.exe" [null data]

"PPMemCheck" = "C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [null data]

"CookiePatrol" = "C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [null data]

"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]

"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]

"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]

"IE Menu Extension toolbar" = "rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB" [MS]

"Narrator" = "C:\WINNT\system32\wvwwku.exe" [null data]

"kalvsys" = "C:\winnt\system32\kalvskt32.exe" [file not found]

"AutoLoaderAproposClient" = ""C:\WINNT\system32\Cxtpls_loader.exe" /HideUninstall /HideDir /PC=CP.BIG /ShowLegalNote=nonbranded" [file not found]

"p4mW37i" = "pcpml4r.exe" [null data]

"AutoUpdater" = ""C:\Program Files\AutoUpdate\AutoUpdate.exe"" [null data]

 

HKLM\Software\Microsoft\Active Setup\Installed Components\

"1e38c92b-c442-4990-b3c1-55610712025d\(Default)" = (no title provided)

\StubPath = "C:\WINNT\system32\hlhhqu.exe" [null data]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"

-> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"

-> CLSID InProcServer32 resolves to: "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> CLSID InProcServer32 resolves to: "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"

-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{0A082D00-EC93-11D0-B1E6-80580BC10627}" = "Corel Media Folder Root Menu Handler"

-> CLSID InProcServer32 resolves to: "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]

"{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}" = "Folder To Corel Media Folder Menu Handler"

-> CLSID InProcServer32 resolves to: "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]

"{854AF161-1AE1-11D1-AB9B-00C0F00683EB}" = "Corel Media Folder"

-> CLSID InProcServer32 resolves to: "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]

"{E856F161-1AE5-11d1-AB9B-00C0F00683EB}" = "Corel Media Folder"

-> CLSID InProcServer32 resolves to: "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]

"{CDB89701-262F-11D1-AB9C-00C0F00683EB}" = "Corel Media Find Folder"

-> CLSID InProcServer32 resolves to: "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]

"{F8152501-455F-11D1-B1E6-444553540000}" = "Corel Media Folder Copy Hook Handler"

-> CLSID InProcServer32 resolves to: "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]

"{8E524B0D-04F0-11D1-B74A-00A0C90646A4}" = "IconFactTemp.NSIconHandlerFactory"

-> CLSID InProcServer32 resolves to: "C:\Corel\Graphics8\programs\CNSFlt80.dll" ["Corel Corporation"]

"{A2AC368A-F883-11D0-B745-00A0C90646A4}" = "NSFiltManDll.FiltManCom"

-> CLSID InProcServer32 resolves to: "C:\Corel\Graphics8\programs\CNSFlt80.dll" ["Corel Corporation"]

"{B63FCD5A-2396-11D1-B762-00A0C90646A4}" = (no title provided)

-> CLSID InProcServer32 resolves to: "C:\Corel\Graphics8\programs\CMFFnd80.dll" ["Corel Corporation"]

"{661825E5-B9A4-4D3E-8B74-3B6B63C32A80}" = "Shell Extensions for The Font Creator Program"

-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\HIGH-L~1\FONTCR~1\FCPSHL.dll" [file not found]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> CLSID InProcServer32 resolves to: "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> CLSID InProcServer32 resolves to: "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

-> CLSID InProcServer32 resolves to: "C:\Program Files\Real\RealPlayer\rpplugins\ierpplug.dll" ["RealNetworks"]

"{42083C14-9CBF-4FA7-AE0F-8B642862644F}" = (no title provided)

-> CLSID InProcServer32 resolves to: "C:\WINNT\system32\msdemui.dll" [file not found]

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

INFECTION WARNING! "AppInit_DLLs" = "NVDESK32.DLL" [file not found]

 

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! "ExtShellViews\DLLName" = "C:\WINNT\system32\p8r40i9qe8.dll" [file not found]

 

 

Startup items in "Administrator" & "All Users" startup folders:

---------------------------------------------------------------

 

C:\Documents and Settings\administrator\Start Menu\Programs\Startup

"Simply Transparent" -> shortcut to: "C:\Program Files\Simply Transparent 7\SimplyTransparent.exe" ["JonathanGrimes"]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

"strings.exe" [null data]

 

 

Enabled Scheduled Tasks:

------------------------

 

"Norton AntiVirus - Scan my computer - Administrator" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE" ["America Online, Inc."]

FGJR, FGJR, "C:\FOLDER~1\FGJR.EXE" ["WinAbility®"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]

Netropa NHK Server, nhksrv, "C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe" [null data]

Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]

Norton AntiVirus Firewall Monitor Service, NPFMntor, "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe" ["Symantec Corporation"]

NVIDIA Display Driver Service, NVSvc, "C:\WINNT\system32\nvsvc32.exe" ["NVIDIA Corporation"]

Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]

Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]

Symantec Network Drivers Service, SNDSrvc, "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]

Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]

Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]

 

 

----------

This report excludes default entries except where indicated.

To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

----------

Waiting for your reply.


It's being stubborn.

 

Run Pocket Killbox again and paste the full file path of each of the below files in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter each file (see the files below).

 

C:\WINNT\System32\Guard.tmp

C:\WINNT\system32\hlhhqu.exe

C:\WINNT\system32\eieeap.dll

C:\WINNT\system32\clccpu.dll

C:\WINNT\system32\pwppvu.dat

C:\WINNT\system32\wvwwku.exe

C:\WINNT\system32\Cxtpls_loader.exe

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\hkhhng.exe

 

Reboot afterwards if the files are successfully deleted.

 

If all files are not deleted, do not reboot yet. Run Pocket Killbox again and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot only after the last file you enter.

 

Once rebooted, open Killbox again and copy & paste the path to the Desktop.ini for the recycle bin,

i.e.:

 

C:\RECYCLER\Desktop.ini

 

Click Red X to delete it.

 

Also paste in C:\Windows\System32\Guard.tmp again and click the red X to delete that.

 

Run VX2Finder and click the *Click to find etc* button. Then hit the *restore policy* button and follow the prompts. Click the *UserAgent$* button and follow the prompts. Exit the program.

 

Open regedit and go to *HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify* and delete the *ExtShellViews* sub-key.

NOTE: Please back up the *notify* key by exporting it to a safe location. Call it notify.reg.


OK, followed your directions.

Killbox says that C:\WINNT\system32\Cxtpls_loader.exe,

 

C:\Windows\System32\Guard.tmp,

C:\RECYCLER\Desktop.ini

do not seem to exist. Do I need to run another scan to verify?


New FindIt log:

 

 

Warning! This utility will find legitimate files in addition to malware.

Do not remove anything unless you are sure you know what you're doing.

 

Find.bat is running from: C:\Documents and Settings\administrator\Desktop\Utilities\Find It\Find It NT-2K-XP

 

------- System Files in System32 Directory -------

Volume in drive C has no label.

Volume Serial Number is 07D1-0B10

 

Directory of C:\WINNT\System32

 

12/13/2001 02:12p <DIR> dllcache

0 File(s) 0 bytes

1 Dir(s) 28,860,121,088 bytes free

 

------- Hidden Files in System32 Directory -------

 

Volume in drive C has no label.

Volume Serial Number is 07D1-0B10

 

Directory of C:\WINNT\System32

 

09/17/2003 09:46a 1,893,648 kyf.dat

12/13/2001 02:31p <DIR> GroupPolicy

12/13/2001 02:26p 271 desktop.ini

12/13/2001 02:26p 21,692 folder.htt

12/13/2001 02:12p <DIR> dllcache

12/07/2000 04:51p 51,200 PackethSvc.exe

4 File(s) 1,966,811 bytes

2 Dir(s) 28,860,088,320 bytes free

 

---------- Files Named "Guard" -------------

 

Volume in drive C has no label.

Volume Serial Number is 07D1-0B10

 

Directory of C:\WINNT\System32

 

 

--------- Temp Files in System32 Directory --------

 

Volume in drive C has no label.

Volume Serial Number is 07D1-0B10

 

Directory of C:\WINNT\System32

 

 

---------------- User Agent ------------

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

------------ Keys Under Notify ------------

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

"Logoff"="ChainWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00

"Logoff"="CryptnetWlxLogoffEvent"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]

"DLLName"="wzcdlg.dll"

"Logon"="WZCEventLogon"

"Logoff"="WZCEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000000

 

 

------------------ Locate.com Results ------------------

 

No matches found.

 

------------ Strings.exe Qoologic Results ------------

 

 

-------------- Strings.exe Aspack Results -------------

 

C:\WINNT\system32\jesterss.dll: .aspack

 

----------------- HKLM Run Key ------------------

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Synchronization Manager"="mobsync.exe /logon"

"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"

"MULTIMEDIA KEYBOARD"="C:\\Program Files\\Netropa\\Multimedia Keyboard\\MMKeybd.exe"

"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"

"nwiz"="nwiz.exe /install"

"HPDJ Taskbar Utility"="C:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\hpztsb08.exe"

"PestPatrol Control Center"="C:\\PROGRA~1\\PESTPA~1\\PPControl.exe"

"PPMemCheck"="C:\\PROGRA~1\\PESTPA~1\\PPMemCheck.exe"

"CookiePatrol"="C:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"

"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"

"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"

"IE Menu Extension toolbar"="rundll32.exe \"C:\\PROGRA~1\\IEMENU~1\\tbextn.dll\" DllShowTB"

"Narrator"="C:\\WINNT\\system32\\wvwwku.exe"

"kalvsys"="C:\\winnt\\system32\\kalvskt32.exe"

"AutoLoaderAproposClient"="\"C:\\WINNT\\system32\\Cxtpls_loader.exe\" /HideUninstall /HideDir /PC=CP.BIG /ShowLegalNote=nonbranded"

"p4mW37i"="pcpml4r.exe"

"AutoUpdater"="\"C:\\Program Files\\AutoUpdate\\AutoUpdate.exe\""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"
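The "Keys Under Notify" section of the FindIt log above is a plain REGEDIT4 export, and the earlier Silent Runners output flagged an ExtShellViews entry under that same key whose DLL did not exist on disk. The Python below is an added example, not part of this thread nor of FindIt or Silent Runners: it parses such an export (including hex(2) values and backslash-continued lines), lists which DLL each Winlogon notification package would load, and flags the ones whose file is missing. The sample export, the stand-in System32 listing and all function names are constructed for the example.

```python
# Added example (not from the thread, FindIt or Silent Runners): decode a REGEDIT4
# export of HKLM\...\Winlogon\Notify and flag packages whose DLL is not on disk.
# Winlogon loads every DllName listed there at logon; a missing file deserves a look.
import ntpath
import re

# Constructed sample: two default Windows 2000 entries plus the ExtShellViews
# entry that Silent Runners reported as [file not found] earlier in the thread.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExtShellViews]
"DLLName"=hex(2):43,3a,5c,57,49,4e,4e,54,5c,73,79,73,74,65,6d,33,32,5c,\
  70,38,72,34,30,69,39,71,65,38,2e,64,6c,6c,00
"Logon"="WinlogonLogonEvent"
"""

def _unescape(s):
    # In .reg strings a backslash protects the next character (\\ and \").
    return re.sub(r"\\(.)", r"\1", s)

def _decode_value(raw):
    """Decode one REGEDIT4 value: "text", dword:hex or hex(type):byte,byte,..."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        return raw
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    # hex(1) is REG_SZ and hex(2) REG_EXPAND_SZ; REGEDIT4 writes them as
    # NUL-terminated ANSI bytes (the v5 format would use UTF-16LE instead).
    if m.group(1) in ("1", "2"):
        return data.decode("cp1252").rstrip("\x00")
    return data

def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_value}} for a REGEDIT4 export."""
    if not text.lstrip().startswith("REGEDIT4"):
        raise ValueError("expected a REGEDIT4 export")
    # A trailing backslash continues a value on the next (indented) line.
    folded = re.sub(r"\\\r?\n[ \t]*", "", text)
    keys, current = {}, None
    for line in folded.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _decode_value(m.group(2))
    return keys

def notify_dlls(keys):
    """Map each Winlogon\\Notify subkey to the DLL it loads. The value name is
    matched case-insensitively, as the registry itself does."""
    dlls = {}
    for path, values in keys.items():
        if "\\winlogon\\notify\\" not in path.lower():
            continue
        for name, value in values.items():
            if name.lower() == "dllname" and isinstance(value, str):
                dlls[path.rsplit("\\", 1)[-1]] = value
    return dlls

def flag_missing(dlls, exists, system32=r"C:\WINNT\system32"):
    """Return the subkeys whose DLL does not exist. Bare names are resolved
    against system32, where Winlogon would look for them; `exists` is a
    path -> bool callable (os.path.exists on the machine being examined)."""
    missing = []
    for subkey, dll in dlls.items():
        path = dll if "\\" in dll else ntpath.join(system32, dll)
        if not exists(path):
            missing.append(subkey)
    return sorted(missing)

# Constructed stand-in for a System32 directory listing so this runs offline.
_PRESENT = {"crypt32.dll", "cscdll.dll"}

def demo_exists(path):
    return ntpath.basename(path).lower() in _PRESENT

if __name__ == "__main__":
    found = notify_dlls(parse_reg_export(SAMPLE_EXPORT))
    print(found, "missing:", flag_missing(found, demo_exists))  # -> ['ExtShellViews']
```

On the machine being examined, pass `os.path.exists` as `exists` and the text of an actual `regedit /e` export of the Notify key; on Windows 2000 the default packages are the ones FindIt listed above, so anything else the script reports is worth checking by hand.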

 

 


There are just a couple of things that can be fixed with HijackThis now. If you can post the log, then I reckon you will be done :). The Qoologic trojan has gone now.


Thanks Crunchie. Our new HijackThis log:

Logfile of HijackThis v1.99.0

Scan saved at 8:45:17 AM, on 1/10/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE

C:\WINNT\System32\svchost.exe

C:\FOLDER~1\FGJR.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb08.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINNT\system32\pcpml4r.exe

C:\Program Files\AutoUpdate\AutoUpdate.exe

C:\WINNT\system32\ctfmon.exe

C:\WINNT\system32\paupmsg.exe

C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe

C:\Program Files\Netropa\Onscreen Display\OSD.exe

C:\Program Files\Simply Transparent 7\SimplyTransparent.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINNT\system32\svchost.exe

C:\Documents and Settings\administrator\Desktop\Utilities\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usatoday.com/

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb08.exe

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [iE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB

O4 - HKLM\..\Run: [Narrator] C:\WINNT\system32\wvwwku.exe

O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvskt32.exe

O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINNT\system32\Cxtpls_loader.exe" /HideUninstall /HideDir /PC=CP.BIG /ShowLegalNote=nonbranded

O4 - HKLM\..\Run: [p4mW37i] pcpml4r.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [Y356RXG6W] paupmsg.exe

O4 - Startup: Simply Transparent.lnk = C:\Program Files\Simply Transparent 7\SimplyTransparent.exe

O4 - Global Startup: strings.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &WordWeb... - res://C:\WINNT\wweb32.dll/lookup.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O12 - Plugin for .asx: C:\WINNT\QFNONL\Nscape32\Program\PLUGINS\npdsplay.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Wallingdistributing.com

O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE

O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: FGJR - WinAbility® - C:\FOLDER~1\FGJR.EXE

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

 

O4 - HKLM\..\Run: [iE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB

O4 - HKLM\..\Run: [Narrator] C:\WINNT\system32\wvwwku.exe

O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvskt32.exe

O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINNT\system32\Cxtpls_loader.exe" /HideUninstall /HideDir /PC=CP.BIG /ShowLegalNote=nonbranded

O4 - HKLM\..\Run: [p4mW37i] pcpml4r.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKCU\..\Run: [Y356RXG6W] paupmsg.exe

 

Reboot into safe mode following the instructions here and navigate to and delete the following if found:

 

C:\PROGRA~1\IEMENU~1<-----folder

C:\Program Files\AutoUpdate<----folder

 

C:\WINNT\system32\wvwwku.exe<----file

C:\winnt\system32\kalvskt32.exe<----file

C:\WINNT\system32\Cxtpls_loader.exe<----file

pcpml4r.exe<----file

paupmsg.exe<----file

 

Some of these may not exist so do not be concerned if you cannot find them.

 

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

 

Reboot normally after doing the above, rescan with hijackthis, then post that log here please.


The last 2 files are all I could find. Latest HijackThis log:

Logfile of HijackThis v1.99.0

Scan saved at 7:13:04 AM, on 1/11/2005

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE

C:\WINNT\System32\svchost.exe

C:\FOLDER~1\FGJR.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb08.exe

C:\PROGRA~1\PESTPA~1\PPControl.exe

C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe

C:\Program Files\Netropa\Onscreen Display\OSD.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINNT\system32\ctfmon.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\Program Files\Simply Transparent 7\SimplyTransparent.exe

C:\WINNT\system32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Documents and Settings\administrator\Desktop\Utilities\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usatoday.com/

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb08.exe

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [sSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - Startup: Simply Transparent.lnk = C:\Program Files\Simply Transparent 7\SimplyTransparent.exe

O4 - Global Startup: strings.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &WordWeb... - res://C:\WINNT\wweb32.dll/lookup.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll

O12 - Plugin for .asx: C:\WINNT\QFNONL\Nscape32\Program\PLUGINS\npdsplay.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Wallingdistributing.com

O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE

O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: FGJR - WinAbility® - C:\FOLDER~1\FGJR.EXE

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
