Infected with new vx2 variant, please help Bobby
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
khelbena
Bobby, here are several logs. The first one is the log of your find.bat file, called output.txt.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 80C3-6C79

Directory of C:\Windows\System32

12/13/2004 03:32 PM 226,015 mv8ml9l11.dll
12/13/2004 03:04 PM 226,015 k008ladu1d08.dll
12/13/2004 10:23 AM 224,420 fpn2035oe.dll
12/09/2004 04:22 PM <DIR> dllcache
12/08/2004 10:36 AM 224,700 m0820aloedqc0.dll
12/08/2004 09:08 AM 223,232 g0lmla311d.dll
11/19/2002 09:22 PM <DIR> Microsoft
5 File(s) 1,124,382 bytes
2 Dir(s) 36,312,072,192 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 80C3-6C79

Directory of C:\Windows\System32

12/09/2004 04:22 PM <DIR> dllcache
09/17/2001 09:42 AM 488 WindowsLogon.manifest
09/17/2001 09:42 AM 488 logonui.exe.manifest
09/17/2001 09:42 AM 749 cdplayer.exe.manifest
09/17/2001 09:42 AM 749 ncpa.cpl.manifest
09/17/2001 09:42 AM 749 nwc.cpl.manifest
09/17/2001 09:42 AM 749 sapi.cpl.manifest
09/17/2001 09:42 AM 749 wuaucpl.cpl.manifest
08/18/2001 09:00 AM 2 desktop.ini
8 File(s) 4,723 bytes
1 Dir(s) 36,312,068,096 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 80C3-6C79

Directory of C:\Windows\System32

12/14/2004 09:27 AM 226,015 guard.tmp
1 File(s) 226,015 bytes
0 Dir(s) 36,312,064,000 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 80C3-6C79

Directory of C:\Windows\System32

12/14/2004 09:27 AM 226,015 guard.tmp
08/18/2001 09:00 AM 2,577 CONFIG.TMP
2 File(s) 228,592 bytes
0 Dir(s) 36,312,064,000 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{6EF66B11-7BD6-43A5-85C0-0CBB31A3F5D5}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\Windows\\system32\\k008ladu1d08.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------

C:\Windows\System32\K008LA~1.DLL +++ File read error

-------------- Locate.com Results ---------------


C:\WINDOWS\SYSTEM32\
fpn203~1.dll Mon Dec 13 2004 10:23:18a ..S.R 224,420 219.16 K
g0lmla~1.dll Wed Dec 8 2004 9:08:46a ..S.R 223,232 218.00 K
k008la~1.dll Mon Dec 13 2004 3:04:14p ..S.R 226,015 220.71 K
m0820a~1.dll Wed Dec 8 2004 10:36:14a ..S.R 224,700 219.43 K
mv8ml9~1.dll Mon Dec 13 2004 3:32:06p ..S.R 226,015 220.71 K

5 items found: 5 files, 0 directories.
Total of file sizes: 1,124,382 bytes 1.07 M


OK, next is the HijackThis log.

Logfile of HijackThis v1.98.2
Scan saved at 9:37:21 AM, on 12/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\Explorer.EXE
C:\Program Files\RealVNC\WinVNC\winvnc.exe
C:\Program Files\PopUp Killer\PopUpKiller.exe
C:\Windows\System32\ywiayq.exe
C:\Windows\System32\taskmgr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\system32\rundll32.exe
C:\Documents and Settings\Agent1\My Documents\downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: earch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [kpekxc] C:\Windows\System32\kpekxc.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - Global Startup: FacetWin Agent.lnk = C:\FacetWin\fwagent.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1346E3B4-F606-48D5-B2C2-E5A5CB2B2579}: Domain =
O17 - HKLM\System\CCS\Services\Tcpip\..\{1346E3B4-F606-48D5-B2C2-E5A5CB2B2579}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\..\{1346E3B4-F606-48D5-B2C2-E5A5CB2B2579}: Domain =
O17 - HKLM\System\CS1\Services\Tcpip\..\{1346E3B4-F606-48D5-B2C2-E5A5CB2B2579}: NameServer =



I also have the guard.tmp file; it was modified on 12-14-04 and was created on 12-13-04.

I notice that when I clean everything up, the rundll32.exe file is also infected, I think.

Think you can help me out?
Bobbi Flekman
Hi khelbena,

You might want to save this page in your favorites, so you can find it again when you return. You can also click on your name and click on "Find All Posts" to find your thread.

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.

CODE
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{6EF66B11-7BD6-43A5-85C0-0CBB31A3F5D5}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Download Killbox by Option^Explicit. Extract it from the zip file, then double-click on Killbox.exe to run it. Click on "Delete on Reboot"; in the "Full Path of File to Delete" box, enter C:\Windows\System32\guard.tmp
and click on the button with the white cross in a red circle. You will get a question "File will be Deleted on Next Reboot"; answer Yes, followed by "File will be Removed on Reboot, Do you want to reboot now?"; answer "No". Do the same for these files:
C:\Windows\System32\mv8ml9l11.dll
C:\Windows\System32\k008ladu1d08.dll
C:\Windows\System32\fpn2035oe.dll
C:\Windows\System32\m0820aloedqc0.dll
C:\Windows\System32\g0lmla311d.dll
C:\Windows\System32\ywiayq.exe
C:\Windows\System32\kpekxc.exe
After the last one, click the button and answer "Yes" on the "Reboot now?" question. Let Killbox do its work.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: earch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [kpekxc] C:\Windows\System32\kpekxc.exe

There are restrictions set on Control Panel and Internet Explorer. If you or your system administrator has not set these restrictions, also check these items.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) -


Then close all windows and browsers except HijackThis. Tell HijackThis to "Fix checked". Restart your computer and post a new log in this thread.

Attached is a zip file. Extract it and run the batch file. Wait until the program ends. It creates two text files, c:\win.txt and c:\start.txt. Post these so we can handle that one.
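Added example (an editor's addition; not code from either poster, nor from the Find It or HijackThis tools). The "Keys Under Notify" section of the find.bat output is a REGEDIT4 export of the Winlogon notification packages, and the fixme.reg above removes the rogue subkey with a `[-key]` line. The script below parses such an export, decodes the `hex(2)` (REG_EXPAND_SZ) DllName values, flags any package whose DLL is given as a full path or is not on a baseline list, and emits the same kind of removal .reg. The baseline set is an assumption for this example (the stock Windows XP SP1 notification DLLs seen in the posted log plus Intel's igfxsrvc.dll); the sample export is constructed from three subkeys of the posted log.

```python
"""Flag rogue Winlogon\\Notify packages in a REGEDIT4 export and build a removal .reg.

Added example, not from the thread or its tools. BASELINE_DLLS is an assumption:
the stock XP SP1 notification packages seen in the posted log plus igfxsrvc.dll.
"""
import re

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumption: DLLs legitimately registered as notification packages on this box.
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
                 "wlnotify.dll", "igfxsrvc.dll"}

# Constructed sample: three subkeys taken from the posted find.bat output. The
# "App Management" entry is the VX2 one; its DllName is a full path.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\Windows\\system32\\k008ladu1d08.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _unescape(s):
    """Undo REGEDIT4 string escaping: a backslash escapes the next character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def decode_reg_value(raw):
    """Decode one REGEDIT4 value: "string", hex(2) (REG_EXPAND_SZ) or dword."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        # REGEDIT4 (ANSI) exports one byte per char; Regedit5 exports UTF-16LE.
        if len(data) >= 2 and data[0] != 0 and data[1] == 0:
            return data.decode("utf-16-le").rstrip("\x00")
        return data.decode("latin-1").rstrip("\x00")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_regedit4(text):
    """Return {key_path: {value_name: decoded_value}} for a REGEDIT4 export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_reg_value(m.group(2))
    return keys


def find_suspicious(text, baseline=BASELINE_DLLS):
    """Return (subkey, dll, reason) for Notify packages that are off-baseline or path-qualified."""
    findings = []
    for key, values in parse_regedit4(text).items():
        if not key.lower().startswith(NOTIFY_ROOT.lower() + "\\"):
            continue  # the Notify root itself, or an unrelated key
        package = key[len(NOTIFY_ROOT) + 1:]
        # the export spells the value both "DllName" and "DLLName"
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if dll is None:
            findings.append((package, None, "no DllName value"))
            continue
        reasons = []
        if "\\" in dll or ":" in dll:
            reasons.append("DLL given as a full path (the stock packages use a bare name)")
        if dll.rsplit("\\", 1)[-1].lower() not in baseline:
            reasons.append("DLL not on the baseline notification-package list")
        if reasons:
            findings.append((package, dll, "; ".join(reasons)))
    return findings


def removal_reg(findings):
    """Build a REGEDIT4 file that deletes each flagged subkey ([-key] syntax)."""
    lines = ["REGEDIT4", ""]
    for package, _dll, _reason in findings:
        lines.append("[-%s\\%s]" % (NOTIFY_ROOT, package))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_EXPORT)
    for package, dll, reason in hits:
        print("%s -> %s: %s" % (package, dll, reason))
    print(removal_reg(hits))
```

Deleting the subkey only unregisters the package; the DLL itself stays loaded in winlogon.exe until reboot, which is why the thread pairs the .reg with a delete-on-reboot tool.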
khelbena
OK, deleted the files you suggested with Killbox and ran the reg fix. Also, the restrictions and MeadCo are set by the sysadmin; can't remove those.


Here is the new HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 9:24:10 AM, on 12/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\Explorer.EXE
C:\Program Files\RealVNC\WinVNC\winvnc.exe
C:\Program Files\PopUp Killer\PopUpKiller.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Documents and Settings\Agent1\My Documents\downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - Global Startup: FacetWin Agent.lnk = C:\FacetWin\fwagent.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1346E3B4-F606-48D5-B2C2-E5A5CB2B2579}: Domain =
O17 - HKLM\System\CCS\Services\Tcpip\..\{1346E3B4-F606-48D5-B2C2-E5A5CB2B2579}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\..\{1346E3B4-F606-48D5-B2C2-E5A5CB2B2579}: Domain =
O17 - HKLM\System\CS1\Services\Tcpip\..\{1346E3B4-F606-48D5-B2C2-E5A5CB2B2579}: NameServer =
Here are the contents of win.txt:
C:\WINDOWS\system32\gcwagi.dll: updates.qoologic.com
C:\WINDOWS\system32\gcwugi.dll: updates.qoologic.com
C:\WINDOWS\system32\phzupx.exe: updates.qoologic.com
C:\WINDOWS\system32\qeorqs.dll: updates.qoologic.com
C:\WINDOWS\system32\qpauqg.dat: .aspack
C:\WINDOWS\system32\ywiayq.exe: .aspack
C:\WINDOWS\system32\ywiays.exe: .aspack

Here is start.txt:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\yhugyf.exe: .aspack
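Added example (an editor's addition; not the batch file Bobbi attached, whose contents the thread does not show). The win.txt and start.txt lines above have the shape "path: marker": files under System32 and the Startup folder in which a marker was found, either the update host updates.qoologic.com or .aspack, the section name the ASPack packer leaves in a PE file. The script below reproduces that sweep in Python, searching each file for the host string and reading the PE section table properly instead of grepping for ".aspack" (a raw string search would also hit a text file that merely mentions it). The scanned files are constructed in a temp directory: minimal PE stubs with only a DOS header, COFF header and section table; the file names are borrowed from the posted log.

```python
"""Marker-string and packer-section sweep over a directory (added example).

Reproduces the 'path: marker' output seen in win.txt/start.txt. The PE files it
scans are constructed stubs, not real binaries.
"""
import os
import struct
import tempfile

MARKERS = (b"updates.qoologic.com",)      # update host named in the posted win.txt
PACKER_SECTIONS = {b".aspack"}            # section name left by the ASPack packer


def build_minimal_pe(section_names, payload=b""):
    """Constructed PE stub: DOS header, PE signature, COFF header, section table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0: none), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + table + payload


def pe_section_names(data):
    """Return the section names of a PE image, or [] if the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4
    if data[e_lfanew:coff] != b"PE\x00\x00" or coff + 20 > len(data):
        return []
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    names = []
    for i in range(nsections):
        off = table + i * 40                # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\x00"))
    return names


def scan_file(path):
    """Hits for one file: embedded marker strings plus packer section names."""
    with open(path, "rb") as f:
        data = f.read()
    hits = [m.decode("ascii") for m in MARKERS if m in data]
    hits += [n.decode("latin-1") for n in pe_section_names(data)
             if n.lower() in PACKER_SECTIONS]
    return hits


def scan_directory(directory):
    """One 'path: hit' line per hit, in the format of the posted win.txt."""
    lines = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            lines += ["%s: %s" % (path, h) for h in scan_file(path)]
    return lines


def demo():
    """Write constructed samples to a temp directory and scan them."""
    d = tempfile.mkdtemp()
    samples = {
        "qeorqs.dll": build_minimal_pe([b".text", b".data"], b"\x00updates.qoologic.com\x00"),
        "ywiayq.exe": build_minimal_pe([b".text", b".aspack"]),
        "clean.dll": build_minimal_pe([b".text", b".rdata"]),
        "notes.txt": b"a text file that mentions .aspack but is not a PE",
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    return scan_directory(d)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A packer section name is only a hint: legitimate software is packed too, so treat ".aspack" as a reason to look at the file, not as proof by itself.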
khelbena
grrrr....

OK, after we did this I thought all was looking good so far, but about 10 min later I noticed the hosts file was modified again. Here is a copy of the hosts file:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
# This list is Copyright 2000-2004 Patrick M. Kolla / Safer Networking Limited


127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
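Added example (an editor's addition, not part of the thread). The hosts file above contrasts with the O1 lines in the first HijackThis log: both are hostname overrides, but the Spybot entries map ad and hijacker domains to 127.0.0.1 (a block), while the earlier entries mapped auto.search.msn.com, search.netscape.com and ieautosearch to 69.20.16.183 (a redirect of browser search traffic to a third-party address). The script classifies entries on that basis, both for raw hosts-file text and for HijackThis O1 lines, and reports the truncated "O1 - Hosts: earch" entry instead of silently skipping it. The samples are constructed from the entries posted in the thread.

```python
"""Classify hosts-file overrides as sinkhole blocks or redirects (added example).

A loopback or 0.0.0.0 target is a block (what Spybot's hosts list writes); any
other target points a name at a real address and is a redirect, which on a box
you did not configure that way is a search hijack.
"""
import ipaddress

# Constructed from the hosts file and HijackThis O1 lines posted in the thread.
SAMPLE_HOSTS = """# This list is Copyright 2000-2004 Patrick M. Kolla / Safer Networking Limited
127.0.0.1 localhost
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com   # trailing comment
69.20.16.183 ieautosearch
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
"""

SAMPLE_HJT = """O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: earch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\\..\\Run: [kpekxc] C:\\Windows\\System32\\kpekxc.exe
"""


def classify(ip, host):
    """'block' for a loopback/0.0.0.0 target, 'redirect' otherwise, 'malformed' for a bad IP."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if addr.is_loopback or addr.is_unspecified:
        return "block"
    return "redirect"


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping in hosts-file text; comments stripped."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for host in fields[1:]:          # one line may list several names
            yield fields[0], host.lower()


def audit_hosts(text):
    """Return [(ip, host, verdict)] for a hosts file."""
    return [(ip, host, classify(ip, host)) for ip, host in parse_hosts(text)]


def audit_hijackthis(text):
    """Return [(ip, host, verdict)] for the O1 lines of a HijackThis log.

    An entry with fewer than two tokens (like the posted 'O1 - Hosts: earch')
    is reported as 'truncated' instead of being dropped.
    """
    prefix = "O1 - Hosts: "
    out = []
    for line in text.splitlines():
        if not line.startswith(prefix):
            continue
        entry = line[len(prefix):].split()
        if len(entry) < 2:
            out.append((None, " ".join(entry), "truncated"))
        else:
            out.append((entry[0], entry[1].lower(), classify(entry[0], entry[1])))
    return out


def redirects(results):
    """Just the entries that send a name somewhere other than loopback."""
    return [r for r in results if r[2] == "redirect"]


if __name__ == "__main__":
    for ip, host, verdict in audit_hosts(SAMPLE_HOSTS) + audit_hijackthis(SAMPLE_HJT):
        print("%-9s %-14s %s" % (verdict, ip, host))
```

The check is deliberately about the target address rather than the hostname: a hijacker can pick any name, but it cannot redirect traffic to itself without a non-loopback address in the second column.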
Bobbi Flekman
Hi khelbena,

Can you post a log from Normal mode (not Safe Mode)? Can you also post a log from Find.bat?

Double-click on Killbox.exe to run it. Click on "Delete on Reboot"; in the "Full Path of File to Delete" box, enter C:\WINDOWS\system32\gcwagi.dll and click on the button with the white cross in a red circle. You will get a question "File will be Deleted on Next Reboot"; answer Yes, followed by "File will be Removed on Reboot, Do you want to reboot now?"; answer "No". Do the same for these files:
C:\WINDOWS\system32\gcwugi.dll
C:\WINDOWS\system32\phzupx.exe
C:\WINDOWS\system32\qeorqs.dll
C:\WINDOWS\system32\qpauqg.dat
C:\WINDOWS\system32\ywiayq.exe
C:\WINDOWS\system32\ywiays.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\yhugyf.exe
After the last one, click the button and answer "Yes" on the "Reboot now?" question. Let Killbox do its work. Afterwards, post the new files from this batch file.

Did you set Spybot to guard the hosts file? I see evidence that they modified it...
khelbena
Sorry, have been out of town all morning. Here are new logs from find and HijackThis. Followed your instructions and deleted the recommended files using Killbox. Also, I believe at one point Spybot was set to protect the hosts file, but all those entries have been removed and the only things in there are the ones listed in the previous post.

OK, the first log is find.bat:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 80C3-6C79

Directory of C:\Windows\System32

12/09/2004 04:22 PM <DIR> dllcache
11/19/2002 09:22 PM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 36,312,281,088 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 80C3-6C79

Directory of C:\Windows\System32

12/09/2004 04:22 PM <DIR> dllcache
09/17/2001 09:42 AM 488 WindowsLogon.manifest
09/17/2001 09:42 AM 488 logonui.exe.manifest
09/17/2001 09:42 AM 749 cdplayer.exe.manifest
09/17/2001 09:42 AM 749 ncpa.cpl.manifest
09/17/2001 09:42 AM 749 nwc.cpl.manifest
09/17/2001 09:42 AM 749 sapi.cpl.manifest
09/17/2001 09:42 AM 749 wuaucpl.cpl.manifest
08/18/2001 09:00 AM 2 desktop.ini
8 File(s) 4,723 bytes
1 Dir(s) 36,312,281,088 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 80C3-6C79

Directory of C:\Windows\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 80C3-6C79

Directory of C:\Windows\System32

08/18/2001 09:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 36,312,276,992 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{6EF66B11-7BD6-43A5-85C0-0CBB31A3F5D5}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\Windows\\system32\\mv8ml9l11.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------


No matches found.


OK, next is HijackThis....

Logfile of HijackThis v1.98.2
Scan saved at 2:03:34 PM, on 12/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Windows\System32\wuauclt.exe
C:\Windows\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\FacetWin\fwagent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Windows\System32\wuauclt.exe
C:\Documents and Settings\Agent1\My Documents\downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - Global Startup: FacetWin Agent.lnk = C:\FacetWin\fwagent.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1346E3B4-F606-48D5-B2C2-E5A5CB2B2579}: Domain =
O17 - HKLM\System\CCS\Services\Tcpip\..\{1346E3B4-F606-48D5-B2C2-E5A5CB2B2579}: NameServer = 6
O17 - HKLM\System\CS1\Services\Tcpip\..\{1346E3B4-F606-48D5-B2C2-E5A5CB2B2579}: Domain =
O17 - HKLM\System\CS1\Services\Tcpip\..\{1346E3B4-F606-48D5-B2C2-E5A5CB2B2579}: NameServer =


OK, all of the above was done in normal mode... oh, one other thing: upon reboot after deleting with Killbox, WinPatrol popped up and asked if I wanted to allow ywiayq.exe to run at startup. I chose no.
Bobbi Flekman
Hi khelbena,

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.

CODE
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{6EF66B11-7BD6-43A5-85C0-0CBB31A3F5D5}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

QUOTE
OK, all of the above was done in normal mode... oh, one other thing: upon reboot after deleting with Killbox, WinPatrol popped up and asked if I wanted to allow ywiayq.exe to run at startup. I chose no.
Qoologic isn't over yet! Can you run the batch file from the Qoologic download and post the two text files it creates?
khelbena
OK, ran the reg file; it imported fine.

Ran the batch file from the Qoologic download; attaching the files in the zip file.
The files are win.txt and start.txt.
khelbena
Hmm, just looked at the files and they are blank. I am going to run the program again; maybe it was terminated early.
Bobbi Flekman
Hi khelbena,

Can you post a log from HijackThis?

I attached a new version of find.zip. Can you run that as well and post the files it creates?
khelbena
Here is the HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 11:28:03 AM, on 12/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Windows\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\FacetWin\fwagent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Windows\System32\wuauclt.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Windows\System32\cmd.exe
C:\Windows\system32\ntvdm.exe
C:\WINDOWS\system32\strings.exe
C:\WINDOWS\system32\find.exe
C:\Documents and Settings\Agent1\My Documents\downloads\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: FacetWin Agent.lnk = C:\FacetWin\fwagent.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: strings.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1346E3B4-F606-48D5-B2C2-E5A5CB2B2579}: Domain =
O17 - HKLM\System\CCS\Services\Tcpip\..\{1346E3B4-F606-48D5-B2C2-E5A5CB2B2579}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\..\{1346E3B4-F606-48D5-B2C2-E5A5CB2B2579}: Domain =
O17 - HKLM\System\CS1\Services\Tcpip\..\{1346E3B4-F606-48D5-B2C2-E5A5CB2B2579}: NameServer =


Here is the log from the new find.bat file:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Agent1\My Documents\downloads\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 80C3-6C79

Directory of C:\Windows\System32

12/09/2004 04:22 PM <DIR> dllcache
11/19/2002 09:22 PM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 36,254,752,768 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 80C3-6C79

Directory of C:\Windows\System32

12/09/2004 04:22 PM <DIR> dllcache
09/17/2001 09:42 AM 488 WindowsLogon.manifest
09/17/2001 09:42 AM 488 logonui.exe.manifest
09/17/2001 09:42 AM 749 cdplayer.exe.manifest
09/17/2001 09:42 AM 749 ncpa.cpl.manifest
09/17/2001 09:42 AM 749 nwc.cpl.manifest
09/17/2001 09:42 AM 749 sapi.cpl.manifest
09/17/2001 09:42 AM 749 wuaucpl.cpl.manifest
08/18/2001 09:00 AM 2 desktop.ini
8 File(s) 4,723 bytes
1 Dir(s) 36,254,752,768 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 80C3-6C79

Directory of C:\Windows\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 80C3-6C79

Directory of C:\Windows\System32

08/18/2001 09:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 36,254,744,576 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

No matches found.

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpKiller"="C:\\Program Files\\PopUp Killer\\PopUpKiller.EXE"
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"


I re-ran the one for the Qoologic and it creates the win.txt and start.txt files, but they are blank.
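The "Keys Under Notify" section of the log above is dumped because Winlogon notification packages are a persistence point: every DllName listed under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify is loaded into winlogon.exe at logon, before any user shell starts. The following is an added example (not part of this thread, of the Find It tool or of HijackThis) that parses that REGEDIT4 export, decodes the hex(2) (REG_EXPAND_SZ) DllName values, and reports any package whose DLL is not on an allowlist. The allowlist is an assumption built from the Notify entries in the logs this thread's helper called clean; the `sample_pkg` entry in the constructed sample export is a placeholder for an unknown DLL, not something taken from the logs.

```python
"""Parse the REGEDIT4 export of HKLM\\...\\Winlogon\\Notify (the "Keys Under
Notify" section of the find.bat log) and report notification packages whose
DLL is not on an allowlist. Added example for this thread; not part of the
Find It tool or of HijackThis."""
import re

# Allowlist: the Notify DLLs present in the logs this thread's helper called
# clean. Assumption: complete for this XP SP1 build; adjust for other systems.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "igfxsrvc.dll", "wlnotify.dll", "sclgntfy.dll",
}

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
NOTIFY_SUBKEY_RE = re.compile(r"\\Winlogon\\Notify\\([^\\]+)$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

def decode_reg_value(data):
    """Decode the REGEDIT4 data forms seen for DllName.

    "text"           REG_SZ; backslash and double quote are backslash-escaped
    hex(2):63,..,00  REG_EXPAND_SZ as comma-separated ANSI bytes, NUL-terminated
    Anything else (dword:..., plain hex:...) is returned unchanged.
    """
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"^hex\(2\):(.*)$", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return raw.split(b"\x00", 1)[0].decode("latin-1")
    return data

def parse_notify_export(text):
    """Return {subkey: {value_name_lowercased: decoded_data}} for each
    Notify\\<subkey>; the parent Notify key and unrelated keys are ignored."""
    packages, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            sm = NOTIFY_SUBKEY_RE.search(km.group("path"))
            current = sm.group(1) if sm else None
            if current is not None:
                packages[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            # the export mixes "DllName" and "DLLName"; normalise the case
            packages[current][vm.group("name").lower()] = decode_reg_value(vm.group("data"))
    return packages

def suspicious_notify_packages(text):
    """[(subkey, dllname)] for every package whose DLL is not allowlisted.
    A bare file name in DllName resolves from System32, so only the base
    name is compared; a full path is reported as written."""
    hits = []
    for subkey, values in parse_notify_export(text).items():
        dll = values.get("dllname", "").strip()
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base not in KNOWN_NOTIFY_DLLS:
            hits.append((subkey, dll))
    return hits

# Constructed sample: two entries copied from the thread's log plus one
# placeholder package ("sample_pkg") that stands in for an unknown DLL.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sample_pkg]
"DLLName"="C:\\Windows\\System32\\sample_pkg.dll"
"Logon"="SampleLogonEvent"
"""

if __name__ == "__main__":
    for subkey, dll in suspicious_notify_packages(SAMPLE_EXPORT):
        print(f"review Notify\\{subkey}: DllName={dll}")
```

Run it against the "Keys Under Notify" section pasted into a file and anything it prints is a package to look at by hand; an empty result for this thread's logs matches the helper's reading that they are clean.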
Bobbi Flekman
Hi khelbena,

There is a newer version (1.99) of HijackThis than what you are using. Please get the new version from one of these addresses.
http://209.133.47.12/~merijn/files/HijackThis.exe
http://www.mjc1.com/mirror/hjt/
http://downloads.net-integration.net/HijackThis.exe
http://www.computercops.biz/downloads-file-328.html
http://www.downloads.subratam.org/hijackthis.zip

Okay! It seems that you're clean. This new version of VX2/Look2Me is known to mess with your computer. Is there anything out of the ordinary? Can you print? Create a file and delete it. Is it going into the Recycle Bin? If not, launch Notepad, and copy/paste the box below into a new text file. Save it as RepBin.bat on your Desktop.

CODE
rem Clear the hidden/system/read-only attributes on the whole Recycler tree so it can be removed
attrib -h -s -r c:\recycler /s /d
rem Remove the tree (del alone only clears top-level files); Windows rebuilds the Recycle Bin on the next delete
rd /s /q c:\recycler


Locate RepBin.bat on your Desktop and double-click on it.
Close the window and restart your computer.

Anything else?
khelbena
OK, thanks for the help and the tip on updating HijackThis. I have another machine which is doing some weird things: not opening programs, and it won't let me open the Start menu after a few minutes of being logged in. I will start a new thread and post the appropriate logs.
khelbena
OK Bobbi, this is the log from a machine that is not letting me open programs and/or the Start menu; it has popups out the wazoo. I have removed many programs via Add/Remove, Spybot and Ad-Aware. Here is the HijackThis log after I have removed the first round of obvious stuff. I will also post the results of the find.bat file you sent me, just in case. The machine, I think, has something on it that was "eating CPU time" and causing everything else to be killed. It is a little better since I have done the cleaning. Can you take a look and see if I missed anything, or if that nasty new VX2 variant is present?

Here is the HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 3:50:44 PM, on 12/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Windows\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\FacetWin\fwagent.exe
C:\Program Files\RealVNC\WinVNC\winvnc.exe
C:\Windows\System32\wuauclt.exe
C:\Documents and Settings\agent4\My Documents\New Folder\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\Windows\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [CSISetup] S:\PCSetup\disk1\setup.exe -fdailysetup.ins
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: FacetWin Agent.lnk = C:\FacetWin\fwagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DAF92E91-7EC4-4B4C-B784-79848EC03E26}: Domain =
O17 - HKLM\System\CCS\Services\Tcpip\..\{DAF92E91-7EC4-4B4C-B784-79848EC03E26}: NameServer =
O23 - Service: Altiris Client Service - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: Compaq Local Alerter - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel® NMS - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Reflection Line Printer Daemon - WRQ, Inc. - C:\Program Files\Reflection\lpdserv.exe
O23 - Service: Win32Sl - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe


Here is the log from find.bat:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\agent4\My Documents\New Folder\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is Compaq
Volume Serial Number is 3372-56BA

Directory of C:\Windows\System32

12/08/2004 10:43 AM 389,120 ?hkdsk.exe
10/18/2004 10:01 AM <DIR> dllcache
11/19/2002 03:22 AM <DIR> Microsoft
1 File(s) 389,120 bytes
2 Dir(s) 35,129,049,088 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is Compaq
Volume Serial Number is 3372-56BA

Directory of C:\Windows\System32

12/08/2004 10:43 AM 389,120 ?hkdsk.exe
10/18/2004 10:01 AM <DIR> dllcache
09/16/2001 03:42 PM 488 logonui.exe.manifest
09/16/2001 03:42 PM 488 WindowsLogon.manifest
09/16/2001 03:42 PM 749 nwc.cpl.manifest
09/16/2001 03:42 PM 749 sapi.cpl.manifest
09/16/2001 03:42 PM 749 ncpa.cpl.manifest
09/16/2001 03:42 PM 749 wuaucpl.cpl.manifest
09/16/2001 03:42 PM 749 cdplayer.exe.manifest
08/17/2001 03:00 PM 2 desktop.ini
9 File(s) 393,843 bytes
1 Dir(s) 35,129,049,088 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is Compaq
Volume Serial Number is 3372-56BA

Directory of C:\Windows\System32


--------- Temp Files in System32 Directory --------

Volume in drive C is Compaq
Volume Serial Number is 3372-56BA

Directory of C:\Windows\System32

06/10/2004 02:51 PM 8,350,720 SET1E.tmp
06/10/2004 02:51 PM 8,350,720 SET9E.tmp
06/10/2004 02:51 PM 8,350,720 SET18.tmp
06/08/2004 05:02 PM 306,688 SET96.tmp
06/08/2004 05:02 PM 306,688 SET15.tmp
06/08/2004 05:02 PM 172,544 SET95.tmp
04/16/2004 07:56 PM 676,864 SET20.tmp
04/16/2004 07:56 PM 676,864 SET41.tmp
04/16/2004 07:56 PM 676,864 SET1A.tmp
04/16/2004 07:56 PM 676,864 SET48.tmp
04/16/2004 07:56 PM 676,864 SETA0.tmp
04/08/2004 01:12 PM 406,528 SET1F.tmp
04/08/2004 01:12 PM 406,528 SET19.tmp
04/08/2004 01:12 PM 406,528 SET9F.tmp
12/16/2003 09:40 AM 117,308 SET43.tmp
12/16/2003 09:40 AM 198,331 SET44.tmp
12/15/2003 12:07 AM 118,784 SET56.tmp
12/15/2003 12:06 AM 323,584 SET49.tmp
12/15/2003 12:05 AM 909,312 SET57.tmp
12/15/2003 12:04 AM 151,552 SET50.tmp
10/06/2003 08:30 PM 1,630,208 SET37.tmp
10/06/2003 08:30 PM 281,088 SET3A.tmp
08/28/2002 09:40 AM 99,840 _000011_.tmp
08/17/2001 03:00 PM 2,577 CONFIG.TMP
24 File(s) 34,274,568 bytes
0 Dir(s) 35,129,036,800 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
hkdsk~1.exe Wed Dec 8 2004 10:43:32a ..SHR 389,120 380.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 389,120 bytes 380.00 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ChkAdmin"="C:\\PROGRA~1\\Compaq\\COMPAQ~1\\CHKADMIN.EXE"
"IgfxTray"="C:\\Windows\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\Windows\\System32\\hkcmd.exe"
"HPDJ Taskbar Utility"="C:\\Windows\\System32\\spool\\drivers\\w32x86\\3\\hpztsb06.exe"
"CSISetup"="S:\\PCSetup\\disk1\\setup.exe -fdailysetup.ins"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"PopUpKiller"="C:\\Program Files\\PopUp Killer\\PopUpKiller.EXE"
"WinPatrol"="C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



Let me know if you see anything that I need to correct. Thanks for all your help.
Bobbi Flekman
Hi khelbena,

I gather that everything is okay now?

If so, we have to do some clean up...

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.

CODE
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{DDFFA75A-E81D-4454-89FC-B9FD0631E726}"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop]
"Taskbar"=-
"Toolbars"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StuckRects2]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"User Agent"="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".
Bobbi Flekman
Hi khelbena,

Launch Notepad, and copy/paste the box below into a new text file. Save it as FindFile.bat and save it on your Desktop.

CODE
rem /a with no attribute letters lists every matching file, hidden and system ones included
dir C:\Windows\System32\?hkdsk.exe /a > files.txt
notepad files.txt


Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.

The log is clean. There's only one possible problem, which is why I gave you this batch thingy to do.
khelbena
OK, here are the results:



Volume in drive C is Compaq
Volume Serial Number is 3372-56BA

Directory of C:\Windows\System32

08/17/2001 03:00 PM 11,776 chkdsk.exe
12/08/2004 10:43 AM 389,120 ?hkdsk.exe
2 File(s) 400,896 bytes

Directory of C:\Documents and Settings\agent4\Desktop
Bobbi Flekman
Ok, last thing to do.

Open Windows Explorer, navigate to the folder "C:\Windows\System32" and find the file "?hkdsk.exe". Delete this file. Take care that you do not delete chkdsk.exe. The file you want to delete is dated 12/08/2004 and is 389,120 bytes in size.

That's all.
khelbena
OK, hope I did this correctly.

There was no file named ?hkdsk.exe in the C:\windows\system32 folder.

There were 3 entries in the registry which I deleted. They were in the HKLM\~windows\run key, and also a bunch of Search Assistant keys and a HKCU\~windows\run key. I deleted these, then I did a search for the file in system32 again and it still wasn't there as listed. But there were 2 chkdsk.exe listed: one was 12K and the other was 380K. I deleted the 380K one and rebooted, reran the find.bat file, and the log only shows the chkdsk.exe file now. Looks clean to me. Let me know if you want any logs posted or whatnot.


Thanks for the help you are a life saver...
Bobbi Flekman
Hi khelbena,

QUOTE
But there were 2 chkdsk.exe listed: one was 12K and the other was 380K. I deleted the 380K one and rebooted, reran the find.bat file, and the log only shows the chkdsk.exe file now. Looks clean to me. Let me know if you want any logs posted or whatnot.
You did good :thumb: That was exactly why I gave the size and date!

Happy surfing!

This log is clean!

This is a good time to set up protection against further attacks. Read the article behind this link: "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall (for example Kerio Personal Firewall or ZoneLabs ZoneAlarm), a spyware blocker like SpywareBlaster and also IE-SPYAD, and spyware detection (Ad-Aware SE and Spybot S&D). All of these have good free versions available... Be very cautious about any security software that advertises in popups or other intrusive ways; it is not only usually useless, but also often has malware in it....

Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protect your computer.

This can be accessed by going to http://windowsupdate.microsoft.com/ and following the prompts. If you are running Windows XP, get updated to SP2.

Please post back if you are still having any problems....
khelbena
OK, I have tried to clean this PC up and am not sure if I got it all out. Posting the HijackThis log and find.bat logs.

Logfile of HijackThis v1.99.0
Scan saved at 10:12:44 AM, on 1/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\NMSSvc.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Windows\Explorer.EXE
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Windows\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Windows\system32\ntvdm.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\FacetWin\fwagent.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Windows\System32\wuauclt.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Windows\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Windows\System32\wuauclt.exe
C:\spywaretools\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\Windows\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [CSISetup] S:\PCSetup\disk1\setup.exe -fdailysetup.ins
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: FacetWin Agent.lnk = C:\FacetWin\fwagent.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 2.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: *.csic.com
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.meadroid.com/scriptx/ScriptX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{363B7228-2048-42F5-95A2-A74680ECF29B}: Domain =
O17 - HKLM\System\CCS\Services\Tcpip\..\{363B7228-2048-42F5-95A2-A74680ECF29B}: NameServer =
O23 - Service: Compaq Local Alerter - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel® NMS - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Reflection Line Printer Daemon - WRQ, Inc. - C:\Program Files\Reflection\lpdserv.exe
O23 - Service: Win32Sl - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: VNC Server - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\WinVNC.exe


Here is the find.bat log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\spywaretools\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 80C3-6C79

Directory of C:\Windows\System32

01/04/2005 09:53 AM <DIR> dllcache
12/22/2004 02:19 PM 389,120 w?nlogon.exe
12/15/2004 06:09 PM 512 Nxzo.tu3
12/15/2004 06:09 PM 233,565 EpbbR84Y.exe
12/15/2004 06:09 PM 233,565 Iqjlow.exe
12/15/2004 06:09 PM 233,565 Qxqi8.exe
12/15/2004 06:09 PM 233,565 Evwx3.exe
12/15/2004 06:09 PM 233,565 Uynb15q.exe
12/15/2004 06:09 PM 233,565 Mwt3HC.exe
08/12/2003 08:03 AM <DIR> Microsoft
08/29/2002 03:41 AM 401,462 msvcp60.dll
08/18/2001 09:00 AM 9,728 regsvr32.exe
10 File(s) 2,202,212 bytes
2 Dir(s) 34,291,937,280 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 80C3-6C79

Directory of C:\Windows\System32

01/04/2005 09:53 AM <DIR> dllcache
12/22/2004 02:19 PM 389,120 w?nlogon.exe
12/15/2004 06:09 PM 512 Nxzo.tu3
12/15/2004 06:09 PM 233,565 EpbbR84Y.exe
12/15/2004 06:09 PM 233,565 Iqjlow.exe
12/15/2004 06:09 PM 233,565 Qxqi8.exe
12/15/2004 06:09 PM 233,565 Evwx3.exe
12/15/2004 06:09 PM 233,565 Uynb15q.exe
12/15/2004 06:09 PM 233,565 Mwt3HC.exe
08/29/2002 03:41 AM 401,462 msvcp60.dll
09/17/2001 09:42 AM 488 logonui.exe.manifest
09/17/2001 09:42 AM 488 WindowsLogon.manifest
09/17/2001 09:42 AM 749 wuaucpl.cpl.manifest
09/17/2001 09:42 AM 749 sapi.cpl.manifest
09/17/2001 09:42 AM 749 nwc.cpl.manifest
09/17/2001 09:42 AM 749 ncpa.cpl.manifest
09/17/2001 09:42 AM 749 cdplayer.exe.manifest
08/18/2001 09:00 AM 2 desktop.ini
08/18/2001 09:00 AM 9,728 regsvr32.exe
18 File(s) 2,206,935 bytes
1 Dir(s) 34,291,933,184 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 80C3-6C79

Directory of C:\Windows\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 80C3-6C79

Directory of C:\Windows\System32

08/18/2001 09:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 34,291,929,088 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
epbbr84y.exe Wed Dec 15 2004 6:09:12p ..SH. 233,565 228.09 K
evwx3.exe Wed Dec 15 2004 6:09:10p ..SH. 233,565 228.09 K
iqjlow.exe Wed Dec 15 2004 6:09:10p ..SH. 233,565 228.09 K
mwt3hc.exe Wed Dec 15 2004 6:09:10p ..SH. 233,565 228.09 K
nxzo.tu3 Wed Dec 15 2004 6:09:12p ..SH. 512 0.50 K
qxqi8.exe Wed Dec 15 2004 6:09:10p ..SH. 233,565 228.09 K
uynb15q.exe Wed Dec 15 2004 6:09:10p ..SH. 233,565 228.09 K
wnlogo~1.exe Wed Dec 22 2004 2:19:40p ..SHR 389,120 380.00 K

8 items found: 8 files, 0 directories.
Total of file sizes: 1,791,022 bytes 1.71 M

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="C:\\Program Files\\COMPAQ\\Easy Access Button Support\\StartEAK.exe"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"ChkAdmin"="C:\\PROGRA~1\\Compaq\\COMPAQ~1\\CHKADMIN.EXE"
"HPDJ Taskbar Utility"="C:\\Windows\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"CSISetup"="S:\\PCSetup\\disk1\\setup.exe -fdailysetup.ins"
"IgfxTray"="C:\\Windows\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\Windows\\System32\\hkcmd.exe"
"WinVNC"="\"C:\\Program Files\\RealVNC\\WinVNC\\WinVNC.exe\" -servicehelper"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinPatrol"="C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe"
"PopUpKiller"="C:\\Program Files\\PopUp Killer\\PopUpKiller.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


You guys are great. Thanks for the great support you provide; keep up the good work and have a Happy New Year.

Thanks Mike
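The "Keys Under Notify" section of the log above is worth a closer look than the file listings: every DLL named under a Winlogon\Notify subkey is loaded into winlogon.exe at logon, so an entry there is a persistence point that outlives deleting files from System32. As an added example (not part of the original thread and not code from the Find.bat tool), here is a Python script that parses a REGEDIT4 dump of those keys, decodes the hex(2) DllName values the export uses, and flags any subkey whose DLL is not in a known-good list. The known-good set is the six DLLs that appear in this thread's logs; the sample export is constructed, and the xyz123 subkey and xyz123.dll in it are hypothetical, added only to show what a hit looks like.

```python
"""Audit a REGEDIT4 dump of HKLM\\...\\Winlogon\\Notify (the "Keys Under Notify"
section of a Find.bat log).  Every DllName here is loaded into winlogon.exe at
logon, so an unknown DLL is a persistence point that outlives file clean-up."""
import re

# The notification packages seen in this thread's logs (Windows XP plus the Intel
# graphics driver).  Anything else should be checked by hand.
KNOWN_GOOD_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "wlnotify.dll", "sclgntfy.dll", "igfxsrvc.dll",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def decode_reg_data(data):
    """Decode one REGEDIT4 data field: "string", dword:hex, or hex(2):bytes."""
    data = data.strip()
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if data.startswith("hex"):
        raw = bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b.strip())
        # REGEDIT4 (as opposed to "Version 5.00") exports are ANSI: one byte per
        # character, NUL-terminated.  cp1252 is the usual Western ANSI code page.
        return raw.decode("cp1252").rstrip("\x00")
    return data


def parse_regedit4(text):
    """Return {key_path: {value_name_lowercased: decoded_value}}."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        # long hex data is wrapped with a trailing backslash; rejoin it
        while line.endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            keys[current][m.group("name").lower()] = decode_reg_data(m.group("data"))
        elif line.startswith("@="):
            keys[current]["@"] = decode_reg_data(line[2:])
    return keys


def audit_notify(text, known_good=KNOWN_GOOD_DLLS):
    """Flag Notify subkeys whose DLL is missing or outside the known-good set."""
    findings = []
    for path, values in parse_regedit4(text).items():
        if "\\winlogon\\notify\\" not in path.lower():
            continue                      # the Notify root key itself, or unrelated keys
        subkey = path.rsplit("\\", 1)[1]
        dll = values.get("dllname")       # "DllName" and "DLLName" both occur in exports
        if dll is None:
            findings.append((subkey, None, "no DllName value"))
        elif dll.lower().rsplit("\\", 1)[-1] not in known_good:
            findings.append((subkey, dll, "DLL not in known-good list"))
    return findings


# Constructed sample: two genuine entries copied from this thread's log format plus
# a hypothetical "xyz123" subkey loading xyz123.dll, which should be the only hit.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xyz123]
"DllName"="xyz123.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001
"""

if __name__ == "__main__":
    for subkey, dll, reason in audit_notify(SAMPLE_EXPORT):
        print(f"Notify\\{subkey}: {dll!r} ({reason})")
```

Run it against the text between "Keys Under Notify" and "Locate.com Results" in any of the logs in this thread; every entry there resolves to one of the six known DLLs, which is why the helpers treated those sections as clean.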
LoPhatPhuud
Your log looks clean, but I would use Killbox to remove some leftovers in the system folder.


Download Killbox from here: http://www.downloads.subratam.org/KillBox.zip

Reboot in Safe Mode

This will take a little bit to do, so keep track and don't miss any files.

Open Killbox and click the option Delete on Reboot.

You'll see the path to the filename appear in the bottom box.

Copy and paste one at a time, starting with

C:\WINDOWS\SYSTEM32\epbbr84y.exe

into the top box.

Click the red X, say Yes to the message box that comes up, then say No to the next box asking you to reboot.

This is important, because if you reboot before you have finished entering all the files, you will have to start over again.

Do the same for this entire list:

C:\WINDOWS\SYSTEM32\epbbr84y.exe
C:\WINDOWS\SYSTEM32\evwx3.exe
C:\WINDOWS\SYSTEM32\iqjlow.exe
C:\WINDOWS\SYSTEM32\mwt3hc.exe
C:\WINDOWS\SYSTEM32\qxqi8.exe
C:\WINDOWS\SYSTEM32\uynb15q.exe

When these are all done, also add (just in case):

C:\WINDOWS\SYSTEM32\guard.tmp

OK, so a recap of this:

1.) Copy a path and file (whole line) from the list here, and paste it into the first line (of Killbox)
2.) Click the red X for each file you enter
3.) Say "Yes" to the first message, and "No" to "reboot now" (the next message)
4.) Repeat for the entire list, and lastly enter C:\WINDOWS\SYSTEM32\guard.tmp as the last file


Hopefully that will clear pretty much everything for files. Do not reboot more than once, as guard.tmp will probably be recreated on reboot, but it will be an easy kill this time.
khelbena
OK, deleted the files. Here is the new find.bat log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\spywaretools\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 80C3-6C79

Directory of C:\Windows\System32

01/04/2005 09:53 AM <DIR> dllcache
12/22/2004 02:19 PM 389,120 w?nlogon.exe
12/15/2004 06:09 PM 512 Nxzo.tu3
08/12/2003 08:03 AM <DIR> Microsoft
08/29/2002 03:41 AM 401,462 msvcp60.dll
08/18/2001 09:00 AM 9,728 regsvr32.exe
4 File(s) 800,822 bytes
2 Dir(s) 34,290,479,104 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 80C3-6C79

Directory of C:\Windows\System32

01/04/2005 09:53 AM <DIR> dllcache
12/22/2004 02:19 PM 389,120 w?nlogon.exe
12/15/2004 06:09 PM 512 Nxzo.tu3
08/29/2002 03:41 AM 401,462 msvcp60.dll
09/17/2001 09:42 AM 488 WindowsLogon.manifest
09/17/2001 09:42 AM 488 logonui.exe.manifest
09/17/2001 09:42 AM 749 wuaucpl.cpl.manifest
09/17/2001 09:42 AM 749 nwc.cpl.manifest
09/17/2001 09:42 AM 749 ncpa.cpl.manifest
09/17/2001 09:42 AM 749 sapi.cpl.manifest
09/17/2001 09:42 AM 749 cdplayer.exe.manifest
08/18/2001 09:00 AM 2 desktop.ini
08/18/2001 09:00 AM 9,728 regsvr32.exe
12 File(s) 805,545 bytes
1 Dir(s) 34,290,475,008 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 80C3-6C79

Directory of C:\Windows\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 80C3-6C79

Directory of C:\Windows\System32

08/18/2001 09:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 34,290,470,912 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
nxzo.tu3 Wed Dec 15 2004 6:09:12p ..SH. 512 0.50 K
wnlogo~1.exe Wed Dec 22 2004 2:19:40p ..SHR 389,120 380.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 389,632 bytes 380.50 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="C:\\Program Files\\COMPAQ\\Easy Access Button Support\\StartEAK.exe"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"ChkAdmin"="C:\\PROGRA~1\\Compaq\\COMPAQ~1\\CHKADMIN.EXE"
"HPDJ Taskbar Utility"="C:\\Windows\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"CSISetup"="S:\\PCSetup\\disk1\\setup.exe -fdailysetup.ins"
"IgfxTray"="C:\\Windows\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\Windows\\System32\\hkcmd.exe"
"WinVNC"="\"C:\\Program Files\\RealVNC\\WinVNC\\WinVNC.exe\" -servicehelper"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinPatrol"="C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe"
"PopUpKiller"="C:\\Program Files\\PopUp Killer\\PopUpKiller.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


The HijackThis log looks the same as it did in the last post, so I won't repost it unless you need it. Thanks for the help, and let me know if I need to delete anything else.
khelbena
Here is the find.bat log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\agent1\My Documents\agency support stuff\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is Compaq
Volume Serial Number is 14A7-8333

Directory of C:\Windows\System32

01/20/2005 07:04 PM 846 Zpuw4DJ.tr4
01/11/2005 09:15 AM 401,408 ??rvices.exe
12/15/2004 04:42 PM <DIR> dllcache
12/11/2004 11:36 PM 4,402 smdgo.txt
11/23/2004 03:44 PM 68,096 mnmqc.dll
11/19/2002 03:22 AM <DIR> Microsoft
4 File(s) 474,752 bytes
2 Dir(s) 35,015,430,144 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is Compaq
Volume Serial Number is 14A7-8333

Directory of C:\Windows\System32

01/20/2005 07:04 PM 846 Zpuw4DJ.tr4
01/20/2005 07:04 PM 106 rn.dll
01/11/2005 09:15 AM 401,408 ??rvices.exe
12/15/2004 04:42 PM <DIR> dllcache
12/11/2004 11:36 PM 4,402 smdgo.txt
11/23/2004 03:44 PM 68,096 mnmqc.dll
10/22/2003 12:13 PM 1,100 userinit.dat
10/11/2003 08:21 AM 677 ou7k9ov0.tmp
10/11/2003 08:11 AM 50,588 o78kdov0.tmp
09/16/2001 03:42 PM 488 WindowsLogon.manifest
09/16/2001 03:42 PM 488 logonui.exe.manifest
09/16/2001 03:42 PM 749 sapi.cpl.manifest
09/16/2001 03:42 PM 749 nwc.cpl.manifest
09/16/2001 03:42 PM 749 wuaucpl.cpl.manifest
09/16/2001 03:42 PM 749 cdplayer.exe.manifest
09/16/2001 03:42 PM 749 ncpa.cpl.manifest
08/17/2001 03:00 PM 2 desktop.ini
16 File(s) 531,946 bytes
1 Dir(s) 35,015,426,048 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is Compaq
Volume Serial Number is 14A7-8333

Directory of C:\Windows\System32


--------- Temp Files in System32 Directory --------

Volume in drive C is Compaq
Volume Serial Number is 14A7-8333

Directory of C:\Windows\System32

10/11/2003 08:21 AM 677 ou7k9ov0.tmp
10/11/2003 08:11 AM 50,588 o78kdov0.tmp
08/17/2001 03:00 PM 2,577 CONFIG.TMP
3 File(s) 53,842 bytes
0 Dir(s) 35,015,421,952 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
mnmqc.dll Tue Nov 23 2004 3:44:16p A.SH. 68,096 66.50 K
rn.dll Thu Jan 20 2005 7:04:04p A..H. 106 0.10 K
smdgo.txt Sat Dec 11 2004 11:36:50p A.SH. 4,402 4.30 K
zpuw4dj.tr4 Thu Jan 20 2005 7:04:48p ..SH. 846 0.82 K
rvices~1.exe Tue Jan 11 2005 9:15:50a ..SHR 401,408 392.00 K

5 items found: 5 files, 0 directories.
Total of file sizes: 474,858 bytes 463.73 K

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="C:\\Program Files\\COMPAQ\\Easy Access Button Support\\StartEAK.exe"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"HPDJ Taskbar Utility"="C:\\Windows\\System32\\spool\\drivers\\w32x86\\3\\hpztsb06.exe"
"CSISetup"="S:\\PCSetup\\disk1\\setup.exe -fdailysetup.ins"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"WinPatrol"="\"C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\WinPatrol.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



Here is the HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 11:17:54 AM, on 1/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Windows\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\RealVNC\WinVNC\winvnc.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Windows\System32\bidispl2.exe
C:\Documents and Settings\agent1\Application Data\mpco.exe
C:\Windows\System32\wuauclt.exe
C:\Windows\System32\??rvices.exe
C:\FacetWin\fwagent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Documents and Settings\agent1\My Documents\agency support stuff\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\Windows\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [CSISetup] S:\PCSetup\disk1\setup.exe -fdailysetup.ins
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: FacetWin Agent.lnk = C:\FacetWin\fwagent.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.csic.com/Scriptx/ScriptX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37B2FD34-1C42-4EC9-97D2-3B7C0C451BB6}: Domain = csic.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{37B2FD34-1C42-4EC9-97D2-3B7C0C451BB6}: NameServer = 65.196.134.14,65.196.134.16
O23 - Service: Compaq Local Alerter - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent - Compaq Computer Corporation - C:\Windows\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel® NMS - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Reflection Line Printer Daemon - WRQ, Inc. - C:\Program Files\Reflection\lpdserv.exe
O23 - Service: Win32Sl - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

Please let me know what to remove. Thanks.
LoPhatPhuud
khelbena

I have merged all your posts into one thread. Please keep all posts in this thread until this issue is resolved. I will notify Bobbi that there is a post waiting.

Also, please do not run custom programs, batches, etc., such as Find-It, without specific instructions from one of us. It will only delay the fixing of your computer if the information is outdated or not needed.
Bobbi Flekman
Hi khelbena,

Launch Notepad, and copy/paste the box below into a new text file. Save it as FindFile.bat and save it on your Desktop.

CODE
rem /a with no attribute letters lists every match, hidden and system files included
dir C:\Windows\System32\??rvices.exe /a > files.txt
notepad files.txt


Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.

Have you done what I said? I can see you didn't update to SP-2!!!

Download http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'.

Check your computer with the following free anti-virus/anti-trojan products.

Housecall Anti Virus, Panda Anti Virus, Trojan Scan

And, here's the link to McAfee AVERT Stinger and instructions for use.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location, so you can delete it yourself.

Please enable everything you have turned off in 'System Configuration Utility' (MSConfig.exe). This way your system will not hide any potential malware and hijackers.

Reboot and post a fresh log.
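The ??rvices.exe that the dir command above is meant to pin down is the console's rendering of a name it cannot display: each '?' stands for a character outside the console code page, and the 8.3 short name rvices~1.exe in the Locate.com output (the first two characters dropped as unrepresentable) says the same thing. The file is not services.exe, however a process list renders it. As an added example (not from the thread or from any tool used in it), here is a Python script that takes a list of file names from a System32 listing and flags look-alikes of protected Windows binaries: names containing non-ASCII characters, names that fold to a protected name once confusable letters are mapped to their Latin twins, and names one edit away from one. The sample listing is constructed, the Cyrillic-lettered names and svchosts.exe are hypothetical, and the confusables table is a small assumed subset, not a complete one.

```python
"""Spot look-alike system binary names in a System32 listing.

The console shows a character it cannot encode as '?', so a file listed as
??rvices.exe has two non-ASCII characters where "se" should be: it is not
services.exe, however a task list renders it."""
import unicodedata

# Windows binaries that malware likes to impersonate by name.
PROTECTED = {"services.exe", "winlogon.exe", "lsass.exe", "svchost.exe",
             "smss.exe", "csrss.exe", "explorer.exe", "regsvr32.exe"}

# Cyrillic letters that render identically to Latin ones (a small, assumed subset).
CONFUSABLES = {"\u0430": "a", "\u0441": "c", "\u0435": "e", "\u0456": "i",
               "\u043e": "o", "\u0440": "p", "\u0455": "s", "\u0445": "x",
               "\u0443": "y", "\u0405": "S", "\u0415": "E", "\u0410": "A"}


def console_view(name, codepage="cp437"):
    """What dir/tasklist print for a name the console code page cannot encode."""
    return name.encode(codepage, "replace").decode(codepage)


def skeleton(name):
    """Fold confusable letters to their Latin twins, normalise, lower-case."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in name)
    return unicodedata.normalize("NFKC", folded).lower()


def edit_distance(a, b):
    """Levenshtein distance, for near-misses such as one extra or missing letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name):
    """Return the reasons a file name is suspicious; an empty list means it looks fine."""
    reasons = []
    low = name.lower()
    if low in PROTECTED:
        return reasons            # the real name; path and hash checks are a separate step
    if any(ord(ch) > 127 for ch in name):
        reasons.append(f"non-ASCII characters (dir shows it as {console_view(name)})")
    sk = skeleton(name)
    for target in sorted(PROTECTED):
        if sk == target:
            reasons.append(f"homoglyph of {target}")
        elif edit_distance(low, target) == 1:
            reasons.append(f"one edit away from {target}")
    return reasons


def scan(names):
    """Map each suspicious name in a listing to its reasons."""
    results = {}
    for name in names:
        reasons = classify(name)
        if reasons:
            results[name] = reasons
    return results


# Constructed listing: genuine names plus three look-alikes (Cyrillic dze+ie,
# Cyrillic i, and an extra letter).  None of these look-alikes come from the thread.
SAMPLE_LISTING = [
    "services.exe", "\u0455\u0435rvices.exe",
    "winlogon.exe", "w\u0456nlogon.exe",
    "svchosts.exe", "lsass.exe", "nxzo.tu3", "regsvr32.exe",
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_LISTING).items():
        print(f"{console_view(name):<16} {name!r}: {'; '.join(reasons)}")
```

To feed it a real listing, read the names with a Unicode-aware API (Python's os.listdir on Windows returns them as str) rather than from the dir output, because the dir output has already replaced the tell-tale characters with '?'. A name that passes this check can still be a trojan copy in the wrong directory, so the location and a hash comparison against the dllcache copy remain separate steps.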