Full Version: Hijacked
IJ300
Any help would be appreciated.

Logfile of HijackThis v1.98.2
Scan saved at 6:49:51 AM, on 12/9/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
c:\winnt\system32\dllcache\FireDaemon.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
c:\winnt\system32\dllcache\service.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
c:\winnt\system32\dllcache\FireDaemon.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\SED\SED.exe
C:\HijackThis\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PrinterSpool] C:\WINNT\SYSTEM32\PLUGINS\restore.exe C:\WINNT\SYSTEM32\PLUGINS\spool.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe


DLLCOMPARE LOG:

Log of CWS Hidden File locator
These are files found that Windows does not See or cannot Access
________________________________________________

C:\WINNT\SYSTEM32\acfsipc.dll Thu Dec 2 2004 12:42:20a ..S.R 223,232 218.00 K
C:\WINNT\SYSTEM32\ddmsvinn.dll Wed Dec 8 2004 6:50:14p ..S.R 225,289 220.01 K
C:\WINNT\SYSTEM32\djserial.dll Wed Dec 8 2004 10:50:04p ..S.R 225,289 220.01 K
C:\WINNT\SYSTEM32\e0jm0a~1.dll Thu Dec 2 2004 3:22:48p ..S.R 223,782 218.54 K
C:\WINNT\SYSTEM32\fp0u03~1.dll Thu Dec 2 2004 12:55:18a ..S.R 224,575 219.31 K
C:\WINNT\SYSTEM32\h84m0i~1.dll Wed Dec 8 2004 6:50:12p ..S.R 225,437 220.15 K
C:\WINNT\SYSTEM32\ivdicdll.dll Thu Dec 2 2004 3:53:10p ..S.R 225,289 220.01 K
C:\WINNT\SYSTEM32\jt4q07~1.dll Thu Dec 2 2004 12:10:52a ..S.R 223,779 218.53 K
C:\WINNT\SYSTEM32\jtpm07~1.dll Thu Dec 2 2004 12:42:18a ..S.R 223,409 218.17 K
C:\WINNT\SYSTEM32\lbcalspl.dll Thu Dec 2 2004 3:23:02p ..S.R 223,672 218.43 K
C:\WINNT\SYSTEM32\m6nq0g~1.dll Wed Dec 8 2004 9:56:30p ..S.R 225,661 220.37 K
C:\WINNT\SYSTEM32\mv66l9~1.dll Thu Dec 2 2004 12:35:12a ..S.R 224,901 219.63 K
C:\WINNT\SYSTEM32\o8480i~1.dll Thu Dec 9 2004 6:27:04a ..S.R 225,289 220.01 K
C:\WINNT\SYSTEM32\o8pq0i~1.dll Wed Dec 8 2004 8:56:14p ..S.R 225,289 220.01 K
C:\WINNT\SYSTEM32\pxxdll.dll Wed Dec 8 2004 9:14:36p ..S.R 225,289 220.01 K
C:\WINNT\SYSTEM32\q8860i~1.dll Thu Dec 2 2004 3:53:08p ..S.R 225,977 220.68 K
C:\WINNT\SYSTEM32\r88s0i~1.dll Thu Dec 2 2004 12:20:12a ..S.R 224,020 218.77 K

1,042 items found: 1,042 files (17 H/S), 0 directories.
Total of file sizes: 192,959,289 bytes 184.02 M


FIND.BAT

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 90EC-963F

Directory of C:\WINNT\System32

12/09/2004 07:03a 553 TBPS.ini
12/09/2004 06:33a <DIR> dllcache
12/09/2004 06:27a 225,289 o8480ihue8480.dll
12/08/2004 10:50p 225,289 djserial.dll
12/08/2004 09:56p 225,661 m6nq0g55e6.dll
12/08/2004 09:14p 225,289 pxxdll.dll
12/08/2004 08:56p 225,289 o8pq0i75e8.dll
12/08/2004 06:50p 225,289 ddmsvinn.dLL
12/08/2004 06:50p 225,437 h84m0ih1e84.dll
12/02/2004 03:53p 225,289 ivdicdll.dll
12/02/2004 03:53p 225,977 q8860ilse8q60.dll
12/02/2004 03:23p 223,672 LBCALSPL.DLL
12/02/2004 03:22p 223,782 e0jm0a11ed.dll
12/02/2004 12:55a 224,575 fp0u03d9e.dll
12/02/2004 12:42a 223,232 acfsipc.dll
12/02/2004 12:42a 223,409 jtpm0771e.dll
12/02/2004 12:35a 224,901 mv66l9js1.dll
12/02/2004 12:20a 224,020 r88s0il7e8q.dll
12/02/2004 12:10a 223,779 jt4q07h5e.dll
11/07/2004 10:42p <DIR> plugins
11/07/2004 04:39p 32 {6AA3DEC5-7967-420A-8096-9161ABE2247D}.dat
19 File(s) 3,820,764 bytes
2 Dir(s) 4,277,157,888 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 90EC-963F

Directory of C:\WINNT\System32

12/09/2004 06:33a <DIR> dllcache
11/07/2004 10:42p <DIR> plugins
11/07/2004 04:39p 32 {6AA3DEC5-7967-420A-8096-9161ABE2247D}.dat
10/06/2004 08:21p <DIR> GroupPolicy
10/06/2004 07:59p 21,692 folder.htt
10/06/2004 07:59p 271 desktop.ini
3 File(s) 21,995 bytes
3 Dir(s) 4,277,157,888 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 90EC-963F

Directory of C:\WINNT\System32

12/09/2004 06:33a 225,661 guard.tmp
1 File(s) 225,661 bytes
0 Dir(s) 4,277,223,424 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 90EC-963F

Directory of C:\WINNT\System32

12/09/2004 06:33a 225,661 guard.tmp
12/02/2004 12:17a 0 ~GLH0013.TMP
12/02/2004 12:08a 0 ~GLH0008.TMP
12/07/1999 06:00a 2,577 CONFIG.TMP
4 File(s) 228,238 bytes
0 Dir(s) 4,277,223,424 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{7C9371A0-F63C-4B5B-9A58-8F68FDC16DE6}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\m6nq0g55e6.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


---------------- Xfind Results -----------------

'Xfind' is not recognized as an internal or external command,
operable program or batch file.

-------------- Locate.com Results ---------------


LoPhatPhuud
First:
Download Killbox from here: http://www.downloads.subratam.org/KillBox.zip

Run Killbox.exe and be sure that 'Delete on Reboot' is checked

Select the Folder Icon to the right of the Address Area and find the following file(s) one at a time:
C:\WINNT\SYSTEM32\o8480ihue8480.dll
C:\WINNT\SYSTEM32\djserial.dll
C:\WINNT\SYSTEM32\m6nq0g55e6.dll
C:\WINNT\SYSTEM32\pxxdll.dll
C:\WINNT\SYSTEM32\o8pq0i75e8.dll
C:\WINNT\SYSTEM32\ddmsvinn.dLL
C:\WINNT\SYSTEM32\h84m0ih1e84.dll
C:\WINNT\SYSTEM32\ivdicdll.dll
C:\WINNT\SYSTEM32\q8860ilse8q60.dll
C:\WINNT\SYSTEM32\LBCALSPL.DLL
C:\WINNT\SYSTEM32\e0jm0a11ed.dll
C:\WINNT\SYSTEM32\fp0u03d9e.dll
C:\WINNT\SYSTEM32\acfsipc.dll
C:\WINNT\SYSTEM32\jtpm0771e.dll
C:\WINNT\SYSTEM32\mv66l9js1.dll
C:\WINNT\SYSTEM32\r88s0il7e8q.dll
C:\WINNT\SYSTEM32\jt4q07h5e.dll
C:\WINNT\SYSTEM32\guard.tmp


Note: You can also cut and paste the files listed above if the full path and file name have been specified. Most files are located in C:\Windows\ or C:\Windows\System32\

After each one, press the delete button on the far right of the address bar

Each time you will get a dialog box asking if you want to reboot
Press 'No' for all but the last file
After the last file has been entered, press 'Yes'
Your computer will reboot and delete the files

Verify that all the files have actually been deleted.


Second:
Hoster Instructions:

=== Begin Hosts File Reset ===
1. Download the Hoster from here:
http://members.aol.com/toadbee/hoster.zip
2. Install the program and run it.
3. Press 'Restore Original Hosts' and press 'OK'
4. Exit Program.

Note: This program also has a Hosts file backup facility that you may want to use if you have added custom entries to the Hosts file.


Third:
Launch Notepad.
Copy/paste the text in the box below into a new text file.
Save it as fixme.reg on your Desktop

CODE
REGEDIT4

REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{7C9371A0-F63C-4B5B-9A58-8F68FDC16DE6}"=-


Locate fixme.reg on your Desktop and double-click on it.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".

Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".


Fourth:
Run HiJackThis again and post a new log in this thread
Be sure to include the entire log in your post. Use ctrl-a and ctrl-c to copy it from notepad.
IJ300
Hello, first I would like to say thank you for helping me. I do have a question though, in the Third step the fixme.reg seems odd. Is this the code I use?

CODE
REGEDIT4

REGEDIT4


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{7C9371A0-F63C-4B5B-9A58-8F68FDC16DE6}"=-
IJ300
I looked at other posts here and saw how the fixreg.reg should look. This is what I saved:

CODE
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{7C9371A0-F63C-4B5B-9A58-8F68FDC16DE6}"=-


Here is the latest hijackthis log:

Logfile of HijackThis v1.98.2
Scan saved at 5:20:29 PM, on 12/9/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
c:\winnt\system32\dllcache\FireDaemon.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
c:\winnt\system32\dllcache\service.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
c:\winnt\system32\dllcache\FireDaemon.EXE
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ykvwky.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SED\SED.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [PrinterSpool] C:\WINNT\SYSTEM32\PLUGINS\restore.exe C:\WINNT\SYSTEM32\PLUGINS\spool.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
LoPhatPhuud
OK, we are making progress....


First:
Download LSPfix here: www.cexx.org/lspfix.htm

Launch the application, and click the "I know what I'm doing" checkbox.
Check all instances of calsp.dll (and nothing else), and move them to the "Remove" pane.
Then click Finish

Reboot


Second:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HijackThis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot

O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

Close all windows except HijackThis and click Fix checked.

Reboot in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\Program Files\SED\ <-- delete entire folder
C:\Program Files\Common Files\WinTools\ <-- delete entire folder
C:\Program Files\Toolbar\ <-- delete entire folder
C:\WINNT\system32\ykvwky.exe

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.


HiJackThis version 198.2 is now available.
If you do not already have it installed, download it from here:
http://www.computercops.biz/downloads-file-328.html
http://tomcoyote.org/hjt/

Then run HiJackThis again and post a new log in this thread.
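The helper's read of the logs above (hosts entries pointing search domains at an outside address, a Run entry launched from system32\plugins, the same unknown LSP DLL listed several times, nameless BHOs and URL search hooks) can be written down as a small triage script. This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the logs posted above, and the categories, thresholds and "unusual directory" list are this script's own assumptions.

```python
"""Triage helper for HijackThis v1.98-style log lines.

Added example (not part of the thread or of HijackThis). It applies the
same judgement the helper used on the posted logs to any text fed in.
"""
import re
from collections import Counter

# Sample input constructed from lines quoted in the thread above.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PrinterSpool] C:\WINNT\SYSTEM32\PLUGINS\restore.exe C:\WINNT\SYSTEM32\PLUGINS\spool.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
"""

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Directories from which legitimate autostart binaries are rarely run (assumption).
ODD_RUN_DIRS = ("\\system32\\plugins\\", "\\dllcache\\", "\\temp\\")


def parse(log: str):
    """Yield (section, body) pairs, e.g. ('O4', 'HKLM\\..\\Run: [x] c:\\...')."""
    for line in log.splitlines():
        m = re.match(r"^([RO]\d+)\s+-\s+(.*)$", line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log: str):
    """Return a list of (section, reason, detail) findings, in log order."""
    findings = []
    lsp = Counter()  # unknown LSP DLL -> number of times it is chained in
    for sec, body in parse(log):
        low = body.lower()
        if sec == "O1":
            # "Hosts: <ip> <hostname>": anything not loopback is a redirect
            ip, host = body.split(":", 1)[1].split()[:2]
            if ip not in LOOPBACK:
                findings.append((sec, f"hosts redirects {host} to {ip}", body))
        elif sec == "O4" and any(d in low for d in ODD_RUN_DIRS):
            findings.append((sec, "autostart from unusual directory", body))
        elif sec == "O10":
            # first colon ends the fixed prefix; the path itself contains "c:"
            lsp[low.split(":", 1)[1].strip()] += 1
        elif sec in ("O2", "R3") and "(no name)" in low:
            findings.append((sec, "nameless browser hook/BHO", body))
    for dll, n in lsp.items():
        findings.append(("O10", f"unknown LSP loaded {n} time(s); remove every instance", dll))
    return findings


if __name__ == "__main__":
    for sec, why, detail in triage(SAMPLE_LOG):
        print(f"{sec:4} {why}: {detail}")
```

The same function can be pointed at a full log saved from HijackThis; the Norton toolbar and ccApp lines pass through untouched, which is the point of the checks being positive indicators rather than a whitelist.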
IJ300
Here is the new log. I went to delete ykvwky.exe, but got a message it was in use so I tried Killbox, but it couldn't find it. I see that it is in this log, but going to that destination it is not there. I have "Show Hidden and System files and folders" enabled. I have highlighted a few others that concern me. I await your help and appreciate it.



Logfile of HijackThis v1.98.2
Scan saved at 6:27:02 PM, on 12/9/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
c:\winnt\system32\dllcache\FireDaemon.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
c:\winnt\system32\dllcache\service.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
c:\winnt\system32\dllcache\FireDaemon.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ykvwky.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe
c:\winnt\system32\dllcache\cmd.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PrinterSpool] C:\WINNT\SYSTEM32\PLUGINS\restore.exe C:\WINNT\SYSTEM32\PLUGINS\spool.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
IJ300
One more thing....next to the Start button I have 4 quick launch buttons, after the fix I now have a mirror of those icons, a duplicate if you will to the right. :blink: