Full Version: coolweb about blank
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
viper96
HELP!!!! PLEASE!!!!!! This is after spybot and adaware

Logfile of HijackThis v1.98.2
Scan saved at 8:18:31 AM, on 12/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\crjz.exe
C:\WINDOWS\crqf.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\SED\SED.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hcoum.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hcoum.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hcoum.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hcoum.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hcoum.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hcoum.dll/sp.html#29126
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {AA53A0D9-57FB-624D-B034-9230FDC8B759} - C:\WINDOWS\netdo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [rwz0aY1a] C:\documents and settings\bhapps\local settings\temp\rwz0aY1a.exe
O4 - HKLM\..\Run: [2VBE] C:\documents and settings\bhapps\local settings\temp\2VBE.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [atlws.exe] C:\WINDOWS\system32\atlws.exe
O4 - HKLM\..\Run: [crqf.exe] C:\WINDOWS\crqf.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - https://cluster.jdpa.com/download/CfxIEAx.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B167585-B06B-4D93-B530-AAFFD90B7F4B}: NameServer = 10.248.81.253,10.205.1.100,10.205.1.200
Bobbi Flekman
Hi viper96,

You have several infections. These we will handle separately.

Please download ServiceFilter. Unzip ServiceFilter.zip to a convenient folder like C:\ServiceFilter. Double-click on ServiceFilter.vbs. This will create a file called Post_This.txt. Copy and paste the text in the next post.
From the moment you post your list until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the service will have changed and the fix provided will not work.
viper96
I have been playing with it, ran Symantec & CWShredder in safe mode. This is the new HijackThis and Post_This. I will not play anymore until you tell me.

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600 Service Pack 1
Dec 1, 2004 11:08:52 AM


===> Begin Service Listing <===

Unknown Service #1
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{5358c253-ca5d-4e1d-affb-4f1afb5c2430}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: %AF夶À¨
Display Name: Workstation NetLogon Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\system32\crjz.exe /s
State: Running
Process ID: 1752
Started: True
Exit Code: 0

Logfile of HijackThis v1.98.2
Scan saved at 11:08:26 AM, on 12/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\crjz.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\SED\SED.exe
C:\WINDOWS\system32\atlws.exe
C:\WINDOWS\System32\winupdtl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ezqqt.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ezqqt.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ezqqt.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ezqqt.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ezqqt.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ezqqt.dll/sp.html#29126
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {25713B9E-3A18-4906-71FE-9FE3C5B4B02A} - C:\WINDOWS\winph32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [rwz0aY1a] C:\documents and settings\bhapps\local settings\temp\rwz0aY1a.exe
O4 - HKLM\..\Run: [2VBE] C:\documents and settings\bhapps\local settings\temp\2VBE.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [atlws.exe] C:\WINDOWS\system32\atlws.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvmxi32.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B167585-B06B-4D93-B530-AAFFD90B7F4B}: NameServer = 10.248.81.253,10.205.1.100,10.205.1.200
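The second ServiceFilter record above has an unprintable Service Name, a display name borrowed from Windows ("Workstation NetLogon Service") and a lone crjz.exe as its path, which is what distinguishes it from the harmless SwPrv record next to it. As an added example (not part of this thread and not ServiceFilter's own code), the Python below parses the Post_This.txt format and flags records with those traits; the KNOWN_HOSTS set and the four-letter-name heuristic are my assumptions, not published ServiceFilter rules.

```python
"""Flag suspicious records in a ServiceFilter 'Post_This.txt' listing.

Added example: not part of this thread and not ServiceFilter's own code.
The heuristics (KNOWN_HOSTS, the 4-letter-name rule) are assumptions chosen
to match the record posted in the thread, not a published rule set.
"""
import re

# Constructed sample shaped like the ServiceFilter 1.1 output in the thread.
SAMPLE_LISTING = r"""
===> Begin Service Listing <===

Unknown Service #1
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{5358c253-ca5d-4e1d-affb-4f1afb5c2430}
State: Stopped
Started: False

Unknown Service # 2
Service Name: %AF夶À¨
Display Name: Workstation NetLogon Service
Start Mode: Auto
Start Name: LocalSystem
Service Type: Share Process
Path: c:\windows\system32\crjz.exe /s
State: Running
Started: True
"""

# Binaries that legitimately host shared-process or COM-surrogate services (assumption).
KNOWN_HOSTS = {"svchost.exe", "dllhost.exe", "lsass.exe", "services.exe"}
RECORD_START = re.compile(r"Unknown Service\s*#\s*\d+")


def parse_listing(text):
    """Split the listing into one {field: value} dict per 'Unknown Service' record."""
    records, current = [], None
    for line in text.splitlines():
        if RECORD_START.match(line):
            current = {}
            records.append(current)
        elif current is not None and ": " in line:
            key, _, value = line.partition(": ")
            current[key.strip()] = value.strip()
    return records


def image_name(path):
    """Executable file name from a service Path, ignoring arguments such as '/s'."""
    if not path:
        return ""
    return path.split()[0].rsplit("\\", 1)[-1].lower()


def review_service(rec):
    """Return the reasons this record deserves a closer look (empty list = nothing odd)."""
    reasons = []
    name = rec.get("Service Name", "")
    exe = image_name(rec.get("Path", ""))
    # Real service names are printable ASCII identifiers; the posted one is not.
    if not name or not all(32 < ord(c) < 127 for c in name):
        reasons.append("service name is empty, non-printable or non-ASCII")
    # A 'Share Process' service is normally hosted by svchost/dllhost, not a lone exe.
    if rec.get("Service Type", "").startswith("Share") and exe not in KNOWN_HOSTS:
        reasons.append(f"shared-process service hosted by unexpected binary {exe}")
    # Auto-start plus a short random-looking file name in system32 matches the dropper style here.
    if rec.get("Start Mode") == "Auto" and re.fullmatch(r"[a-z]{4}\.exe", exe):
        reasons.append(f"auto-start service with random-looking image name {exe}")
    return reasons


def suspicious_services(text):
    """Map Display Name -> reasons for every record that raised at least one flag."""
    flagged = {}
    for rec in parse_listing(text):
        reasons = review_service(rec)
        if reasons:
            flagged[rec.get("Display Name", "(no display name)")] = reasons
    return flagged


if __name__ == "__main__":
    for display, reasons in suspicious_services(SAMPLE_LISTING).items():
        print(display)
        for r in reasons:
            print("  -", r)
```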
Bobbi Flekman
Hi viper96,
  1. Download AboutBuster

    Unzip it to your desktop but don't run it yet; we'll do that later, further down this list, in SAFE MODE.
  2. Print out these instructions so you have them handy as some of the steps need to be done in safe mode and you may not be able to go online. We need IE to remain closed throughout the process.
  3. Make sure your PC is configured to show hidden files. How do I show hidden files?
  4. Next, go to "Start" ->"Run" and type "Services.msc" (without quotes) then hit "Ok".

    Scroll down and find the service called "Workstation NetLogon Service". When you find it, double-click it. In the next window that opens, click the "Stop" button, then click on "Properties" and under the "General" tab, change the "Startup Type" to Disabled. Now hit "Apply" and then "Ok" and close any open windows.
  5. Restart your computer in Safe Mode. How do I Safe Boot my computer?
  6. Scan with HijackThis and put a check next to the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ezqqt.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ezqqt.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ezqqt.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ezqqt.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ezqqt.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ezqqt.dll/sp.html#29126

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {25713B9E-3A18-4906-71FE-9FE3C5B4B02A} - C:\WINDOWS\winph32.dll

    O4 - HKLM\..\Run: [rwz0aY1a] C:\documents and settings\bhapps\local settings\temp\rwz0aY1a.exe
    O4 - HKLM\..\Run: [2VBE] C:\documents and settings\bhapps\local settings\temp\2VBE.exe
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
    O4 - HKLM\..\Run: [atlws.exe] C:\WINDOWS\system32\atlws.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvmxi32.exe
    O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
    O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe

    O15 - Trusted Zone: *.frame.crazywinnings.com

    Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

    A folder or file name with a tilde (~) means that there is a file/folder that starts with the six characters in front of the tilde; note that there may be spaces in the name. If there is more than one, please report them back and do not delete!

    Delete the following files in red (it could be that they are deleted already):

    C:\WINDOWS\ezqqt.dll
    C:\WINDOWS\winph32.dll
    All Files in C:\documents and settings\bhapps\local settings\temp
    C:\WINDOWS\system32\atlws.exe
    C:\windows\system32\kalvmxi32.exe
    C:\WINDOWS\System32\stcloader.exe
    C:\WINDOWS\System32\winupdtl.exe

    Delete the following folders in red (it could be that they are deleted already):

    C:\Program Files\SED
    C:\Program Files\Common Files\tsa
  7. Double click on the AboutBuster tool you downloaded earlier. Follow the instruction prompts to use the program and let it do two scans (it will ask). When finished, press the "Save log" button. I will want a copy of that log after all steps are completed here.
  8. Scan with Adaware and let it remove any bad files found.
  9. Clean out temporary and tif files. Go to "Start" -> "Run" and type in the box: "cleanmgr". Let it scan your system for files to remove. Make sure these 3 are checked and then press "Ok" to remove:

    Temporary Files
    Temporary Internet Files
    Recycle Bin
  10. Restart in normal mode.
  11. NOTE: Two, possibly three or four, files may have been deleted from your computer by the hijacker and may need to be replaced.

    Control.exe
    Shell.dll
    SDHelper.dll (if you are using Spybot Search & Destroy)
    Hosts file (no extension)

    If control.exe, shell.dll or SDHelper is missing
    Go here: http://spywareinfo.com/~merijn/winfiles.html and download the needed file.

    For a missing Hosts file:
    Download Hoster
    Press "Restore Original Hosts" and press "OK"
    Exit Program.
    Note: if you were using a custom Hosts file you will need to replace any of those entries yourself!

    If you have Spybot S&D installed and SDHelper.dll is missing, replace it here:
    http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)
  12. Additional: Check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in Internet Explorer as recommended.

    ActiveX controls and plug-ins:
    • Download signed ActiveX controls (Prompt)
    • Download unsigned ActiveX controls (Disable)
    • Initialize and script ActiveX controls not marked as safe (Disable)
    • Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
    • Script ActiveX controls marked safe for scripting (Prompt)

    Do an online scan at the following site. Let it remove any infected files found.
    Trend Micro (PC-Cillin) - Free On-line Scan
When you are all done, post the new HijackThis log and the AboutBuster log here for review.
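The fix list above is the helper reading a HijackThis log by hand: res:// search pages served from a DLL, hosts-file redirects of search domains to one IP, an unnamed BHO dropped in the Windows folder, Run entries launched from Temp, unknown LSP DLLs and Trusted Zone additions. As an added example (not part of the thread and not HijackThis' own code), the Python below applies that same reading as rules to a sample log constructed from lines in this thread; the rule set, and the "confirm your DNS servers" flag on O17, are my assumptions rather than anything HijackThis itself does.

```python
"""Triage a HijackThis 1.98 log for the CoolWebSearch about:blank pattern.

Added example: not part of this thread and not HijackThis' own code. The rules
encode what the helper singled out in the thread; the sample log is constructed
from lines posted there and is not a complete scan.
"""
import re

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ezqqt.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: (no name) - {25713B9E-3A18-4906-71FE-9FE3C5B4B02A} - C:\WINDOWS\winph32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [rwz0aY1a] C:\documents and settings\bhapps\local settings\temp\rwz0aY1a.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B167585-B06B-4D93-B530-AAFFD90B7F4B}: NameServer = 10.248.81.253,10.205.1.100,10.205.1.200
"""

HOSTS_ENTRY = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")


def triage_line(line):
    """Return the reason one log line deserves attention, or None if it looks ordinary."""
    section, _, body = line.partition(" - ")
    # R0/R1: start or search page pointing at a res:// resource inside a local DLL.
    if section in ("R0", "R1") and re.search(r"= res://.+\.dll/", body, re.I):
        return "IE search/start page served from a local DLL resource"
    # R3: the hijacker removed the default URLSearchHook so its own search handles typos.
    if section == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook removed"
    # O1: a hosts entry that maps a search/update host to anything but loopback.
    m = HOSTS_ENTRY.match(line)
    if m and not m.group(1).startswith("127."):
        return f"hosts file redirects {m.group(2)} to {m.group(1)}"
    # O2: a BHO with no name whose DLL sits directly in the Windows folder.
    if section == "O2" and "(no name)" in body and re.search(r"C:\\WINDOWS\\[^\\]+\.dll$", body, re.I):
        return "unnamed BHO loaded from a DLL dropped directly in C:\\WINDOWS"
    # O4: a Run key that launches something out of a Temp folder.
    if section == "O4" and re.search(r"\\local settings\\temp\\", body, re.I):
        return "Run entry launches an executable from a Temp folder"
    # O10: HijackThis could not identify the LSP DLL.
    if section == "O10" and body.startswith("Unknown file in Winsock LSP"):
        return "Winsock LSP chain contains an unrecognised DLL"
    # O15: any Trusted Zone addition on a home machine is worth a look.
    if section == "O15":
        return "site added to IE Trusted Zone"
    # O17: not necessarily bad (these are private addresses) but confirm they are yours.
    if section == "O17":
        return "DNS servers set in the registry (confirm they belong to your network)"
    return None


def triage_log(text):
    """Return [(line, reason)] for every flagged line, with exact duplicates collapsed."""
    findings, seen = [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line in seen:
            continue
        seen.add(line)
        reason = triage_line(line)
        if reason:
            findings.append((line, reason))
    return findings


def redirect_targets(text):
    """Group hosts-file hijacks by destination IP; many names -> one IP is the tell."""
    targets = {}
    for line in text.splitlines():
        m = HOSTS_ENTRY.match(line.strip())
        if m:
            targets.setdefault(m.group(1), []).append(m.group(2))
    return targets


if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
    for ip, names in redirect_targets(SAMPLE_LOG).items():
        print(f"{ip} receives traffic for: {', '.join(names)}")
```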
viper96
Logfile of HijackThis v1.98.2
Scan saved at 12:48:04 PM, on 12/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HijackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B167585-B06B-4D93-B530-AAFFD90B7F4B}: NameServer = 10.248.81.253,10.205.1.100,10.205.1.200

Scanned at: 12:28:42 PM on: 12/1/2004


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 16


Removed Data Streams:
C:\WINDOWS\1400 x 1050 IBM Mechanical.bmp:cryzx
C:\WINDOWS\appur.exe.bak:zobng
C:\WINDOWS\euroconv.inf:bgvle
C:\WINDOWS\iis6.log:kvsow
C:\WINDOWS\KB824105.log:vwvys
C:\WINDOWS\vminst.log:ablnk
C:\WINDOWS\winhlp32.exe:hfrim
C:\WINDOWS\xpsp1hfm.log:owkwf


Removed 4 Random Key Entries
Removed! : C:\WINDOWS\System32\szeph.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 16


Removed Data Streams:
C:\WINDOWS\1400 x 1050 IBM Mechanical.bmp:cryzx
C:\WINDOWS\appur.exe.bak:zobng
C:\WINDOWS\euroconv.inf:bgvle
C:\WINDOWS\iis6.log:kvsow
C:\WINDOWS\KB824105.log:vwvys
C:\WINDOWS\vminst.log:ablnk
C:\WINDOWS\winhlp32.exe:hfrim
C:\WINDOWS\xpsp1hfm.log:owkwf


Attempted Clean Of Temp folder.
Pages Reset... Done!
viper96
I didn't use this computer, but I did hook up the Ethernet cable and started getting pop-ups within 15 mins. This is the new log.

Logfile of HijackThis v1.98.2
Scan saved at 1:49:23 PM, on 12/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hyundaidealer.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B167585-B06B-4D93-B530-AAFFD90B7F4B}: NameServer = 10.248.81.253,10.205.1.100,10.205.1.200
Bobbi Flekman
Hi viper96,

We got rid of the first one.

Now we're gonna get rid of number two and prepare ourselves for number three.

Download LSPfix here: www.cexx.org/lspfix.htm
Start the application, and click the "I know what I'm doing" checkbox.
Check all instances of calsp.dll and winlspak.dll (and nothing else), and move them to the "Remove" pane.
Then click Finish and reboot.

Download Ad-aware SE and update it (the Globe icon, then Connect). You don't have to scan yet.

Download the following tool and install it in its own folder:
http://downloads.subratam.org/VX2Finder(126).exe

Run vx2finder(126).exe
Press 'Click to Find VX2.BetterInternet'
Press 'Make Log' and post it in this thread for review

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O15 - Trusted Zone: *.frame.crazywinnings.com

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked". Restart your computer and post a new log in this thread.
viper96
Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
igfxcui
IPConfTSP
NavLogon
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{8925D8B9-2ABF-4AE4-A3C7-4A62152B2C80}

Logfile of HijackThis v1.98.2
Scan saved at 3:09:23 PM, on 12/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hyundaidealer.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B167585-B06B-4D93-B530-AAFFD90B7F4B}: NameServer = 10.248.81.253,10.205.1.100,10.205.1.200
Bobbi Flekman
Hi viper96,

=== Delete files, remove User Agent string, Restore Desktop, Adjust Registry ===
Sign off and stay off the internet until the entire procedure is complete.

Run vx2finder.
Press "Click to Find VX2.BetterInternet"
Select all the files found
Press "Delete These Files"

The program will delete all files.

Once deleted:
a. Press "User Agent$"
b. Press "Restore Desktop"
c. Press "Import Reg"


Then...
Download Ad-aware SE from: http://www.majorgeeks.com/download506.html

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
* Automatically save log-file
* Automatically quarantine objects prior to removal
* Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :
* Scan Within Archives
* Scan Active Processes
* Scan Registry
* Deep Scan Registry
* Scan my IE favorites for banned URL's
* Scan my Hosts file
* Under Click here to select drives + folders, choose:
* All of your hard drives

3. Click on the Advanced button on the left and select:
* Include additional process information
* Include additional file information
* Include environment information

4. Click the Tweak button and select:
* Under the Scanning Engine:
o Unload recognized processes & modules during scan
o Include additional Ad-aware settings in logfile
* Under the Cleaning Engine:
o Let Windows remove files in use at next reboot

5. Click on Proceed to save the settings.

6. Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
* Use Custom Scanning Options

7. Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

8. Save the log file when it asks and then click Finish

9. When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

10. Reboot your computer.

Run HiJackThis again and post a new log in this thread.
viper96
I could not delete anything in VX2

Logfile of HijackThis v1.98.2
Scan saved at 1:15:08 PM, on 12/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kpkpkp.exe
C:\Documents and Settings\bhapps\Start Menu\Programs\Startup\WindowsUpdate07889[1].exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hyundaidealer.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: WindowsUpdate07889[1].exe
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B167585-B06B-4D93-B530-AAFFD90B7F4B}: NameServer = 10.248.81.253,10.205.1.100,10.205.1.200
Bobbi Flekman
Hi viper96,
QUOTE
I could not delete anything in xv2
Were you disconnected from the internet? I see you picked up new ones along the way.

Check your computer with the following free anti-virus/anti-trojan products.

Housecall Anti Virus Panda Anti Virus Trojan Scan

Download Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Click on "Delete on Reboot", in the "Full Path of File to Delete" box, enter C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kpkpkp.exe and click on the button with the white cross in a red circle. You will get a question "File will be Deleted on Next Reboot, Process & Reboot now?", answer "No". Do the same for this file C:\Documents and Settings\bhapps\Start Menu\Programs\Startup\WindowsUpdate07889[1].exe and answer "Yes" after the button. Let Killbox do its work.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O15 - Trusted Zone: *.frame.crazywinnings.com

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked". Restart your computer and post a new log in this thread.
viper96
No, I am not connected to the internet. When I run xv2 there are no files that I can move to delete, unless I am doing something wrong.
O15 - Trusted Zone: *.frame.crazywinnings.com keeps coming back. Do I need to connect to the internet and run the antivirus? I have run Symantec.

Logfile of HijackThis v1.98.2
Scan saved at 1:58:48 PM, on 12/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\popopo.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hyundaidealer.com/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B167585-B06B-4D93-B530-AAFFD90B7F4B}: NameServer = 10.248.81.253,10.205.1.100,10.205.1.200
Bobbi Flekman
Hi viper96,

Launch Notepad, and copy/paste the box below into a new text file. Save it as Export.bat and save it on your Desktop.

CODE
regedit /e domains.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"


Locate Export.bat on your Desktop and double-click on it. This will create a file on your desktop named domains.reg. Attach this to a new post.

QUOTE
No, I am not connected to the internet. When I run xv2 there are no files that I can move to delete, unless I am doing something wrong.
You've done it. What I expected it to do has been done.
viper96
When I double click on it, a DOS window flashes, but no file is left on the desktop. Tried it on my other computer, worked fine. Any ideas?
Bobbi Flekman
QUOTE (viper96 @ Dec 2 2004, 11:42 PM)
When I double click on it, a DOS window flashes, but no file is left on the desktop. Tried it on my other computer, worked fine. Any ideas?

Can you try it in safe mode?
viper96
Logfile of HijackThis v1.98.2
Scan saved at 8:16:38 AM, on 12/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kpkpkp.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hyundaidealer.com/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B167585-B06B-4D93-B530-AAFFD90B7F4B}: NameServer = 10.248.81.253,10.205.1.100,10.205.1.200
Bobbi Flekman
Hi viper96,

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.

CODE
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
"*"=-
Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

See if it gets removed this way. Afterwards restart your computer.

Use Killbox on this file: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kpkpkp.exe

Post a new log.
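The two steps above (export the ZoneMap\Domains key with regedit /e, then merge a .reg that removes the offending value) can be checked before anything is merged. This is an added Python example, not a tool from the thread: it decodes the exported domains.reg, lists every host mapped into a zone (zone 2 is Trusted sites), handles both the flat key the fixme.reg above targets and the nested Domains\example.com\www layout, and writes the removal .reg in the same form as fixme.reg. The sample export is constructed.

```python
import re
from dataclasses import dataclass
from typing import List

ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Matches "[HKEY_...\ZoneMap\Domains\<subkey path>]" for both the HKCU and HKLM hives.
KEY_RE = re.compile(r"^\[(.+\\ZoneMap\\Domains)\\(.+)\]$", re.IGNORECASE)
# Matches a zone mapping value such as "*"=dword:00000002 or "http"=dword:00000004.
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


@dataclass(frozen=True)
class ZoneMapping:
    key: str       # full registry key the value lives under
    host: str      # host pattern, e.g. frame.crazywinnings.com
    scheme: str    # value name: http, https, file, or * for any scheme
    zone: int      # ZoneMap zone number

    @property
    def display(self) -> str:
        # HijackThis shows an any-scheme mapping as "*.host" in its O15 line (as on this page);
        # the scheme://host form for the other values is this example's own convention.
        return f"*.{self.host}" if self.scheme == "*" else f"{self.scheme}://{self.host}"


def decode_reg_export(raw: bytes) -> str:
    """regedit /e on XP writes UTF-16LE with a BOM; older exports are ANSI text."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("cp1252")


def parse_zonemap(text: str) -> List[ZoneMapping]:
    """Return every host/scheme -> zone mapping found under a ZoneMap\\Domains key."""
    mappings: List[ZoneMapping] = []
    current_key = None
    current_host = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            if m:
                current_key = line[1:-1]
                # Domains\example.com\www represents www.example.com: reverse the path parts.
                current_host = ".".join(reversed(m.group(2).split("\\")))
            else:
                current_key = current_host = None
            continue
        v = VALUE_RE.match(line)
        if v and current_key:
            mappings.append(ZoneMapping(current_key, current_host, v.group(1), int(v.group(2), 16)))
    return mappings


def trusted_sites(text: str) -> List[ZoneMapping]:
    """Mappings that put a host in the Trusted sites zone (zone 2), in file order."""
    return [m for m in parse_zonemap(text) if m.zone == 2]


def removal_reg(mapping: ZoneMapping) -> str:
    """A .reg file that deletes just this mapping value ("name"=-), as the thread's fixme.reg does."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f'[{mapping.key}]\r\n"{mapping.scheme}"=-\r\n')


# Constructed sample in the format regedit /e writes; not a real export from the thread.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\intranet]
"http"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net]
"*"=dword:00000004
"""

if __name__ == "__main__":
    for m in trusted_sites(SAMPLE_EXPORT):
        print(f"{ZONE_NAMES[m.zone]}: {m.display}  ({m.key})")
        print(removal_reg(m))
```

Run it against the real domains.reg by passing decode_reg_export(open("domains.reg", "rb").read()) to trusted_sites; anything listed that you did not add yourself is worth a closer look.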
viper96
The kpkpkp.exe wasn't found when I tried to kill it.

Logfile of HijackThis v1.98.2
Scan saved at 10:40:36 AM, on 12/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\popopo.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hyundaidealer.com/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B167585-B06B-4D93-B530-AAFFD90B7F4B}: NameServer = 10.248.81.253,10.205.1.100,10.205.1.200
Bobbi Flekman
Hi viper96,

QUOTE
The kpkpkp.exe wasn't found when I tried to kill it.
It renamed itself. You are running Telnet. Though this is a valid service, it is usually turned off.

Check your computer with the following free anti-virus/anti-trojan products.

Housecall Anti Virus Panda Anti Virus Trojan Scan

And, here's the link to McAfee AVERT Stinger and instructions for use.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location, so you can delete it yourself.
viper96
Logfile of HijackThis v1.98.2
Scan saved at 8:20:23 AM, on 12/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\gxqtpkddww.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hyundaidealer.com/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Yantert] C:\WINDOWS\bruzmoh.exe
O4 - HKLM\..\Run: [C:\WINDOWS\gxqtpkddww.exe] C:\WINDOWS\gxqtpkddww.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B167585-B06B-4D93-B530-AAFFD90B7F4B}: NameServer = 10.248.81.253,10.205.1.100,10.205.1.200
Bobbi Flekman
Hi viper96,

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O4 - HKLM\..\Run: [Yantert] C:\WINDOWS\bruzmoh.exe
O4 - HKLM\..\Run: [C:\WINDOWS\gxqtpkddww.exe] C:\WINDOWS\gxqtpkddww.exe


Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Click on "Config...", "Misc Tools", "Open process manager". Select "C:\WINDOWS\gxqtpkddww.exe" and click on "Kill process". Answer Yes to the "Are you sure..." question.

Set hidden files showing. How do I show hidden files?

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\gxqtpkddww.exe
C:\WINDOWS\bruzmoh.exe

Restart your computer and post a new log in this thread.
viper96
Logfile of HijackThis v1.98.2
Scan saved at 9:27:23 AM, on 12/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hyundaidealer.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B167585-B06B-4D93-B530-AAFFD90B7F4B}: NameServer = 10.248.81.253,10.205.1.100,10.205.1.200
Bobbi Flekman
Hi viper96,

You've gotten reinfected with other malware... :(

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll


Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\System32\nvms.dll
C:\WINDOWS\System32\mscb.dll
C:\WINDOWS\System32\msbe.dll

Restart your computer and post a new log in this thread.

You have been hit by a bright shiny new version of VX2/Look2Me. We are working on completely fixing it and it seems that we have a solution. Can you download and extract the attached zip file. There is a batch file in it named Find.bat. This will create a log, please post it.
viper96
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C is IBM_PRELOAD
Volume Serial Number is E4C9-1CB8

Directory of C:\WINDOWS\System32

12/07/2004 11:05 AM <DIR> dllcache
12/07/2004 11:05 AM 223,203 dmnput.dll
12/07/2004 10:58 AM 225,154 dnn0015me.dll
12/07/2004 10:54 AM 225,154 dtprpres.dll
12/07/2004 10:54 AM 223,203 u0rula991d.dll
12/07/2004 09:25 AM 225,627 mgimsg.dll
12/06/2004 05:34 PM 225,154 meacm32.dll
12/06/2004 02:48 PM 223,300 fprm0391e.dll
12/06/2004 01:52 PM 224,519 g422lefo1h2c.dll
12/03/2004 10:38 AM 225,783 k462lejo1hoc.dll
12/03/2004 08:15 AM 223,935 apifil32.dll
12/03/2004 07:48 AM 224,519 acdgo.dll
12/02/2004 02:43 PM 223,935 nqtplwiz.dll
12/02/2004 01:56 PM 225,047 krdsg.dll
12/02/2004 01:14 PM 223,935 nkmsmgr.dll
12/01/2004 11:05 AM 223,384 onbccp32.dll
12/01/2004 10:27 AM 223,329 AZHPRXY.DLL
12/01/2004 09:59 AM 224,492 mucoree.dll
11/30/2004 04:47 PM 224,492 gp6ml3j11.dll
11/30/2004 03:47 PM 223,435 enj0l11m1.dll
11/30/2004 03:11 PM 223,435 fp0203doe.dll
11/29/2004 04:41 PM 10,752 crjz.exe
11/28/2004 11:17 PM 3,347 glzvn.txt
11/10/2004 02:50 AM 29,696 ntou.exe
11/08/2004 04:54 PM 3,347 ddwsw.log
10/30/2004 03:19 AM 3,347 zozex.txt
10/22/2002 03:24 PM <DIR> Microsoft
11/20/2001 11:24 AM 7,168 THUMBS.DB
26 File(s) 4,542,692 bytes
2 Dir(s) 56,939,721,216 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is IBM_PRELOAD
Volume Serial Number is E4C9-1CB8

Directory of C:\WINDOWS\System32

12/07/2004 11:05 AM <DIR> dllcache
11/29/2004 04:41 PM 10,752 crjz.exe
11/28/2004 11:17 PM 3,347 glzvn.txt


Logfile of HijackThis v1.98.2
Scan saved at 11:07:45 AM, on 12/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hyundaidealer.com/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B167585-B06B-4D93-B530-AAFFD90B7F4B}: NameServer = 10.248.81.253,10.205.1.100,10.205.1.200
Bobbi Flekman
Hi viper96,

Could you zip the files in red, and mail the zip file to me. We are still working on an automated fix, so the more files we have to dissect the better.

C:\WINDOWS\System32\dmnput.dll
C:\WINDOWS\System32\dnn0015me.dll
C:\WINDOWS\System32\dtprpres.dll
C:\WINDOWS\System32\u0rula991d.dll
C:\WINDOWS\System32\mgimsg.dll
C:\WINDOWS\System32\meacm32.dll
C:\WINDOWS\System32\fprm0391e.dll
C:\WINDOWS\System32\g422lefo1h2c.dll
C:\WINDOWS\System32\k462lejo1hoc.dll
C:\WINDOWS\System32\apifil32.dll
C:\WINDOWS\System32\acdgo.dll
C:\WINDOWS\System32\nqtplwiz.dll
C:\WINDOWS\System32\krdsg.dll
C:\WINDOWS\System32\nkmsmgr.dll
C:\WINDOWS\System32\onbccp32.dll
C:\WINDOWS\System32\AZHPRXY.DLL
C:\WINDOWS\System32\mucoree.dll
C:\WINDOWS\System32\gp6ml3j11.dll
C:\WINDOWS\System32\enj0l11m1.dll
C:\WINDOWS\System32\fp0203doe.dll
C:\WINDOWS\System32\crjz.exe
C:\WINDOWS\System32\glzvn.txt
C:\WINDOWS\System32\ntou.exe
C:\WINDOWS\System32\ddwsw.log
C:\WINDOWS\System32\zozex.txt

Afterwards use Killbox on these files:

C:\WINDOWS\System32\dmnput.dll
C:\WINDOWS\System32\dnn0015me.dll
C:\WINDOWS\System32\dtprpres.dll
C:\WINDOWS\System32\u0rula991d.dll
C:\WINDOWS\System32\mgimsg.dll
C:\WINDOWS\System32\meacm32.dll
C:\WINDOWS\System32\fprm0391e.dll
C:\WINDOWS\System32\g422lefo1h2c.dll
C:\WINDOWS\System32\k462lejo1hoc.dll
C:\WINDOWS\System32\apifil32.dll
C:\WINDOWS\System32\acdgo.dll
C:\WINDOWS\System32\nqtplwiz.dll
C:\WINDOWS\System32\krdsg.dll
C:\WINDOWS\System32\nkmsmgr.dll
C:\WINDOWS\System32\onbccp32.dll
C:\WINDOWS\System32\AZHPRXY.DLL
C:\WINDOWS\System32\mucoree.dll
C:\WINDOWS\System32\gp6ml3j11.dll
C:\WINDOWS\System32\enj0l11m1.dll
C:\WINDOWS\System32\fp0203doe.dll
C:\WINDOWS\System32\crjz.exe
C:\WINDOWS\System32\glzvn.txt
C:\WINDOWS\System32\ntou.exe
C:\WINDOWS\System32\ddwsw.log
C:\WINDOWS\System32\zozex.txt


Restart your computer and post a fresh log from HijackThis and Find.bat.

B.t.w. the telltale signs of this infection are gone from your log. Did you do something?
aust3333
Hello guys,

I know that I am not supposed to help with problems on this forum because I am only a member, but I have been reading this thread for a while and noticed that it has been ongoing. Bobbi, if it is ok with you I can offer a definite fix for this problem because I have experienced it first hand and have cleaned it successfully. Let me tell you, it is a doozy of a piece of malware. I will monitor this post and offer help if it is ok with you Bobbi. I am not trying in any way to step on anyone's toes, but just trying to help because I know how frustrating this darn thing made me. Please let me know if I can post the solution. Thanks.
viper96
Did not do anything. Will zip and post shortly.
Thanks
viper96
I can't post the zip file because it is 3.8 MB. What should I do with it?


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C is IBM_PRELOAD
Volume Serial Number is E4C9-1CB8

Directory of C:\WINDOWS\System32

12/08/2004 08:13 AM 223,203 krdgr.dll
12/08/2004 08:13 AM 223,768 hr6q05j5e.dll
12/08/2004 07:57 AM 225,154 muxml2r.dll
12/07/2004 03:19 PM 223,203 l08m0al1edq.dll
12/07/2004 11:05 AM <DIR> dllcache
10/22/2002 03:24 PM <DIR> Microsoft
11/20/2001 11:24 AM 7,168 THUMBS.DB
5 File(s) 902,496 bytes
2 Dir(s) 56,933,144,064 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is IBM_PRELOAD
Volume Serial Number is E4C9-1CB8

Directory of C:\WINDOWS\System32

12/07/2004 11:05 AM <DIR> dllcache
09/24/2002 09:52 PM 488 logonui.exe.manifest
09/24/2002 09:52 PM 488 WindowsLogon.manifest
09/24/2002 09:52 PM 749 nwc.cpl.manifest
09/24/2002 09:52 PM 749 sapi.cpl.manifest
09/24/2002 09:52 PM 749 ncpa.cpl.manifest
09/24/2002 09:52 PM 749 cdplayer.exe.manifest
09/24/2002 09:52 PM 749 wuaucpl.cpl.manifest
11/20/2001 11:24 AM 7,168 THUMBS.DB
8 File(s) 11,889 bytes
1 Dir(s) 56,933,144,064 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is IBM_PRELOAD
Volume Serial Number is E4C9-1CB8

Directory of C:\WINDOWS\System32



Logfile of HijackThis v1.98.2
Scan saved at 8:39:32 AM, on 12/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hyundaidealer.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
Bobbi Flekman
Hi viper96,

QUOTE
I can't post the zip file because it is 3.8mb. What should I do with it?
Can you split it in several files?


Zip these too, and then use Killbox on them, it seems we didn't get them all:

C:\WINDOWS\System32\krdgr.dll
C:\WINDOWS\System32\hr6q05j5e.dll
C:\WINDOWS\System32\muxml2r.dll
C:\WINDOWS\System32\l08m0al1edq.dll

Also, I would have expected that a part of the log from Find.bat was a registry log of what is inside the Notify key.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch


Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?

Delete the following folders in red (it could be that they are deleted already):

C:\Program Files\NaviSearch
C:\Program Files\CashBack

Restart your computer and post a new log (and a Find.bat log) in this thread.
Bobbi Flekman
Hi viper96,

Could you also post a log from Safe Mode, so we can compare the differences.
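Comparing two HijackThis logs by eye is error-prone, and the comparison asked for above (normal mode against Safe Mode) is exactly the case where a process or item that quietly disappears matters. This added Python example (not a tool from the thread) parses a HijackThis 1.98 log into its header, Running processes block and item lines, then reports what appeared and what disappeared between two scans. The two abbreviated logs are constructed from lines in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

ITEM_RE = re.compile(r"^[RO]\d+ - ")   # HijackThis item lines: R0, R1, O2, O4, O15, ...


@dataclass
class HjtLog:
    header: Dict[str, str] = field(default_factory=dict)
    processes: List[str] = field(default_factory=list)
    items: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> HjtLog:
    """Split a HijackThis 1.98 log into header fields, the Running processes block and item lines."""
    log = HjtLog()
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            section = "processes"
            continue
        if ITEM_RE.match(line):
            section = "items"
        if section == "header":
            if line.startswith("Logfile of "):
                log.header["tool"] = line[len("Logfile of "):]
            elif line.startswith("Scan saved at "):      # contains colons, so handle it first
                log.header["scan"] = line[len("Scan saved at "):]
            elif ":" in line:                            # Platform: ..., MSIE: ...
                key, value = line.split(":", 1)
                log.header[key.strip()] = value.strip()
        elif section == "processes":
            log.processes.append(line)
        else:
            log.items.append(line)
    return log


def _added(old: List[str], new: List[str]) -> List[str]:
    # Case-insensitive: the same path shows up as System32 and system32 within one log.
    seen = {x.lower() for x in old}
    return [x for x in new if x.lower() not in seen]


def diff_hjt(old: HjtLog, new: HjtLog) -> Dict[str, List[str]]:
    """What appeared and what disappeared between two logs (e.g. normal mode vs Safe Mode)."""
    return {
        "processes_added": _added(old.processes, new.processes),
        "processes_removed": _added(new.processes, old.processes),
        "items_added": _added(old.items, new.items),
        "items_removed": _added(new.items, old.items),
    }


# Constructed, abbreviated logs built from lines in this thread; not complete logs.
LOG_NORMAL = r"""Logfile of HijackThis v1.98.2
Scan saved at 1:58:48 PM, on 12/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\System32\popopo.exe
C:\WINDOWS\System32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hyundaidealer.com/
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
"""

LOG_SAFE = r"""Logfile of HijackThis v1.98.2
Scan saved at 2:00:22 PM, on 12/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hyundaidealer.com/
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

if __name__ == "__main__":
    for kind, lines in diff_hjt(parse_hjt(LOG_NORMAL), parse_hjt(LOG_SAFE)).items():
        print(kind)
        for entry in lines:
            print("   ", entry)
```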
viper96
The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600 Service Pack 1
Dec 1, 2004 11:08:52 AM


===> Begin Service Listing <===

Unknown Service #1
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{5358c253-ca5d-4e1d-affb-4f1afb5c2430}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: %AF夶À¨
Display Name: Workstation NetLogon Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\system32\crjz.exe /s
State: Running
Process ID: 1752
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

---> End Service Listing <---

There are 85 Win32 services on this machine.
2 were unrecognized.

Script Execution Time: 0.484375 seconds.


Logfile of HijackThis v1.98.2
Scan saved at 2:00:22 PM, on 12/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hyundaidealer.com/
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B167585-B06B-4D93-B530-AAFFD90B7F4B}: NameServer = 10.248.81.253,10.205.1.100,10.205.1.200
viper96
This is from Safe Mode, still trying to zip the files. Don't seem to compress much.

Logfile of HijackThis v1.98.2
Scan saved at 2:07:00 PM, on 12/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hyundaidealer.com/
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B167585-B06B-4D93-B530-AAFFD90B7F4B}: NameServer = 10.248.81.253,10.205.1.100,10.205.1.200



Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C is IBM_PRELOAD
Volume Serial Number is E4C9-1CB8

Directory of C:\WINDOWS\System32

12/08/2004 02:06 PM 223,016 duband.dll
12/08/2004 02:06 PM 223,693 jtp6077se.dll
12/08/2004 02:01 PM <DIR> dllcache
12/08/2004 01:59 PM 225,099 aqvapi32.dll
12/08/2004 01:59 PM 223,016 ktj6l71s1.dll
12/08/2004 01:16 PM 223,203 jkpl400.dll
12/08/2004 01:09 PM 223,768 idsecsnp.dll
10/22/2002 03:24 PM <DIR> Microsoft
11/20/2001 11:24 AM 7,168 THUMBS.DB
7 File(s) 1,348,963 bytes
2 Dir(s) 56,935,992,320 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is IBM_PRELOAD
Volume Serial Number is E4C9-1CB8

Directory of C:\WINDOWS\System32

12/08/2004 02:01 PM <DIR> dllcache
09/24/2002 09:52 PM 488 logonui.exe.manifest
09/24/2002 09:52 PM 488 WindowsLogon.manifest
09/24/2002 09:52 PM 749 nwc.cpl.manifest
09/24/2002 09:52 PM 749 sapi.cpl.manifest
09/24/2002 09:52 PM 749 ncpa.cpl.manifest
09/24/2002 09:52 PM 749 cdplayer.exe.manifest
09/24/2002 09:52 PM 749 wuaucpl.cpl.manifest
11/20/2001 11:24 AM 7,168 THUMBS.DB
8 File(s) 11,889 bytes
1 Dir(s) 56,935,991,296 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is IBM_PRELOAD
Volume Serial Number is E4C9-1CB8

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------
Bobbi Flekman
Hi viper96,

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll


Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Use Killbox on :

C:\WINDOWS\System32\duband.dll
C:\WINDOWS\System32\jtp6077se.dll
C:\WINDOWS\System32\aqvapi32.dll
C:\WINDOWS\System32\ktj6l71s1.dll
C:\WINDOWS\System32\jkpl400.dll
C:\WINDOWS\System32\idsecsnp.dll


Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\System32\nvms.dll
C:\WINDOWS\System32\mscb.dll
C:\WINDOWS\System32\msbe.dll

Restart your computer and post a new log in this thread.
viper96
Logfile of HijackThis v1.98.2
Scan saved at 4:51:26 PM, on 12/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hyundaidealer.com/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B167585-B06B-4D93-B530-AAFFD90B7F4B}: NameServer = 10.248.81.253,10.205.1.100,10.205.1.200
Bobbi Flekman
Hi viper96,

Yay!!! This log is clean.

But.... it is known that this new VX2 Infection messes up your computer. Do you see any problems? Can you print? Create a file and delete it. Does it end up in the Recycle Bin? If you do have problems, do not yet update to SP-2. But keep it in mind for when you're clean.

This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall for example Kerio Personal Firewall or ZoneLabs Zone Alarm, a spyware blocker like SpywareBlaster and also IE-Spyads and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protects your computer.

This can be accessed by going to http://windowsupdate.microsoft.com/ and following the prompts. If you are running Windows XP get updated to SP-2

Please post back if you are still having any problems....
viper96
I have popups like crazy. All I did was plug my LAN cable back up. I have run Spybot and Ad-aware. Can't get rid of coolwwwsearch and XV2. Did I do something wrong?

Thanks

Logfile of HijackThis v1.98.2
Scan saved at 10:30:34 AM, on 12/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Reynolds\ERALink32\ERALink32.exe
C:\PROGRA~1\Reynolds\ERALIN~1\wIntegSM.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hyundaidealer.com/
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: kpkpkp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B167585-B06B-4D93-B530-AAFFD90B7F4B}: NameServer = 10.248.81.253,10.205.1.100,10.205.1.200
Bobbi Flekman
Hi viper96,

Do you use a firewall? That is your first line of defense... Please download either Kerio or ZoneAlarm and install it on your computer.

Download LSPfix here: www.cexx.org/lspfix.htm
Start the application, and click the "I know what I'm doing" checkbox.
Check all instances of [calsp.dll] (and nothing else), and move them to the "Remove" pane.
Then click Finish and reboot.

Use Killbox on C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kpkpkp.exe

And post a log from Find.bat and a new HijackThis log.
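The checks being applied by eye in this thread (hosts entries that pin IE's search hostnames to one public IP, an unknown Winsock LSP file, a bare executable sitting in the all-users Startup folder, a BHO living directly in System32, a search page served from a res:// DLL) can be scripted so they are not missed when a log is re-posted. The following is an added example and not code from the thread, from HijackThis or from any of the tools named in it; it runs on a constructed log that mirrors the ones posted above (the all-zeros CLSID, example.dll and helper.dll are placeholders), and its rules are heuristics whose hits still need to be confirmed by hand.

```python
"""Flag the hijack indicators this thread is chasing in a HijackThis 1.98 log.

Added example: this is not code from the original posts or from HijackThis.
SAMPLE_LOG is constructed to mirror the logs posted above (the placeholder
CLSID and the example.dll/helper.dll paths are made up). The rules are
heuristics: a hosts entry that pins a hostname to a non-loopback IP, a BHO
living directly in System32, a bare .exe in the all-users Startup folder, an
unknown Winsock LSP, or an IE search page backed by a res:// DLL. Each hit is
something to verify, not something to delete blindly.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hyundaidealer.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\example.dll/sp.html
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: kpkpkp.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
"""

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
R_RE = re.compile(r"^R[01] - (.+?) = (.+)$")
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (.+)$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")


def _in_system32(path):
    """True when the file sits directly in <drive>\\WINDOWS\\System32 (XP layout, case-insensitive)."""
    parts = path.replace("/", "\\").lower().split("\\")
    return len(parts) >= 3 and parts[-2] == "system32" and parts[-3] == "windows"


def triage(log_text):
    """Return {indicator: sorted details} for the suspicious lines in a HijackThis log."""
    findings = defaultdict(set)
    pinned = defaultdict(set)  # non-loopback IP -> hostnames the hosts file pins to it
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := HOSTS_RE.match(line)):
            ip, name = m.groups()
            if ip not in LOOPBACK:
                pinned[ip].add(name)
        elif (m := R_RE.match(line)):
            # An IE start/search page backed by a res:// DLL is the about:blank hijacker pattern.
            if m.group(2).lower().startswith("res://"):
                findings["res_search_page"].add(f"{m.group(1)} = {m.group(2)}")
        elif (m := BHO_RE.match(line)):
            _desc, clsid, path = m.groups()
            if _in_system32(path):  # legitimate BHOs normally live under Program Files
                findings["bho_in_system32"].add(f"{clsid} {path}")
        elif (m := STARTUP_RE.match(line)):
            # The Startup folder normally holds .lnk shortcuts; a bare .exe dropped there is suspect.
            if m.group(1).lower().endswith(".exe"):
                findings["exe_in_global_startup"].add(m.group(1))
        elif (m := LSP_RE.match(line)):
            findings["unknown_lsp"].add(m.group(1).lower())
    for ip, names in pinned.items():
        # The hosts file pins IE's auto-search hostnames to one public IP: a search
        # redirect that lives in a file, so fixing registry entries alone will not clear it.
        findings["hosts_redirect"].add(f"{ip} -> {', '.join(sorted(names))}")
    return {key: sorted(vals) for key, vals in findings.items()}


if __name__ == "__main__":
    for indicator, details in sorted(triage(SAMPLE_LOG).items()):
        print(indicator)
        for detail in details:
            print("   ", detail)
```

The loopback filter matters: hosts entries that map ad servers to 127.0.0.1 (what a hosts-based blocker such as the ones recommended earlier in this thread installs) look identical to HijackThis, so the script only reports names pinned to a routable address.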
viper96
Logfile of HijackThis v1.98.2
Scan saved at 1:38:35 PM, on 12/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kpkpkp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hyundaidealer.com/
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B167585-B06B-4D93-B530-AAFFD90B7F4B}: NameServer = 10.248.81.253,10.205.1.100,10.205.1.200

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C is IBM_PRELOAD
Volume Serial Number is E4C9-1CB8

Directory of C:\WINDOWS\System32

12/09/2004 10:30 AM <DIR> dllcache
12/09/2004 07:58 AM 223,127 h20q0cd5ef0.dll
12/08/2004 05:33 PM 223,923 s6rs0g97e6.dll
12/08/2004 02:10 PM 223,693 rjpdd.dll
10/22/2002 03:24 PM <DIR> Microsoft
11/20/2001 11:24 AM 7,168 THUMBS.DB
4 File(s) 677,911 bytes
2 Dir(s) 56,924,439,552 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is IBM_PRELOAD
Volume Serial Number is E4C9-1CB8

Directory of C:\WINDOWS\System32

12/09/2004 10:30 AM <DIR> dllcache
09/24/2002 09:52 PM 488 logonui.exe.manifest
09/24/2002 09:52 PM 488 WindowsLogon.manifest
09/24/2002 09:52 PM 749 nwc.cpl.manifest
09/24/2002 09:52 PM 749 sapi.cpl.manifest
09/24/2002 09:52 PM 749 ncpa.cpl.manifest
09/24/2002 09:52 PM 749 cdplayer.exe.manifest
09/24/2002 09:52 PM 749 wuaucpl.cpl.manifest
11/20/2001 11:24 AM 7,168 THUMBS.DB
8 File(s) 11,889 bytes
1 Dir(s) 56,924,439,552 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is IBM_PRELOAD
Volume Serial Number is E4C9-1CB8

Directory of C:\WINDOWS\System32

12/09/2004 01:37 PM 223,923 guard.tmp
1 File(s) 223,923 bytes
0 Dir(s) 56,924,438,528 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is IBM_PRELOAD
Volume Serial Number is E4C9-1CB8
Bobbi Flekman
Hi viper96,

Download Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Click on "Delete on Reboot", in the "Full Path of File to Delete" box, enter C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kpkpkp.exe and click on the button with the white cross in a red circle. You will get a question "File will be Deleted on Next Reboot, Process & Reboot now?", answer "Yes". Let Killbox do its work.

I still don't see a firewall in your logs!
You didn't post the whole log from Find.bat!

How many user accounts do you have on this computer?
viper96
I have zone alarm, only 1 user that I know of.

Logfile of HijackThis v1.98.2
Scan saved at 9:55:27 AM, on 12/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hyundaidealer.com/
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B167585-B06B-4D93-B530-AAFFD90B7F4B}: NameServer = 10.248.81.253,10.205.1.100,10.205.1.200


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C is IBM_PRELOAD
Volume Serial Number is E4C9-1CB8

Directory of C:\WINDOWS\System32

12/10/2004 09:36 AM <DIR> dllcache
12/10/2004 09:35 AM 223,127 stnsapi.dll
12/10/2004 09:09 AM 223,923 m0nq0a55ed.dll
12/10/2004 07:44 AM 223,127 ktr8l79u1.dll
12/08/2004 02:10 PM 223,693 rjpdd.dll
10/22/2002 03:24 PM <DIR> Microsoft
11/20/2001 11:24 AM 7,168 THUMBS.DB
5 File(s) 901,038 bytes
2 Dir(s) 56,714,036,736 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is IBM_PRELOAD
Volume Serial Number is E4C9-1CB8

Directory of C:\WINDOWS\System32

12/10/2004 09:36 AM <DIR> dllcache
12/10/2004 09:10 AM 890 vsconfig.xml
12/09/2004 01:54 PM 4,212 zllictbl.dat
09/24/2002 09:52 PM 488 logonui.exe.manifest
09/24/2002 09:52 PM 488 WindowsLogon.manifest
09/24/2002 09:52 PM 749 wuaucpl.cpl.manifest
09/24/2002 09:52 PM 749 ncpa.cpl.manifest
09/24/2002 09:52 PM 749 nwc.cpl.manifest
09/24/2002 09:52 PM 749 sapi.cpl.manifest
09/24/2002 09:52 PM 749 cdplayer.exe.manifest
11/20/2001 11:24 AM 7,168 THUMBS.DB
10 File(s) 16,991 bytes
1 Dir(s) 56,714,035,712 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is IBM_PRELOAD
Volume Serial Number is E4C9-1CB8

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C is IBM_PRELOAD
Volume Serial Number is E4C9-1CB8

Directory of C:\WINDOWS\System32

08/03/2004 11:56 PM 1,236,480 msxml3.dll.tmp
08/18/2001 07:00 AM 2,577 CONFIG.TMP
2 File(s) 1,239,057 bytes
0 Dir(s) 56,714,035,712 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8925D8B9-2ABF-4AE4-A3C7-4A62152B2C80}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ktr8l79u1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------
Bobbi Flekman
Hi viper96,

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com


Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Close HijackThis and log off the Internet.

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.

CODE
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8925D8B9-2ABF-4AE4-A3C7-4A62152B2C80}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]

Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Download Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Click on "Delete on Reboot", in the "Full Path of File to Delete" box, enter C:\WINDOWS\System32\Guard.tmp and click on the button with the white cross in a red circle. You will get a question "File will be Deleted on Next Reboot, Process & Reboot now?", answer "No". Do the same for the these files:
C:\WINDOWS\System32\stnsapi.dll
C:\WINDOWS\System32\m0nq0a55ed.dll
C:\WINDOWS\System32\ktr8l79u1.dll
C:\WINDOWS\System32\rjpdd.dll
after the last one click the button and answer "Yes". Let Killbox restart your computer.

Post a fresh log from HijackThis and Find.bat
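The Find.bat output above is what gives this fix away: a Winlogon\Notify subkey named Explorer whose DllName points at a random-named DLL in System32, which winlogon.exe loads at every logon, so the file is in use before any user-mode cleaner runs and is recreated under a new name when deleted. The fixme.reg then removes the User Agent value with the "name"=- syntax and the whole Notify\Explorer key with the [-KEY] syntax. The script below is an added example, not code from the thread, from Find.bat or from Windows: it parses a REGEDIT4 export constructed to mirror the listing above, reports Notify subkeys that are not on an assumed stock Windows XP list, and dry-runs a .reg file (a constructed copy of the fixme.reg posted above) to show exactly which keys and values merging it would delete.

```python
"""Audit the Winlogon Notify export printed by Find.bat and dry-run a fixme.reg.

Added example: not code from the original posts, from Find.bat or from Windows.
SAMPLE_EXPORT and SAMPLE_FIX are constructed to mirror the listing and fixme.reg
posted above. STOCK_NOTIFY is an assumption (the Notify subkeys a stock Windows
XP install registers); any other subkey, here "Explorer" loading a random-named
DLL from System32, is reported. describe_fix() shows what a .reg would do before
it is merged: "name"=- deletes a value, [-KEY] deletes a whole key.
"""
import re

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
# Assumed stock XP Notify subkeys (lower-case); extend for third-party logon packages you trust.
STOCK_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Constructed export in the REGEDIT4 (regedit /a) format Find.bat prints.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ktr8l79u1.dll"
"""

# The fix file from the post above, reproduced as a constructed sample.
SAMPLE_FIX = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8925D8B9-2ABF-4AE4-A3C7-4A62152B2C80}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')

def _decode_value(raw):
    """Decode a REGEDIT4 string or hex(2) literal; other value types are returned verbatim."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("hex(2):"):  # REG_EXPAND_SZ as comma-separated bytes (single line only here)
        data = bytes(int(h, 16) for h in raw[7:].split(",") if h)
        return data.replace(b"\x00", b"").decode("latin-1")  # ANSI or UTF-16LE ASCII both decode
    return raw

def parse_export(text):
    """Return {key_path: {value_name: decoded_value}} for a REGEDIT4 export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current = m.group(2)
            keys[current] = {}
        elif (m := VAL_RE.match(line)) and current is not None:
            keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys

def audit_notify(keys):
    """Return [(subkey, DllName)] for direct Notify subkeys that are not in STOCK_NOTIFY."""
    prefix = NOTIFY_ROOT.lower() + "\\"
    suspects = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        subkey = path[len(prefix):]
        if "\\" in subkey or subkey.lower() in STOCK_NOTIFY:
            continue
        suspects.append((subkey, values.get("DllName", "")))
    return suspects

def describe_fix(reg_text):
    """List (action, key, value_name) for what merging a .reg file would do."""
    actions, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current = m.group(2)
            if m.group(1) == "-":
                actions.append(("delete_key", current, None))
        elif (m := VAL_RE.match(line)) and current is not None:
            name, raw = m.groups()
            actions.append(("delete_value" if raw == "-" else "set_value", current, name))
    return actions

if __name__ == "__main__":
    for subkey, dll in audit_notify(parse_export(SAMPLE_EXPORT)):
        print(f"non-stock Notify subkey {subkey!r} loads {dll}")
    for action in describe_fix(SAMPLE_FIX):
        print(action)
```

Run the dry-run on any .reg you are handed before merging it: a fix that contains a [-HKEY_LOCAL_MACHINE\...\Winlogon\Notify] line without a subkey, or a [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings] line, would wipe the parent key rather than the one malicious entry.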
Invision Power Board © 2001-2009 Invision Power Services, Inc.