Could someone please help me...


9 replies to this topic

#1 Metro9

    Member

  • Full Member
  • 6 posts

Posted 26 June 2004 - 06:00 PM

Could someone please help me in removing the files listed below. I used HijackThis to scan for processes. Thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 6:48:23 PM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\documents and settings\keith buckholz\local settings\temp\Z.exe
C:\WINDOWS\System32\IEDriver\IEDriver.exe
C:\PROGRA~1\Greattest\Anti Tool Bat.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\uptodate.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\MProcessor\mprocessor.exe
C:\PROGRA~1\ezula\mmod.exe
C:\WINDOWS\System32\Hvgkm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\PqaY5o.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SysAI\SysAI.exe
C:\WINDOWS\System32\quaemote.exe
C:\WINDOWS\System32\scksie.exe
C:\Documents and Settings\Keith Buckholz\My Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.microsoft...=ie&ar=iesearch
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - C:\Program Files\winex\v9\winex.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WindowEnhancer] "C:\Program Files\winex\v9\winex.EXE" /H
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [SUPPORT ARMY] C:\PROGRA~1\Greattest\Anti Tool Bat.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [573QQTM3GRAQ4T] C:\WINDOWS\System32\GnsDj.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37563.386087963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab


Thank you again.

#2 Autodad

    Forum Deity

  • Trusted Advisor
  • 2,118 posts

Posted 26 June 2004 - 11:03 PM

Hello Metro9,

There are a few infections showing, so this may take a few tries.


First download the PeperFix.exe, a tool made by Option^Explicit, from here:
http://downloads.sub...rg/PeperFix.exe

Click on the PeperFix.exe to launch it.
Click the Find and Fix button.

You will be prompted to reboot.

Reboot and it will delete the files.
_______

Now download LSPfix here: http://www.cexx.org/lspfix.htm

Launch the application, and click the "I know what I'm doing" checkbox.

Check all instances of inetadpt.dll (and nothing else), and move them to the "Remove" pane.

Then click Finish.
_______

Next, click Start, Control Panel, Add or Remove Programs, and find:

"Window Search" and "WinTools" and remove (uninstall) them.
You will be given a security code to insert; do so,
and reboot when done.

Also, follow this link to remove PeopleOnPage (POP) while you're in there.
http://www.pchell.co...pleonpage.shtml
______

Please download Spybot: Search and Destroy from http://www.safer-net...g.org/index.php
Check for Updates first, download ALL Updates and Do a Scan.
When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" Button.

Next, download AdAware, another good anti-spyware program, from http://www.lavasoftu...pport/download/.
Install the program and run it. Make sure you click the "Check for Updates" button before starting a scan.

Before you do a Scan, set up AdAware by clicking the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

Reboot when done.

________

Then go to Task Manager (Ctrl + Alt + Delete) and click on "Processes" then "End Process" for this:

Anti Tool Bat.exe

Then close Task Manager.

_______

Next, open HijackThis, click Scan, then put a check next to the following entries:
(some may not be here after doing the above)

O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - C:\Program Files\winex\v9\winex.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL

O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [WindowEnhancer] "C:\Program Files\winex\v9\winex.EXE" /H
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [SUPPORT ARMY] C:\PROGRA~1\Greattest\Anti Tool Bat.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [573QQTM3GRAQ4T] C:\WINDOWS\System32\GnsDj.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe


Now, Close all open Windows and Browsers (have only HJT open) and click "Fix Checked".

Reboot to Safe Mode (tap F8 while restarting) and delete these Folders:
(again, some may not be here)

C:\Program Files\SEP\
C:\Program Files\DownloadWare\
C:\Program Files\winex\
C:\PROGRA~1\Greattest\
C:\Program Files\Common files\WinTools\
C:\Program Files\AutoUpdate\
C:\Program Files\Common Files\Dpi\
C:\Program Files\Common files\updater\
C:\WINDOWS\System32\IEDriver\

And these Files:

C:\WINDOWS\System32\stlbdist.DLL
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\GnsDj.exe
C:\WINDOWS\uptodate.exe
C:\WINDOWS\bxxs5.dll,DllRun

You may have to show hidden files:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

After you do all that, reboot normally, and please post a new HJT log.
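The fix list above is checked against the follow-up log the user is asked to post: the helper needs to see which O2/O3/O4 entries vanished, which survived and which are new (the four repeated O10 LSP lines, for instance, should all be gone after LSPfix). The script below is an added example, not code from this thread or from HijackThis; it parses the R/O entry lines and the "Running processes" list of two HijackThis logs and diffs them. The sample logs are excerpts of the two logs posted in this thread; the function names are mine.

```python
import re
from collections import Counter

# One R/O entry line of a HijackThis log, e.g. "O4 - HKLM\..\Run: [x] C:\...".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")


def parse_hjt(text):
    """Parse a HijackThis log into (Counter of R/O entries, set of running
    processes).  A Counter rather than a set keeps the multiplicity of
    repeated lines, such as the four O10 Winsock LSP entries for inetadpt.dll
    in the first log of this thread."""
    entries = Counter()
    processes = set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                     # a blank line ends the process list
            in_processes = False
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if in_processes:
            processes.add(line.lower())  # Windows paths are case-insensitive
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[f"{m.group(1)} - {m.group(2)}"] += 1
    return entries, processes


def _section_key(entry):
    """Sort R entries first, then O entries by number, then by text."""
    sec = entry.split(" - ", 1)[0]
    return (sec[0] != "R", int(sec[1:]), entry)


def diff_logs(before, after):
    """Report which entries and processes vanished, appeared or survived
    between two logs of the same machine (e.g. before and after a fix)."""
    b_entries, b_procs = parse_hjt(before)
    a_entries, a_procs = parse_hjt(after)
    return {
        "removed": sorted((b_entries - a_entries).elements(), key=_section_key),
        "new": sorted((a_entries - b_entries).elements(), key=_section_key),
        "kept": sorted((a_entries & b_entries).elements(), key=_section_key),
        "processes_gone": sorted(b_procs - a_procs),
        "processes_new": sorted(a_procs - b_procs),
    }


def still_present(fix_list, after):
    """Given the entries a helper asked to have fixed, return those that are
    still in the follow-up log."""
    a_entries, _ = parse_hjt(after)
    wanted = [l.strip() for l in fix_list.splitlines() if ENTRY_RE.match(l.strip())]
    return [e for e in wanted if a_entries[e] > 0]


# Excerpts of the two logs posted in this thread (first scan, then the scan
# after the PeperFix / LSPfix / HijackThis steps).
BEFORE_LOG = r"""
Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\IEHost.exe

O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KEITHB~1\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {E59FC7A9-B6CA-4AFF-937E-239BB4906A4D} - C:\WINDOWS\System32\jplfic.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""

# The two bxxs5 entries from the helper's fix list in post #2.
FIX_LIST = r"""
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
"""

if __name__ == "__main__":
    for label, items in diff_logs(BEFORE_LOG, AFTER_LOG).items():
        print(f"{label}:")
        for item in items:
            print("   ", item)
    print("fix-list entries still present:", still_present(FIX_LIST, AFTER_LOG))
```

Run against the two full logs, the "new" section is what the helper reads next: here it surfaces the sp.html search hijack and the jplfic.dll BHO that were not in the first log, which is exactly what prompted the CoolWeb diagnosis in post #5.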

#3 Metro9

    Member

  • Full Member
  • 6 posts

Posted 06 July 2004 - 08:37 PM

Sorry for the late response. I have completed everything up until restarting in safe mode. How do I choose which programs to delete? I do not know how to select programs. When restarting in safe mode I can only select whether or not to start up in safe mode. I will keep trying until someone can offer me a little advice.

Thanks.

#4 Metro9

    Member

  • Full Member
  • 6 posts

Posted 06 July 2004 - 08:39 PM

Here is my latest scan. Thanks again.

Logfile of HijackThis v1.97.7
Scan saved at 9:38:15 PM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MProcessor\mprocessor.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\Keith Buckholz\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KEITHB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\KEITHB~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KEITHB~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KEITHB~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\KEITHB~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KEITHB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {E59FC7A9-B6CA-4AFF-937E-239BB4906A4D} - C:\WINDOWS\System32\jplfic.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...37563.386087963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

#5 Autodad

    Forum Deity

  • Trusted Advisor
  • 2,118 posts

Posted 06 July 2004 - 08:52 PM

Hi Metro9,

That is a nasty CoolWeb infection that you have. Please be patient till we get back to you.

There is a newer version of HijackThis out now. Please get it here and unzip it to a permanent folder, then post a new HJT log.

#6 Metro9

    Member

  • Full Member
  • 6 posts

Posted 10 July 2004 - 08:22 AM

Logfile of HijackThis v1.98.0
Scan saved at 9:22:15 AM, on 7/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\GREATT~1\Anti Tool Bat.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MProcessor\mprocessor.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Documents and Settings\Keith Buckholz\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KEITHB~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\KEITHB~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KEITHB~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\KEITHB~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KEITHB~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KEITHB~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {FF84FB5B-CEDE-49C1-800C-7939D105FF12} - C:\WINDOWS\System32\ilcaia.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [SUPPORT ARMY] C:\PROGRA~1\GREATT~1\Anti Tool Bat.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: (no name) - {1A00C40B-DA85-4aa3-A67F-582D9347EECD} - C:\WINDOWS\System32\TD.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {1A00C40B-DA85-4aa3-A67F-582D9347EECD} - C:\WINDOWS\System32\TD.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {4F66A429-DBB1-4A9D-BBD4-48C6982D6B21} - (no file) (HKCU)
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O18 - Filter: text/html - {B00F82E9-1A5C-4204-BC60-83355ABB3974} - C:\WINDOWS\System32\ilcaia.dll
O18 - Filter: text/plain - {B00F82E9-1A5C-4204-BC60-83355ABB3974} - C:\WINDOWS\System32\ilcaia.dll

#7 Autodad

    Forum Deity

  • Trusted Advisor
  • 2,118 posts

Posted 10 July 2004 - 11:40 AM

Hi Metro9,

As stated, this is one of the nasty infections and can be tricky, to say the least, to remove.
There is a tool called sphjfix that claims to remove it.
Download and unzip the application from here:
http://www.rokop-sec...op=getit&lid=59
Follow the description for what to do.

After the tool is done, re-run CWShredder, and Ad-aware. Check them both for updates first.

Then run http://www.pandasoft...n_principal.htm

Please post a new HJT log, and let us know if it worked.
______

The preferred method would be to download and install:

"FINDnFIX.exe" from http://freeatlast100...om/FINDnFIX.exe or http://downloads.sub...rg/FINDnFIX.exe

Run the "!LOG!.bat" file, wait for the final output (log.txt)
Then post the results here.

#8 Metro9

    Member

  • Full Member
  • 6 posts

Posted 10 July 2004 - 11:18 PM

Logfile of HijackThis v1.98.0
Scan saved at 12:17:39 AM, on 7/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Documents and Settings\Keith Buckholz\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {4F66A429-DBB1-4A9D-BBD4-48C6982D6B21} - (no file) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\swprv326i.dll

#9 Metro9

    Member

  • Full Member
  • 6 posts

Posted 11 July 2004 - 12:04 AM

The results from FINDnFIX are very long, here they are:


»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»*** Read this first! ***»»»»»»»»»»»»»»»»
Due to errors on various message boards I made some changes.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
If you make a mistake or use the wrong guidance, it is completely
your responsibility and the helper that assists you.
If you are not sure about the nature of the file or how
to proceed, I suggest you research it first before attempting
to remove any *unknown file on your own.
*For Helpers and/or users that are not familiar with any of the
items on the scan results- I recommend using an alternative, once
you know what to look for!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder
and is the destination for the file to be moved..
-*Previous directions will no longer work...
»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q324929-Q810847-Q813951-Q813489-Q330994-Q818529-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167
The type of the file system is FAT32.
C: is not dirty.

Sun 07/11/2004
1:00am up 0 days, 0:51

»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/8)»»»»»»»»»»»»»»»»

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...


»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT

»»»»» (*3*) »»»»»........

C:\WINDOWS\SYSTEM32\
kjcom.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
varsion.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
rvocurs.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
mfr.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
otecli32.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
fs20.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
slc_os.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
mnrdo20.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
fk20.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
mnrecr40.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
fw20enu.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
bfotvid.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
sgc_os.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
fo20.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
mkrdo20.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
mustdfmt.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
fc20enu.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
ocesvr32.dll Mon Jun 14 2004 8:40:42p ..SHR 316,776 309.35 K
bzotvid.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
bmotvid.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
oyesvr32.dll Sun Jul 4 2004 3:17:18p A.SHR 320,872 313.35 K
la32.dll Sun Jul 4 2004 3:17:18p A.SHR 320,872 313.35 K
ff20enu.dll Sun Jul 4 2004 3:17:18p ..SHR 320,872 313.35 K
mwrdo20.dll Sun Jul 4 2004 3:17:18p A.SHR 320,872 313.35 K
kqcom.dll Sun Jul 4 2004 3:17:18p A.SHR 320,872 313.35 K

25 items found: 25 files (25 H/S), 0 directories.
Total of file sizes: 7,939,880 bytes 7.57 M

unknown/hidden files...

C:\WINDOWS\SYSTEM32\
kjcom.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
varsion.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
rvocurs.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
mfr.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
otecli32.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
fs20.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
slc_os.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
mnrdo20.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
fk20.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
mnrecr40.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
fw20enu.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
bfotvid.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
sgc_os.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
fo20.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
mkrdo20.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
mustdfmt.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
fc20enu.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
ocesvr32.dll Mon Jun 14 2004 8:40:42p ..SHR 316,776 309.35 K
bzotvid.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
bmotvid.dll Mon Jun 14 2004 8:40:42p A.SHR 316,776 309.35 K
oyesvr32.dll Sun Jul 4 2004 3:17:18p A.SHR 320,872 313.35 K
la32.dll Sun Jul 4 2004 3:17:18p A.SHR 320,872 313.35 K
ff20enu.dll Sun Jul 4 2004 3:17:18p ..SHR 320,872 313.35 K
mwrdo20.dll Sun Jul 4 2004 3:17:18p A.SHR 320,872 313.35 K
kqcom.dll Sun Jul 4 2004 3:17:18p A.SHR 320,872 313.35 K

25 items found: 25 files, 0 directories.
Total of file sizes: 7,939,880 bytes 7.57 M

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\KJCOM.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\VARSION.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\RVOCURS.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\MFR.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\OTECLI32.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\FS20.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\SLC_OS.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\MNRDO20.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\FK20.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\MNRECR40.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\FW20ENU.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\BFOTVID.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\SGC_OS.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\FO20.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\MKRDO20.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\MUSTDFMT.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\FC20ENU.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\OCESVR32.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\BZOTVID.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\BMOTVID.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\OYESVR32.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\LA32.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\FF20ENU.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\MWRDO20.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\KQCOM.DLL

»»»»»(*5*)»»»»»
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 516

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ C:\\WINDOWS\\System32\\swprv326i.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = C:\WINDOWS\System32\swprv326i.dll
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group KEITH-IYC0QWT36\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»» Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


»»Notepad check....

C:\WINDOWS\
notepad.exe Sat Aug 18 2001 12:00:00p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

C:\WINDOWS\SYSTEM32\
notepad.exe Sat Aug 18 2001 12:00:00p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Sat Aug 18 2001 12:00:00p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-18-2001 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright © Microsoft Corporation. All rights reserved.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000


»»»»»»Backups created...»»»»»»
1:03am up 0 days, 0:54
Sun 07/11/2004

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-11-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 323 07-11-2004 winkey.reg

C:\FINDNFIX\
JUNKXXX Sun Jul 11 2004 1:00:18a .D... <Dir>

1 item found: 0 files, 1 directory.

»»Performing string scan....
00001150: vk D f AppInit_
00001190:DLLs G C : \ W I N D O W S \ S y s t e m 3 2 \ s w p r v 3
000011D0:2 6 i . d l l p vk UDeviceNotSelecte
00001210:dTimeout 1 5 P 9 0 vk ' z
00001250:GDIProcessHandleQuota" vk Spooler2 y e
00001290:s _ p 8 h vk 5swapdisk
000012D0: vk ( . TransmissionRetryTimeout p 8
00001310:h vk ' , USERProcessHandleQuota,
00001350:
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
00001590:
000015D0:

---------- WIN.TXT
fłAppInit_DLLsÖ?ęGø’’’C
--------------
--------------
C:\WINDOWS\System32\swprv326i.dll
--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\swprv326i.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 68 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : "C:\WINDOWS\System32\swprv326i.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 73 00 77 00 70 00 72 00 | m.3.2.\.s.w.p.r.
0030 76 00 33 00 32 00 36 00 69 00 2e 00 64 00 6c 00 | v.3.2.6.i...d.l.
0040 6c 00 00 00 | l...
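
The two dumps above (the UTF-16LE hex of the value and the REGEDIT4 export) say the same thing in two encodings, and an analyst would want to confirm that offline before telling someone to delete a system32 DLL. The following is an added example, not part of the original log and not FINDnFIX code; it parses the text exactly as the scan printed it (both inputs are constructed from the lines above), checks the 68-byte size the scan reports, decodes the REG_SZ, and lists the AppInit_DLLs entries. Function names are mine.

```python
"""Added example (not part of the original log or of FINDnFIX): read the
AppInit_DLLs value back from the text the scan printed above, the way an
analyst would confirm the finding offline."""
from __future__ import annotations

import re

# Constructed input: the hex dump of the AppInit_DLLs value as printed in the
# scan above (68 bytes of UTF-16LE, including the two-byte terminator).
APPINIT_HEX_DUMP = r"""
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 73 00 77 00 70 00 72 00 | m.3.2.\.s.w.p.r.
0030 76 00 33 00 32 00 36 00 69 00 2e 00 64 00 6c 00 | v.3.2.6.i...d.l.
0040 6c 00 00 00 | l...
"""

# Constructed input: the REGEDIT4 export of the same key, as printed above.
REGEDIT4_EXPORT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\swprv326i.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"""

REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset xx xx ... | ascii' lines; the ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        if "|" not in line:
            continue
        tokens = line.split("|", 1)[0].split()
        out.extend(int(t, 16) for t in tokens[1:])  # tokens[0] is the offset
    return bytes(out)


def decode_reg_sz(raw: bytes) -> str:
    """REG_SZ is UTF-16LE with a two-byte NUL terminator; refuse anything else."""
    if len(raw) % 2 or raw[-2:] != b"\x00\x00":
        raise ValueError("REG_SZ must be UTF-16LE with a two-byte terminator")
    return raw[:-2].decode("utf-16-le")


def parse_reg_export(text: str) -> dict[str, str | int]:
    """Parse the values of a single-key REGEDIT4 export into a dict."""
    values: dict[str, str | int] = {}
    for line in text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.group("name"), m.group("val")
        if raw.startswith("dword:"):
            values[name] = int(raw[len("dword:"):], 16)
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            # .reg syntax escapes backslash and double quote with a backslash
            values[name] = re.sub(r'\\(["\\])', r"\1", raw[1:-1])
        else:
            values[name] = raw
    return values


def appinit_entries(values: dict) -> list[str]:
    """AppInit_DLLs is a space- or comma-separated list; it is empty on a clean XP install.
    Every DLL listed here is loaded into every process that loads user32.dll."""
    return [p for p in re.split(r"[ ,]+", str(values.get("AppInit_DLLs", ""))) if p]


if __name__ == "__main__":
    raw = hexdump_to_bytes(APPINIT_HEX_DUMP)
    print(f"{len(raw)} bytes -> {decode_reg_sz(raw)!r}")
    exported = parse_reg_export(REGEDIT4_EXPORT)
    print("export agrees:", exported["AppInit_DLLs"] == decode_reg_sz(raw))
    print("AppInit_DLLs entries:", appinit_entries(exported))
```

Both views decode to the same 33-character path (33 UTF-16 code units plus the terminator is the 68 bytes the scan reports), so the finding is consistent. On the live machine the same value can be read with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs`; on an XP box that has had nothing legitimate install a global hook, the list should be empty.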


#10 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • 2,118 posts

Posted 11 July 2004 - 08:32 PM

Hi Metro9,

Please put HJT in a permanent folder.
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.
This will allow backups to be made and saved by HijackThis in case something goes wrong.
Follow this link http://www.netstar.me.uk/hjt/hjt.html if you need help.


Then go to Start > Settings > Control Panel > Administrative Tools > Services. Look for "WinTools for IE service" in the right pane.
If you find it, right click on it. Stop it by pressing the stop button. Then disable it by clicking on the startup type drop down and selecting "Disable".

Then go to Task Manager (Ctrl + Alt + Delete) and click on "Processes" then "End Process" for these:

WToolsA.exe
WToolsS.exe
WSup.exe

Then close Task Manager.

Now open HijackThis, click Scan, then put a check next to the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"

O20 - AppInit_DLLs: C:\WINDOWS\System32\swprv326i.dll



Now close all open windows and browsers (have only HJT open) and click "Fix Checked".

Then, reboot to safe mode (tap F8 while restarting) and delete these folders located in C:\Program Files\

C:\PROGRA~1\Toolbar\
C:\Program Files\Common Files\WinTools\
C:\Program Files\\MProcessor\

And this file:

C:\WINDOWS\System32\swprv326i.dll

You may have to show hidden files:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Then, reboot normally and please post a new HJT log, and let us know if you have any problems.
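
The entries Autodad picks out above follow HijackThis's fixed line formats (R0/R1 registry values, R3/O2 CLSID hooks, O4 Run keys, O20 AppInit_DLLs). As an added example, not code from the original thread or from HijackThis, here is a small parser for those formats with the triage rules a helper applies by eye: AppInit_DLLs set at all, a CLSID whose file is gone, and paths matching the indicators taken from the post (WinTools, MProcessor, the Toolbar folder, swprv326i.dll). The sample lines are copied from the post above; the indicator list and function names are mine.

```python
"""Added example (not from the original thread or HijackThis): parse HJT
log entries and apply the triage rules a helper applies by eye."""
from __future__ import annotations

import re

# Constructed sample: the entries from the reply above (the truncated
# SearchAssistant URL is left out because the forum cut it short).
HJT_LINES = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O20 - AppInit_DLLs: C:\WINDOWS\System32\swprv326i.dll
"""

# Indicators taken from the folders and file the reply says to delete.
INDICATORS = ("WinTools", "MProcessor", "PROGRA~1\\Toolbar", "swprv326i.dll")

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
# R0/R1: <hive\key>,<value name> = <data>
R_RE = re.compile(r"^(?P<key>HK[A-Z]+\\.+?),(?P<value>[^,=]+) = (?P<data>.*)$")
# R3/O2/O3: <kind>: <name> - {CLSID} - <file>
CLSID_RE = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f\-]{36}\}) - (?P<file>.*)$")
# O4: <hive>\..\<Run key>: [<value name>] <command>
O4_RE = re.compile(r"^(?P<key>HK[A-Z]+\\\.\.\\[^:]+): \[(?P<name>[^\]]*)\] (?P<data>.*)$")
O20_RE = re.compile(r"^AppInit_DLLs: (?P<data>.*)$")


def parse_hjt(text: str) -> list[dict]:
    """Turn HJT entry lines into dicts; unknown sections keep only code and raw line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        entry = {"code": code, "raw": line}
        if code in ("R0", "R1", "R2"):
            sub = R_RE.match(body)
        elif code in ("R3", "O2", "O3"):
            sub = CLSID_RE.match(body)
        elif code == "O4":
            sub = O4_RE.match(body)
        elif code == "O20":
            sub = O20_RE.match(body)
        else:
            sub = None
        if sub:
            entry.update(sub.groupdict())
        entries.append(entry)
    return entries


def flag_entries(entries: list[dict], indicators: tuple[str, ...] = INDICATORS) -> list[dict]:
    """Apply the triage rules; returns only entries with at least one reason."""
    flagged = []
    for e in entries:
        target = e.get("file") or e.get("data") or ""
        reasons = []
        if e["code"] == "O20" and target:
            # Empty on a clean install; anything here loads into every process using user32.dll
            reasons.append("AppInit_DLLs is set")
        if e.get("clsid") and target == "(no file)":
            reasons.append("CLSID registered but its file is gone (orphaned hook/BHO)")
        for ind in indicators:
            if ind.lower() in target.lower():
                reasons.append(f"path matches indicator {ind!r}")
        if reasons:
            flagged.append({"code": e["code"], "target": target, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for f in flag_entries(parse_hjt(HJT_LINES)):
        print(f["code"], f["target"], "->", "; ".join(f["reasons"]))
```

Six of the seven sample lines come out flagged. The one that does not, the R0 about:blank start page, is still on Autodad's fix list because the hijacker set it, but about:blank is also a legitimate setting, so no mechanical rule catches it; that judgement is what the helper adds.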



