
Hijack this log help


  • This topic is locked
32 replies to this topic

#1 rp535

rp535

    Member

  • Full Member
  • 30 posts

Posted 18 July 2004 - 11:08 AM

Please help with HijackThis log!

#2 rp535

rp535

    Member

  • Full Member
  • 30 posts

Posted 18 July 2004 - 11:13 AM

Logfile of HijackThis v1.97.7
Scan saved at 10:42:30 AM, on 7/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe
C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Evidence Eliminator\ee.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\FRU\Remind32.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\unzipped\hijackthis1977[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\User\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\User\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\User\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\User\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\User\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\User\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.r5.attbi.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8764CA45-2269-4396-A4CC-F150F6956858} - C:\WINDOWS\System32\iechpga.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [W0lxD.exe] c:\documents and settings\user\local settings\temp\W0lxD.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [Spyware X-terminator Control Center] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WinTOTAL Scheduler] C:\WIN2000\guru.exe
O4 - HKCU\..\Run: [msdbrptr949i.exe] C:\WINDOWS\System32\msdbrptr949i.exe
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\User\Application Data\rncr.exe
O4 - HKCU\..\Run: [ZeroSpyware Lite] "C:\Program Files\FBM Software\ZeroSpyware Lite\ZeroSpyware Lite.exe" -STARTUP
O4 - HKCU\..\Run: [NetGuard Lite] "C:\Program Files\FBM Software\ZeroSpyware Lite\NetGuard Lite.exe" -STARTUP
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\FRU\Remind32.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsu...oad/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7584.8022916667
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/zd/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
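
A small triage script for a HijackThis 1.x log, added here as an illustration and not part of the original thread or of HijackThis itself. The sample lines are copied from the log above; the heuristics (an R0/R1 search page that is a file:// URL inside a temp directory, an O4 autorun launched from the user's Temp or Application Data folder, a BHO with no name, a toolbar with no file, IE policy restrictions present) are this editor's assumptions about what is worth a second look, not a verdict on any specific file.

```python
"""Flag HijackThis log lines that a helper would normally ask about first."""
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\User\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\User\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8764CA45-2269-4396-A4CC-F150F6956858} - C:\WINDOWS\System32\iechpga.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - (no file)
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [W0lxD.exe] c:\documents and settings\user\local settings\temp\W0lxD.exe
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\User\Application Data\rncr.exe
O4 - HKCU\..\Run: [msdbrptr949i.exe] C:\WINDOWS\System32\msdbrptr949i.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

# Profile locations a legitimate Run entry should rarely be launched from (assumption).
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\")

_LINE = re.compile(r"^(R\d|O\d+) - (.*)$")
_O4 = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<target>.*)")


def _exe_path(target: str) -> str:
    """Return the program path from an O4 target, dropping quotes and arguments."""
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 0 else target[1:]
    # Unquoted: assume the path ends at the first ' /' or ' -' switch.
    return re.split(r"\s[/-]", target, maxsplit=1)[0]


def triage(log_text: str) -> list:
    """Return one finding per suspicious line: section, reason and the line itself."""
    findings = []
    for raw in log_text.strip().splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        reason = None
        if section in ("R0", "R1") and " = " in body:
            value = body.split(" = ", 1)[1].strip().lower()
            if value.startswith("file://") and any(p in value for p in USER_WRITABLE):
                reason = "IE search/start page points at a local file in a user temp directory"
        elif section == "O2" and "(no name)" in body:
            reason = "BHO registered without a name; verify the DLL's publisher before trusting it"
        elif section == "O3" and body.endswith("(no file)"):
            reason = "toolbar entry whose DLL is missing (orphaned registration)"
        elif section == "O4":
            o4 = _O4.search(body)
            if o4:
                path = _exe_path(o4.group("target")).lower()
                if any(p in path for p in USER_WRITABLE):
                    reason = "autorun launched from a user-writable profile location"
        elif section == "O6" and body.endswith("present"):
            reason = "IE policy restrictions set under HKCU; confirm they were set deliberately"
        if reason:
            findings.append({"section": section, "reason": reason, "line": raw.strip()})
    return findings


def summary(findings) -> dict:
    """Count findings per HijackThis section, e.g. {'O4': 2, ...}."""
    return dict(Counter(f["section"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:3} {f['reason']}\n    {f['line']}")
```

Entries that the rules do not flag (such as msdbrptr949i.exe in System32) are not thereby cleared; the script only orders the manual review, which is what the helpers in this thread do by eye.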

#3 Daemon

Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 18 July 2004 - 12:17 PM

Click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. Reboot when done.

Click here to download Spybot Search & Destroy - install, update, scan and fix all RED items it finds. Reboot when done.

Click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

Reboot when done.

Click here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done post the contents of Log.txt in this thread.

#4 rp535

rp535

    Member

  • Full Member
  • 30 posts

Posted 19 July 2004 - 04:39 PM

Daemon,
Thank you, but that list is from mtride162's log. Could you please check mine? Thanks.

#5 rp535

rp535

    Member

  • Full Member
  • 30 posts

Posted 19 July 2004 - 04:50 PM

Daemon,
I tried FindnFix as you suggested, but it says it cannot find Notepad.exe and requests an executable file to use instead. Help!

#6 rp535

rp535

    Member

  • Full Member
  • 30 posts

Posted 20 July 2004 - 12:10 AM

HELP!

#7 Daemon

Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 20 July 2004 - 01:22 AM

Sorry about that - I've split his posts out of your thread. Click here to download xphidden.zip (so you can see hidden files and folders). Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

Then using Explorer, navigate to C:\Windows\System32\dllcache

You should see a version of notepad.exe in there, 65KB in size. Copy it to both these places:

C:\Windows\
C:\Windows\System32\

Then try again.

#8 rp535

rp535

    Member

  • Full Member
  • 30 posts

Posted 20 July 2004 - 09:44 AM

Hey Daemon, it worked, thanks!
Here's the log.

»»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»»»
--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder
and is the destination for the file to be moved..
-*Previous directions will no longer work...
»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q828750-Q824145-Q832894-Q837009-Q831167-Q823353
The type of the file system is NTFS.
C: is not dirty.

Tue 20 Jul 04 09:37:18
9:37am up 0 days, 18:34

»»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
The list will produce a small database of files that will match certain criteria.
You must know how to ID the file based on the filters provided in
the scan, as not all the files flagged are bad.
Ex: read only files, s/h files, last modified date. size, etc.
The filters provided should help narrow down the list, and hopefully
pinpoint the culprit.
Along with that,registry scan logged at the end should match the
corresponding file(s) listed.
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Unless the file match the entire criteria, it should not be pointed to remove!
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
*For *Helpers/Mods and/or users that are not familiar with any of the
items on the scan results- I recommend using an alternative, once
you know what to look for!
»»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/20)»»»»»»»»»»»»»»»»

»»»*»»»*Boards that are not personally authorised by me are not allowed to use this fix!»»»*»»»*

Scanning for file(s)...
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»» (*1*) »»»»» .........
»»Locked or 'Suspect' file(s) found...

C:\WINDOWS\System32\HLP.DLL +++ File read error
\\?\C:\WINDOWS\System32\HLP.DLL +++ File read error

»»»»» (*2*) »»»»»........
**File C:\FINDnFIX\LIST.TXT
HLP.DLL Can't Open!
HLPLNJ.DLL Can't Open!
IMAGEHLP.DLL Can't Open!
IPNATHLP.DLL Can't Open!
RASADHLP.DLL Can't Open!
WDMNDLL.DLL Can't Open!
XOLEHLP.DLL Can't Open!

»»»»» (*3*) »»»»»........

C:\WINDOWS\SYSTEM32\
6do4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
6jo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
6vo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
6xo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
abaamon.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
alledit.dll Thu Jul 1 2004 11:48:24a ..SHR 316,776 309.35 K
aqsc32.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
arctres.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
hlp.dll Thu Jul 1 2004 11:46:56a A...R 57,344 56.00 K
hlplnj.dll Mon Jun 28 2004 12:07:38p A...R 57,344 56.00 K
wdmndll.dll Fri Jun 25 2004 2:28:04p A...R 57,344 56.00 K

11 items found: 11 files (8 H/S), 0 directories.
Total of file sizes: 2,706,240 bytes 2.58 M

unknown/hidden files...

C:\WINDOWS\SYSTEM32\
6do4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
6jo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
6vo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
6xo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
abaamon.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
alledit.dll Thu Jul 1 2004 11:48:24a ..SHR 316,776 309.35 K
aqsc32.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
arctres.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

8 items found: 8 files, 0 directories.
Total of file sizes: 2,534,208 bytes 2.41 M

»»»»» (*4*) »»»»».........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\6DO4SVC.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\6JO4SVC.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\6VO4SVC.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\6XO4SVC.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\ABAAMON.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\ALLEDIT.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\AQSC32.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\ARCTRES.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\HLP.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\HLPLNJ.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\WDMNDLL.DLL

»»»»»(*5*)»»»»»
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
» Access denied « ..................... HLP.DLL .....57344 01.07.2004
» Access denied « ..................... HLPLNJ.DLL .....57344 28.06.2004
» Access denied « ..................... IMAGEHLP.DLL ....126976 29.08.2002
» Access denied « ..................... IPNATHLP.DLL ....439808 29.03.2004
» Access denied « ..................... RASADHLP.DLL ......6144 18.08.2001
» Access denied « ..................... WDMNDLL.DLL .....57344 25.06.2004
» Access denied « ..................... XOLEHLP.DLL ......9728 18.08.2001

»»»»»(*6*)»»»»»
fgrep: can't open input C:\WINDOWS\SYSTEM32\HLP.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\HLPLNJ.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\IMAGEHLP.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\IPNATHLP.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\RASADHLP.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\WDMNDLL.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\XOLEHLP.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
»»»»»Search by size...


C:\WINDOWS\SYSTEM32\
hlp.dll Thu Jul 1 2004 11:46:56a A...R 57,344 56.00 K
hlplnj.dll Mon Jun 28 2004 12:07:38p A...R 57,344 56.00 K
wdmndll.dll Fri Jun 25 2004 2:28:04p A...R 57,344 56.00 K

3 items found: 3 files, 0 directories.
Total of file sizes: 172,032 bytes 168.00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\HLP.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\HLPLNJ.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\WDMNDLL.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

»»Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!)
User is a member of group YOUR-6KR4ZXLD90\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.


»»»»»»Backups created...»»»»»»
9:39am up 0 days, 18:36
Tue 20 Jul 04 09:39:26

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-18-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-18-2004 winkey.reg
*Temp backups...
.
..
keyback2.hi_
winkey2.re_


C:\FINDNFIX\
JUNKXXX Sun Jul 18 2004 4:27:40p .D... <Dir>

1 item found: 0 files, 1 directory.

»»Performing string scan....
00001150: vk 8 f AppInit_DLLs G
00001190: C : \ W I N D O W S \ S y s t e m 3 2 \ h l p . d l l 5 7
000011D0:6 u . d l l l m p h vk UDeviceNo
00001210:tSelectedTimeout 1 5 P 9 0 vk '
00001250: zGDIProcessHandleQuota" vk Spooler2
00001290: y e s _ h @ p vk 5
000012D0:swapdisk vk 0 . TransmissionRetryTimeout h
00001310: @ p ( vk ' , USERProcessHandl
00001350:eQuota,
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:
00001590:
000015D0:

---------- WIN.TXT
f¨AppInit_DLLsÍ?ŠGĘ   C
--------------
--------------
$01180: AppInit_DLLs
$01207: UDeviceNotSelectedTimeout
$01257: zGDIProcessHandleQuota
$012F0: TransmissionRetryTimeout
$01340: USERProcessHandleQuota
--------------
--------------
C:\WINDOWS\System32\hlp.dll
--------------
--------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 56 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : "C:\WINDOWS\System32\hlp.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 68 00 6c 00 70 00 2e 00 | m.3.2.\.h.l.p...
0030 64 00 6c 00 6c 00 00 00 | d.l.l...
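
The most telling part of the log above is the contrast between the registry views: the value dump and the REGEDIT4 export show AppInit_DLLs as empty, while the byte-level read of the same value returns 56 bytes spelling out C:\WINDOWS\System32\hlp.dll. The script below is an added example (editor's code, not FindnFix's) that reproduces that comparison offline: it parses the hex dump exactly as printed above, decodes it as the UTF-16LE REG_SZ it is, reports whether the data is NUL-terminated or continues past an embedded NUL, and flags any disagreement with the exported string. The dump text and the exported value "" are copied from the log; the check makes no claim about why the two views differed on this machine.

```python
"""Compare a raw REG_SZ byte dump of AppInit_DLLs with what a string export showed."""
import re

# Constructed sample: the raw dump of the AppInit_DLLs value as printed in the log,
# and the value as the REGEDIT4 export in the same log showed it ("").
RAW_DUMP = r"""
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00 | C.:.\.W.I.N.D.O.
0010 57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00 | W.S.\.S.y.s.t.e.
0020 6d 00 33 00 32 00 5c 00 68 00 6c 00 70 00 2e 00 | m.3.2.\.h.l.p...
0030 64 00 6c 00 6c 00 00 00 | d.l.l...
"""
EXPORTED_STRING = ""

# offset, then hex byte pairs, then '|' and the printable column (ignored).
_HEX_LINE = re.compile(r"^[0-9a-fA-F]{4}\s+((?:[0-9a-fA-F]{2}\s+)+)\|")


def parse_dump(dump: str) -> bytes:
    """Rebuild the raw value bytes from a 'offset hex | ascii' dump."""
    out = bytearray()
    for line in dump.strip().splitlines():
        m = _HEX_LINE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def decode_reg_sz(data: bytes) -> dict:
    """Show the value as a string API would see it (up to the first NUL)
    alongside what the bytes actually contain."""
    terminated = len(data) >= 2 and data[-2:] == b"\x00\x00"
    text = data.decode("utf-16-le", errors="replace")
    api_view, _, trailing = text.partition("\x00")  # string APIs stop at the first NUL
    return {
        "raw_length": len(data),
        "null_terminated": terminated,
        "api_view": api_view,
        "hidden_after_nul": trailing.rstrip("\x00"),
    }


def compare_with_export(data: bytes, exported: str) -> list:
    """List every way the raw bytes disagree with the exported string view."""
    info = decode_reg_sz(data)
    notes = []
    if not info["null_terminated"]:
        notes.append("value is not NUL-terminated")
    if info["hidden_after_nul"]:
        notes.append("data continues after an embedded NUL: " + repr(info["hidden_after_nul"]))
    if info["api_view"] != exported:
        notes.append(f"raw bytes decode to {info['api_view']!r} but export shows {exported!r}")
    return notes


if __name__ == "__main__":
    raw = parse_dump(RAW_DUMP)
    print(decode_reg_sz(raw))
    for note in compare_with_export(raw, EXPORTED_STRING):
        print("!", note)
```

The same functions apply to any REG_SZ whose display looks wrong: feed them the bytes from a raw registry read and the string the usual tools show, and the notes tell you whether the difference is a missing terminator, an embedded NUL hiding the tail of the string, or a plain mismatch that needs a closer look at how the value was read.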


#9 Daemon

Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 20 July 2004 - 01:50 PM

Hmmm... there's quite a bit going on here.

In the keys1 folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot. On restart, open Explorer and navigate to the C:\Windows\System32 folder and find the HLP.DLL file (it should be visible now). Highlight the file and, using the top menu, click Edit>Move to folder...

Select C:\Findnfix\junkxxx as destination. Move the file.

Open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, in the FINDnFIX folder there will be a file called Log2.txt - post its contents in your next reply.

Also, click here to download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here and wait for further instructions.
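
What FIX.bat, the manual move and RESTORE.bat accomplish between them is a quarantine with a verification record: the file leaves System32, lands in junkxxx under a non-executable extension (hlp.222), and its size, MD5 and CRC-32 are logged so the right file can be confirmed later. The script below is an added example of that pattern (editor's code, not FindnFix's) and runs its demo against a stand-in file in a temporary directory rather than a real System32; the ".222" extension and the junkxxx folder name follow the log, everything else is assumed.

```python
"""Quarantine a file under a neutral extension and record hashes so the move can be verified."""
import hashlib
import os
import shutil
import tempfile
import zlib


def quarantine(src: str, quarantine_dir: str, new_ext: str = ".222") -> dict:
    """Move src into quarantine_dir, renamed to a non-executable extension,
    and return a record with its size, MD5 and CRC-32 taken before the move."""
    os.makedirs(quarantine_dir, exist_ok=True)
    with open(src, "rb") as fh:
        data = fh.read()
    record = {
        "original": src,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
    }
    base, _ = os.path.splitext(os.path.basename(src))
    dest = os.path.join(quarantine_dir, base + new_ext)
    shutil.move(src, dest)
    record["quarantined"] = dest
    return record


def verify(record: dict) -> bool:
    """Confirm the original is gone, the quarantined copy exists and its MD5 still matches."""
    if os.path.exists(record["original"]) or not os.path.isfile(record["quarantined"]):
        return False
    with open(record["quarantined"], "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest() == record["md5"]


def demo() -> dict:
    """Constructed run: a fake 'hlp.dll' in a throwaway directory, never the real one."""
    root = tempfile.mkdtemp()
    fake = os.path.join(root, "System32", "hlp.dll")
    os.makedirs(os.path.dirname(fake))
    with open(fake, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62 + b"not a real dll")  # 78 bytes, not a valid PE
    rec = quarantine(fake, os.path.join(root, "FINDnFIX", "junkxxx"))
    rec["verified"] = verify(rec)
    return rec


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12} {value}")
```

Keeping the hashes in the record is the point of the exercise: when the helper later compares the MD5 against a known sample, or when the file is submitted to a vendor, there is no doubt which bytes were actually removed from the machine.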

#10 rp535

rp535

    Member

  • Full Member
  • 30 posts

Posted 20 July 2004 - 05:25 PM

Daemon, here is the log2.txt log

»»»»»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»»»

Tue 20 Jul 04 16:53:13
4:53pm up 0 days, 0:20

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s)
6.0.2800.1106 SP1-Q828750-Q824145-Q832894-Q837009-Q831167-Q823353
The type of the file system is NTFS.
C: is not dirty.

»»»»»»»»»»»»»»»»»»***LOG2!***»»»»»»»»»»»»»»»»

This log will confirm if the file was successfully moved, and/or the right file was selected.

Scanning for file(s) in System32...

»»»»»»» (1) »»»»»»»
\\?\C:\WINDOWS\System32\HLPLNJ.DLL +++ File read error
C:\WINDOWS\System32\HLPLNJ.DLL +++ File read error

»»»»»»» (2) »»»»»»»
**File C:\FINDnFIX\LIST.TXT
HLPLNJ.DLL Can't Open!
WDMNDLL.DLL Can't Open!

»»»»»»» (3) »»»»»»»

C:\WINDOWS\SYSTEM32\
6do4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
6jo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
6vo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
6xo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
abaamon.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
alledit.dll Thu Jul 1 2004 11:48:24a ..SHR 316,776 309.35 K
aqsc32.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
arctres.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
hlplnj.dll Mon Jun 28 2004 12:07:38p A...R 57,344 56.00 K
wdmndll.dll Fri Jun 25 2004 2:28:04p A...R 57,344 56.00 K

10 items found: 10 files (8 H/S), 0 directories.
Total of file sizes: 2,648,896 bytes 2.52 M
Unknown/hidden files...

C:\WINDOWS\SYSTEM32\
6do4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
6jo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
6vo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
6xo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
abaamon.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
alledit.dll Thu Jul 1 2004 11:48:24a ..SHR 316,776 309.35 K
aqsc32.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
arctres.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

8 items found: 8 files, 0 directories.
Total of file sizes: 2,534,208 bytes 2.41 M

»»»»»»» (4) »»»»»»»
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\6DO4SVC.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\6JO4SVC.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\6VO4SVC.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\6XO4SVC.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\ABAAMON.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\ALLEDIT.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\AQSC32.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\ARCTRES.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\HLPLNJ.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\WDMNDLL.DLL

»»»»»(5)»»»»»
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
» Access denied « ..................... HLPLNJ.DLL .....57344 28.06.2004
» Access denied « ..................... WDMNDLL.DLL .....57344 25.06.2004

»»»»»(*6*)»»»»»
fgrep: can't open input C:\WINDOWS\SYSTEM32\HLPLNJ.DLL
fgrep: can't open input C:\WINDOWS\SYSTEM32\WDMNDLL.DLL

»»»»»»» Search by size...


C:\WINDOWS\SYSTEM32\
hlplnj.dll Mon Jun 28 2004 12:07:38p A...R 57,344 56.00 K
wdmndll.dll Fri Jun 25 2004 2:28:04p A...R 57,344 56.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 114,688 bytes 112.00 K

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\HLPLNJ.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\WDMNDLL.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


»»»*»»» Scanning for moved file... »»»*»»»

* result\\?\C:\FINDnFIX\junkxxx\HLP.222


C:\FINDNFIX\JUNKXXX\
hlp.222 Thu Jul 1 2004 11:46:56a A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\FINDNFIX\JUNKXXX\HLP.222

**File C:\FINDNFIX\JUNKXXX\HLP.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....Ó.

A----- HLP .222 0000E000 11:46.56 01/07/2004

--a-- W32i - - - - 57,344 07-01-2004 hlp.222
A C:\FINDnFIX\junkxxx\hlp.222

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________
HLP.222 57344 07-01-104 11:46 c185b36f9969d3a6d2122ba7cbc02249
File: <C:\FINDnFIX\junkxxx\hlp.222>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




»»Permissions:
C:\FINDnFIX\junkxxx\hlp.222 Everyone:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
YOUR-6KR4ZXLD90\User:F
BUILTIN\Users:R

Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x YOUR-6KR4ZXLD90\User
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: YOUR-6KR4ZXLD90\User

Primary Group: YOUR-6KR4ZXLD90\None

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x YOUR-6KR4ZXLD90\User
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: YOUR-6KR4ZXLD90\User

Primary Group: YOUR-6KR4ZXLD90\None

File "C:\FINDnFIX\junkxxx\hlp.222"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x YOUR-6KR4ZXLD90\User
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Owner: YOUR-6KR4ZXLD90\User

Primary Group: YOUR-6KR4ZXLD90\None

C:\FINDnFIX\junkxxx\hlp.222;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\hlp.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\hlp.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\hlp.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\hlp.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\hlp.222;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\hlp.222;YOUR-6KR4ZXLD90\User:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\hlp.222;BUILTIN\Users:RrRaRepX[I]


»»Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

»»Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



00001150: r o vk UDeviceNotSelecte
00001190:dTimeout 1 5 P h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 vk Spooler2
00001210: y e s _ vk 5swapdisk h
00001250: X vk . TransmissionRetryTimeout vk
00001290: ' , USERProcessHandleQuota, h X
000012D0: vk f AppInit_DLLs G )2q2v2|2 2 2

---------- NEWWIN.TXT
f¨AppInit_DLLsÍ?ŠG
--------------
--------------
$0117F: UDeviceNotSelectedTimeout
$011C7: zGDIProcessHandleQuota
$01270: TransmissionRetryTimeout
$012A0: USERProcessHandleQuota
$012F0: AppInit_DLLs
$0169A: d0h0l0p0t0x0
--------------
--------------
No strings found.


d.... 0 Jul 18 16:27 .
d.... 0 Jul 18 16:27 ..
....a 57344 Jul 1 11:46 hlp.222

3 files found occupying 55296 bytes

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

C:\FINDNFIX\JUNKXXX
HLP.222 : crc16=3138 crc32=D5C9FB2E

-------- C:\FINDNFIX\JUNKXXX\HLP.222
InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2
===============================================================================
57,344 bytes 477,867 cps
Files: 1 Records: 13,139 Matches: 3 Elapsed Time: 00:00:00.12

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> 07-18-:4 16:27|HLP 222 57344 A 07-01-:4 11:46
.. <dir> 07-18-:4 16:27|
---------------------------------------+---------------------------------------
3 files totaling 57344 bytes consuming 65024 bytes of disk space.
17299968 bytes available on Drive C: No volume label


#11 rp535

rp535

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 20 July 2004 - 05:39 PM

Here is the betterinternet log.
Thank you!
Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\6do4svc.dll
C:\WINDOWS\System32\6jo4svc.dll
C:\WINDOWS\System32\6vo4svc.dll
C:\WINDOWS\System32\6xo4svc.dll
C:\WINDOWS\System32\abaamon.dll
C:\WINDOWS\System32\alledit.dll
C:\WINDOWS\System32\aqsc32.dll
C:\WINDOWS\System32\arctres.dll


Guardian Key--- is called:

User Agent String---
{E88A5234-D39E-49C6-AEAF-08E16C1A052D}

#12 rp535

rp535

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 20 July 2004 - 10:53 PM

Daemon, Help Please. :wave:

#13 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 21 July 2004 - 04:15 AM

You have L2M which we can deal with later. I just need to confer on the two other 57344 byte files. I'll get back to you.

#14 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 22 July 2004 - 09:00 AM

As Daemon is not around yet but alerted me here, please
delete your current VX2finder.exe and re-download the latest
version for your variants:

http://www.downloads...Finder(126).exe

Scan, click on the save log, and save it somewhere.

Next, Restart your computer in
safe mode and try to locate the following files:
In -C:\WINDOWS\SYSTEM32\
HLPLNJ.DLL
WDMNDLL.DLL

And move both the same way into the-
C:\FINDnFIX\junkxxx< Subfolder!

(*Note:
If you get an 'access denied' type prompt, right-click
each file, one at a time,
select Properties/Security and
check the box to -> "allow inheritable permissions from parent...")

-When you have done that restart back in normal mode,
re-run the "RESTORE.bat"
once again and post the log2.txt file, along with the
new log saved by VX2finder

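The RESTORE.bat log posted in this thread checks the quarantined files by size, CRC-32, MD5 and a string search for "InstallStreamingDevice", which is how two differently named .222 files get recognised as one and the same file. The script below is an added example (not part of the thread and not the FINDnFIX tool) that reproduces that triage in Python on constructed sample files; the marker string, file names and sample bytes are assumptions chosen to mirror the log.

```python
"""Added example: triage a quarantine folder the way the FINDnFIX log does.

For each file it records size, CRC-32 and MD5, checks for a marker string,
and groups files by digest so that renamed copies of one file show up as a
single cluster. Sample files are constructed here; they are not real DLLs.
"""
import binascii
import hashlib
import os
import tempfile
from collections import defaultdict

# String that the log's search step matched inside the quarantined files.
MARKER = b"InstallStreamingDevice"


def fingerprint_bytes(name, data):
    """Return the same fields the log reports for one file's content."""
    return {
        "name": name,
        "size": len(data),
        "crc32": "%08X" % (binascii.crc32(data) & 0xFFFFFFFF),
        "md5": hashlib.md5(data).hexdigest(),
        "marker": MARKER in data,
    }


def fingerprint(path):
    """Read one file from disk and fingerprint it."""
    with open(path, "rb") as fh:
        return fingerprint_bytes(os.path.basename(path), fh.read())


def cluster_by_digest(records):
    """Group records by (size, md5) -> list of file names."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["size"], rec["md5"])].append(rec["name"])
    return dict(groups)


def triage(paths):
    """Fingerprint every path; report renamed copies and marker hits."""
    records = [fingerprint(p) for p in paths]
    clusters = cluster_by_digest(records)
    renamed_copies = {k: sorted(v) for k, v in clusters.items() if len(v) > 1}
    marker_hits = sorted(r["name"] for r in records if r["marker"])
    return {
        "records": records,
        "renamed_copies": renamed_copies,
        "marker_hits": marker_hits,
    }


def build_sample_quarantine(directory):
    """Construct sample files (assumed content, NOT the real DLLs).

    Two files share identical bytes under different names, mimicking the
    hlplnj.222 / wdmndll.222 pair; a third file is a harmless decoy.
    """
    payload = (b"MZ" + b"\x00" * 100 + MARKER
               + b"StreamingDeviceSetup\x00" + b"\x00" * 100)
    benign = b"MZ" + b"\x00" * 200 + b"BenignResource\x00"
    files = {"hlplnj.222": payload, "wdmndll.222": payload, "other.222": benign}
    paths = []
    for name, content in files.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(content)
        paths.append(path)
    return paths


def demo():
    """Run the triage on a temporary constructed quarantine folder."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_quarantine(tmp))


if __name__ == "__main__":
    result = demo()
    for rec in result["records"]:
        print("%-12s %6d crc32=%s md5=%s marker=%s" % (
            rec["name"], rec["size"], rec["crc32"], rec["md5"], rec["marker"]))
    print("renamed copies:", result["renamed_copies"])
    print("marker hits:", result["marker_hits"])
```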
#15 rp535

rp535

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 25 July 2004 - 10:59 PM

Freeatlast,
Sorry I was out of town for a few days. Here are the new logs.

╗╗╗╗╗╗╗╗*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***╗╗╗╗╗╗╗

Sun 25 Jul 04 22:37:32
10:37pm up 0 days, 0:14

Microsoft Windows XP [Version 5.1.2600]
╗╗╗IE build and last SP(s)
6.0.2800.1106 SP1-Q828750-Q824145-Q832894-Q837009-Q831167-Q823353
The type of the file system is NTFS.
C: is not dirty.

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG2!***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

This log will confirm if the file was successfully moved, and/or the right file was selected.

Scanning for file(s) in System32...

╗╗╗╗╗╗╗ (1) ╗╗╗╗╗╗╗

╗╗╗╗╗╗╗ (2) ╗╗╗╗╗╗╗
**File C:\FINDnFIX\LIST.TXT

╗╗╗╗╗╗╗ (3) ╗╗╗╗╗╗╗

C:\WINDOWS\SYSTEM32\
6do4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
6jo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
6vo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
6xo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
abaamon.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
alledit.dll Thu Jul 1 2004 11:48:24a ..SHR 316,776 309.35 K
aqsc32.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
arctres.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

8 items found: 8 files (8 H/S), 0 directories.
Total of file sizes: 2,534,208 bytes 2.41 M
Unknown/hidden files...

C:\WINDOWS\SYSTEM32\
6do4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
6jo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
6vo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
6xo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
abaamon.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
alledit.dll Thu Jul 1 2004 11:48:24a ..SHR 316,776 309.35 K
aqsc32.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
arctres.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

8 items found: 8 files, 0 directories.
Total of file sizes: 2,534,208 bytes 2.41 M

╗╗╗╗╗╗╗ (4) ╗╗╗╗╗╗╗
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\6DO4SVC.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\6JO4SVC.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\6VO4SVC.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\6XO4SVC.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\ABAAMON.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\ALLEDIT.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\AQSC32.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\ARCTRES.DLL

╗╗╗╗╗(5)╗╗╗╗╗
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

╗╗╗╗╗(*6*)╗╗╗╗╗

╗╗╗╗╗╗╗ Search by size...


No matches found.

No matches found.

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


╗╗╗*╗╗╗ Scanning for moved file... ╗╗╗*╗╗╗

* result\\?\C:\FINDnFIX\junkxxx\HLPLNJ.222
* result\\?\C:\FINDnFIX\junkxxx\WDMNDLL.222


C:\FINDNFIX\JUNKXXX\
hlplnj.222 Mon Jun 28 2004 12:07:38p A.... 57,344 56.00 K
wdmndll.222 Fri Jun 25 2004 2:28:04p A.... 57,344 56.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 114,688 bytes 112.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\FINDNFIX\JUNKXXX\HLPLNJ.222
Sniffed -> C:\FINDNFIX\JUNKXXX\WDMNDLL.222

**File C:\FINDNFIX\JUNKXXX\HLPLNJ.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....Ó.
**File C:\FINDNFIX\JUNKXXX\WDMNDLL.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....Ó.

A----- HLPLNJ .222 0000E000 12:07.38 28/06/2004
A----- WDMNDLL .222 0000E000 14:28.04 25/06/2004

c:\findnfix\junkxxx\hlplnj.222
--a-- W32i - - - - 57,344 06-28-2004 hlplnj.222
c:\findnfix\junkxxx\wdmndll.222
--a-- W32i - - - - 57,344 06-25-2004 wdmndll.222
A C:\FINDnFIX\junkxxx\hlplnj.222
A C:\FINDnFIX\junkxxx\wdmndll.222

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

File name Size Date Time MD5 Hash
________________________________________________________________________
HLPLNJ.222 57344 06-28-104 12:07 c185b36f9969d3a6d2122ba7cbc02249
WDMNDLL.222 57344 06-25-104 14:28 c185b36f9969d3a6d2122ba7cbc02249
File: <C:\FINDnFIX\junkxxx\hlplnj.222>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249



File: <C:\FINDnFIX\junkxxx\wdmndll.222>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




╗╗Permissions:
C:\FINDnFIX\junkxxx\hlplnj.222 Everyone:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
YOUR-6KR4ZXLD90\User:F
BUILTIN\Users:R

C:\FINDnFIX\junkxxx\wdmndll.222 Everyone:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
YOUR-6KR4ZXLD90\User:F
BUILTIN\Users:R

Directory "C:\FINDnFIX\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x YOUR-6KR4ZXLD90\User
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: YOUR-6KR4ZXLD90\User

Primary Group: YOUR-6KR4ZXLD90\None

Directory "C:\FINDnFIX\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x YOUR-6KR4ZXLD90\User
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: YOUR-6KR4ZXLD90\User

Primary Group: YOUR-6KR4ZXLD90\None

File "C:\FINDnFIX\junkxxx\hlplnj.222"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x YOUR-6KR4ZXLD90\User
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Owner: YOUR-6KR4ZXLD90\User

Primary Group: YOUR-6KR4ZXLD90\None

File "C:\FINDnFIX\junkxxx\wdmndll.222"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x YOUR-6KR4ZXLD90\User
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users

Owner: YOUR-6KR4ZXLD90\User

Primary Group: YOUR-6KR4ZXLD90\None

C:\FINDnFIX\junkxxx\hlplnj.222;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\hlplnj.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\hlplnj.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\hlplnj.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\hlplnj.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\hlplnj.222;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\hlplnj.222;YOUR-6KR4ZXLD90\User:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\hlplnj.222;BUILTIN\Users:RrRaRepX[I]
C:\FINDnFIX\junkxxx\wdmndll.222;Everyone:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmndll.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmndll.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmndll.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO
C:\FINDnFIX\junkxxx\wdmndll.222;BUILTIN\Administrators:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\wdmndll.222;NT AUTHORITY\SYSTEM:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\wdmndll.222;YOUR-6KR4ZXLD90\User:RrRaRepWwAWaWePXDDcO[I]
C:\FINDnFIX\junkxxx\wdmndll.222;BUILTIN\Users:RrRaRepX[I]


╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

╗╗Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



00001150: vk UDeviceNotSelecte
00001190:dTimeout 1 5 P h vk ' zGDIProce
000011D0:ssHandleQuota" 9 0 vk Spooler2
00001210: y e s _ vk 5swapdisk h
00001250: X vk . TransmissionRetryTimeout vk
00001290: ' , USERProcessHandleQuota, h X
000012D0: vk f AppInit_DLLs G

---------- NEWWIN.TXT
f¨AppInit_DLLsÍ?ŠG
--------------
--------------
$0117F: UDeviceNotSelectedTimeout
$011C7: zGDIProcessHandleQuota
$01270: TransmissionRetryTimeout
$012A0: USERProcessHandleQuota
$012F0: AppInit_DLLs
--------------
--------------
No strings found.


d.... 0 Jul 18 16:27 .
d.... 0 Jul 18 16:27 ..
....a 57344 Jun 28 12:07 hlplnj.222
....a 57344 Jun 25 14:28 wdmndll.222

4 files found occupying 111616 bytes

CRC-Cyclic Redundancy Checker, Version 1.20, 08-Feb-92, rtk

C:\FINDNFIX\JUNKXXX
HLPLNJ.222 : crc16=3138 crc32=D5C9FB2E
WDMNDLL.222 : crc16=3138 crc32=D5C9FB2E

-------- C:\FINDNFIX\JUNKXXX\HLPLNJ.222
InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2-------- C:\FINDNFIX\JUNKXXX\WDMNDLL.222
InstallStreamingDeviceStreamingDeviceSetupStreamingDeviceSetup2
===============================================================================
114,688 bytes 955,733 cps
Files: 2 Records: 26,278 Matches: 6 Elapsed Time: 00:00:00.12

VDIR v1.00
Path: C:\FINDNFIX\JUNKXXX\*.*
---------------------------------------+---------------------------------------
. <dir> 07-18-:4 16:27|HLPLNJ 222 57344 A 06-28-:4 12:07
.. <dir> 07-18-:4 16:27|WDMNDLL 222 57344 A 06-25-:4 14:28
---------------------------------------+---------------------------------------
4 files totaling 114688 bytes consuming 130048 bytes of disk space.
17299968 bytes available on Drive C: No volume label


#16 rp535

rp535

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 25 July 2004 - 11:01 PM

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{E88A5234-D39E-49C6-AEAF-08E16C1A052D}

#17 rp535

rp535

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 26 July 2004 - 11:57 AM

Help Please!!!!!

#18 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 26 July 2004 - 01:46 PM

Hey... :scratchhead:
No need to bump!

I was checking on your topic and there was no reply, so far.

Well done!
All your files have been identified!
I'm a bit confused about what happened to the first file you removed with Daemon (hlp.dll),
as it's no longer included!

Anyway, to wrap up the cws episode-- follow these steps:

Last step(s):

-Open the FINDnFIX\Files2< Subfolder:
Run the -> "ZIPZAP.bat" file.
It will take just a second, quickly clean the rest and
will create a zipped copy of the bad file(s) in the same
folder (named as-- junkxxx.zip) and open your email
client with instructions:
Simply drag and drop the 'junkxxx.zip' file from
the folder into the mail message and submit
to the specified addresses! Thanks!

-When done, restart your computer and
Delete the entire 'FINDnFIX' folder(s)
From C:\

*Next, delete ALL your previous VX2finder(s).exe
It was updated again.
Download this version from here:
http://downloads.sub...Finder(126).exe

Scan, post the results along with new hijackthis log!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image
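The ZIPZAP.bat step above packs the identified files into junkxxx.zip for submission, and the FINDnFIX output earlier in the thread lists each file with its crc32 (note that HLPLNJ.222 and WDMNDLL.222 carry the same CRC, i.e. they are copies of one binary). The following is an added example, not part of the thread or of the FINDnFIX/ZIPZAP tools, showing how a helper would hash suspect files, record duplicates, and package them with a manifest. File names and contents in demo() are constructed stand-ins for the JUNKXXX folder:

```python
import hashlib
import os
import tempfile
import zipfile
import zlib
from collections import defaultdict


def crc32_hex(data: bytes) -> str:
    """CRC-32 of a byte string as uppercase hex, the same form as the crc32= column above."""
    return "%08X" % (zlib.crc32(data) & 0xFFFFFFFF)


def hash_file(path: str):
    """Return (crc32_hex, sha256_hex) for a file, read in chunks so large samples are fine."""
    crc = 0
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
    return "%08X" % (crc & 0xFFFFFFFF), sha.hexdigest()


def build_manifest(paths):
    """One entry per file plus a map sha256 -> names for files whose content is identical."""
    entries, by_sha = [], defaultdict(list)
    for p in paths:
        crc, sha = hash_file(p)
        name = os.path.basename(p)
        entries.append({"name": name, "size": os.path.getsize(p), "crc32": crc, "sha256": sha})
        by_sha[sha].append(name)
    duplicates = {sha: names for sha, names in by_sha.items() if len(names) > 1}
    return entries, duplicates


def package_samples(paths, zip_path: str):
    """Write the suspect files and a MANIFEST.txt into zip_path; return the manifest data."""
    entries, duplicates = build_manifest(paths)
    lines = ["%s : size=%d crc32=%s sha256=%s" % (e["name"], e["size"], e["crc32"], e["sha256"])
             for e in entries]
    for sha, names in duplicates.items():
        lines.append("identical content %s...: %s" % (sha[:12], ", ".join(names)))
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in paths:
            zf.write(p, arcname=os.path.basename(p))
        zf.writestr("MANIFEST.txt", "\n".join(lines) + "\n")
    return entries, duplicates


def demo():
    """Constructed stand-in for the JUNKXXX folder: two identical files and one that differs."""
    workdir = tempfile.mkdtemp()
    payload = b"constructed sample bytes, not a real binary\n" * 64
    samples = {
        "sample_a.bin": payload,
        "sample_b.bin": payload,                 # byte-for-byte copy of sample_a
        "sample_c.bin": payload[:-1] + b"!",     # same size, different content
    }
    paths = []
    for name, data in samples.items():
        p = os.path.join(workdir, name)
        with open(p, "wb") as fh:
            fh.write(data)
        paths.append(p)
    zip_path = os.path.join(workdir, "junkxxx.zip")
    entries, duplicates = package_samples(paths, zip_path)
    with zipfile.ZipFile(zip_path) as zf:
        zip_names = zf.namelist()
    return entries, duplicates, zip_names


if __name__ == "__main__":
    entries, duplicates, zip_names = demo()
    for e in entries:
        print("%(name)s : size=%(size)d crc32=%(crc32)s sha256=%(sha256)s" % e)
    print("duplicate groups:", duplicates)
    print("archive contents:", zip_names)
```

The SHA-256 column is what a submission recipient can cross-check against their own records; CRC-32 is kept only because that is what the thread's tool reports, and two different files can share a CRC-32.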

#19 rp535

rp535

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 26 July 2004 - 02:13 PM

Freeatlast,
sorry for the bump, I didn't mean to be rude.
I ran ZIPZAP.bat and dragged the junkxxx.zip into the email. It is requesting a link to this forum be included in the email. Can you tell me how to do this?
Thanks for your help.

#20 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 26 July 2004 - 02:21 PM

Don't worry about the link. Just submit
I'll know where it came from ;)

When done, proceed with the rest of the steps...

#21 rp535

rp535

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 26 July 2004 - 02:41 PM

Freeatlast,
vx2.log
Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{E88A5234-D39E-49C6-AEAF-08E16C1A052D}
Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{E88A5234-D39E-49C6-AEAF-08E16C1A052D}
Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{E88A5234-D39E-49C6-AEAF-08E16C1A052D}
Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{E88A5234-D39E-49C6-AEAF-08E16C1A052D}
Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{E88A5234-D39E-49C6-AEAF-08E16C1A052D}
Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{E88A5234-D39E-49C6-AEAF-08E16C1A052D}
Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{E88A5234-D39E-49C6-AEAF-08E16C1A052D}
Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{E88A5234-D39E-49C6-AEAF-08E16C1A052D}

#22 rp535

rp535

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 26 July 2004 - 02:43 PM

hijackthis log

Logfile of HijackThis v1.97.7
Scan saved at 2:41:52 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
C:\WIN2000\guru.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\FRU\Remind32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\SD2ZWTQ7\VX2Finder(126)[1].exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\unzipped\hijackthis1977[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.r5.attbi.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [W0lxD.exe] c:\documents and settings\user\local settings\temp\W0lxD.exe
O4 - HKLM\..\Run: [Spyware X-terminator Control Center] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
O4 - HKCU\..\Run: [WinTOTAL Scheduler] C:\WIN2000\guru.exe
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\User\Application Data\rncr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msdbrptr949i.exe] C:\WINDOWS\System32\msdbrptr949i.exe
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\FRU\Remind32.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsu...oad/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7584.8022916667
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab

#23 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 26 July 2004 - 03:05 PM

I'm not sure about the reason, but VX2finder doesn't seem
to work properly. :scratchhead:
I do know some of the files are different...

Here is the list:

C:\WINDOWS\SYSTEM32\

6do4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
6jo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
6vo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
6xo4svc.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
abaamon.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
alledit.dll Thu Jul 1 2004 11:48:24a ..SHR 316,776 309.35 K
aqsc32.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K
arctres.dll Thu Jul 1 2004 11:48:24a A.SHR 316,776 309.35 K

All these files have hidden and system attributes.
You have to make sure all hidden/protected files are visible.
Find these according to specs (exact file name/size! 316,776 bytes)
In system32, and try to delete one at a time.
*Be sure to identify the right files!

*If any can't be deleted, post back the exact file name!
Run VX2finder and click the "userAgent" and 'Restore policy' tabs.
It will ask you to restart.

You still have malware left on your hijackthis log!
Start by fixing these:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [W0lxD.exe] c:\documents and settings\user\local settings\temp\W0lxD.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\User\Application Data\rncr.exe
O4 - HKCU\..\Run: [msdbrptr949i.exe] C:\WINDOWS\System32\msdbrptr949i.exe
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m**< optional but cr@py reputation!
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab

Reboot and post fresh hijackthis log and new VX2finder scan results.
Click only once, as it looks like you clicked several times!

***Edit:
Daemon gave you earlier directions to Ad-Aware.
After performing the steps above, install Ad-Aware VX2plugin from here:
http://www.lavasoftu...x2cleaner.shtml
Run full system scan and allow it to fix all it finds.

Edited by freeatlast, 26 July 2004 - 03:18 PM.

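The post above picks entries out of a HijackThis log by hand: an autorun living in the user's temp or Application Data folder, an autorun in System32 whose value name is just its own random-looking exe name, IE policy restrictions, and the missing URLSearchHook. The earlier VX2Finder output lists the Winlogon\Notify subkeys, which on a stock XP machine are the nine names shown. The following is an added example, not part of the thread, HijackThis or VX2Finder, that encodes those same checks as heuristics over the log text. The sample HijackThis lines are copied from the log posted in #22; the VX2Finder sample is the thread's own Notify list plus one constructed extra key ("xxnotify") to show the baseline comparison; the KNOWN_GOOD_SYSTEM32 allowlist is an assumption of this example:

```python
import re

# Default Winlogon\Notify subkeys on Windows XP, as listed by VX2Finder earlier in this thread.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon"}

# Allowlist for the "value name equals exe name" rule (assumption of this example).
# ctfmon.exe is a stock XP autorun and would otherwise be a false positive.
KNOWN_GOOD_SYSTEM32 = {"ctfmon.exe"}

# Profile locations that installed software does not normally autorun from.
RISKY_DIRS = ("\\local settings\\temp\\", "\\application data\\", "\\temporary internet files\\")

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def triage_hjt(log_text: str):
    """Return (line, reason) pairs for HijackThis lines that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "R3 - Default URLSearchHook is missing":
            findings.append((line, "default URLSearchHook removed; common after a browser hijack"))
            continue
        if line.startswith("O6 - ") and line.endswith(" present"):
            findings.append((line, "IE policy restriction set; legitimate only if an admin configured it"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        name, cmd_l = m.group("name").lower(), m.group("cmd").lower()
        # last path component of the command, with any quote or arguments trimmed
        basename = cmd_l.strip('"').split("\\")[-1].split('"')[0].split(" ")[0]
        if any(d in cmd_l for d in RISKY_DIRS):
            findings.append((line, "autorun launched from a user temp or profile data folder"))
        elif name == basename and "\\system32\\" in cmd_l and basename not in KNOWN_GOOD_SYSTEM32:
            findings.append((line, "autorun named after its own exe in System32; verify the file"))
    return findings


def check_notify(vx2_log_text: str):
    """Return Winlogon\\Notify subkeys from a VX2Finder log that are not in the XP baseline."""
    keys, collecting = [], False
    for raw in vx2_log_text.splitlines():
        line = raw.strip()
        if line == "Keys Under Notify---":
            collecting = True
            continue
        if collecting:
            if not line or line.endswith("---"):
                break
            keys.append(line)
    return [k for k in keys if k not in KNOWN_NOTIFY]


# Lines taken from the HijackThis log in post #22 of this thread.
SAMPLE_HJT = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [W0lxD.exe] c:\documents and settings\user\local settings\temp\W0lxD.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\User\Application Data\rncr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msdbrptr949i.exe] C:\WINDOWS\System32\msdbrptr949i.exe
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

# The thread's VX2Finder Notify list plus one constructed extra key for illustration.
SAMPLE_VX2 = """Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon
xxnotify


Guardian Key--- is called:

User Agent String---
"""

if __name__ == "__main__":
    for line, reason in triage_hjt(SAMPLE_HJT):
        print("%-90s  %s" % (line, reason))
    print("unexpected Notify keys:", check_notify(SAMPLE_VX2))
```

These rules only reproduce the judgement calls visible in this post; an entry such as the kdx\KHost.exe autorun is caught by a helper's knowledge of the product, not by a path pattern, so the output is a review list, not a verdict.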

#24 rp535

rp535

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 26 July 2004 - 04:44 PM

Freeatlast,
New Logs

Logfile of HijackThis v1.97.7
Scan saved at 4:39:34 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe
C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
C:\WIN2000\guru.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\FRU\Remind32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis1977[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.r5.attbi.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Spyware X-terminator Control Center] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\STOMPS~1\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\STOMPS~1\SPYWAR~1\CookiePatrol.exe
O4 - HKCU\..\Run: [WinTOTAL Scheduler] C:\WIN2000\guru.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\FRU\Remind32.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open Image in New Window - res://C:\Program Files\PopUpCop\popupcop.dll/imagenew
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsu...oad/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7584.8022916667
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.../20/SassCln.CAB
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{E88A5234-D39E-49C6-AEAF-08E16C1A052D}

#25 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 26 July 2004 - 06:13 PM

Much better! :D
After consulting with my good bud O^E, it turns
out that the VX2 files are probably left over from an older version!

Were you able to find and delete all?

Fix checked in hijackthis:

O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)

Run VX2finder, select the "UserAgent$" tab and have it
remove the string!
Be sure this line doesn't show up again!

User Agent String---
{E88A5234-D39E-49C6-AEAF-08E16C1A052D}


From your previously fixed load, find and delete:
C:\Documents and Settings\User\
Application Data\rncr.exe< file

WINDOWS\System32\msdbrptr949i.exe< file.

Empty your temp folder from start/run/type:
%temp%
Clear entire contents of temp folder

Run all the recommended tools advised by Daemon again,
and you should be
all set! :D

#26 rp535

rp535

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 26 July 2004 - 10:47 PM

Freeatlast,
I think I was able to remove all of the VX2 files, but I could not remove all of the files in the temp folder.

#27 rp535

rp535

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 27 July 2004 - 09:33 AM

Freeatlast,
I also have 2 things in my list of programs that I can't remove.
Zerospyware lite and Kazaa media desktop. Can you tell me how to remove these?

#28 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 27 July 2004 - 11:20 AM

The items in 'temp' that resist removal can be safely ignored, as they are used by Windows.

As for the other programs, check the corresponding entries in Windows control panel/Add/remove programs and try to uninstall them. :scratchhead:

#29 rp535

rp535

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 27 July 2004 - 11:49 AM

Thanks, I have tried both many times and it will not allow me to remove. Kazaa says error loading C:\windows\system32\cd-clint.dll and Zerospyware lite says an error (5004:0x80029c4a) has occurred while running setup but I'm trying to delete not install.

#30 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 27 July 2004 - 02:58 PM

Thanks, I have tried both many times and it will not allow me to remove. Kazaa says error loading C:\windows\system32\cd-clint.dll and Zerospyware lite says an error (5004:0x80029c4a) has occurred while running setup but I'm trying to delete not install.

Use this utility:
http://freehost14.we...s/myuninst.html
Run, find both programs and look at their properties.
Location, uninstall command etc.
You can try to uninstall directly from there, but it will most likely fail.
If so, use the tool to remove the items from the list, after you
were able to locate their install location, if it exists.
(e.g. C:\Program Files\Zerospyware lite).
When done, find and manually delete the remains. (In program files)

#31 rp535

rp535

    Member

  • Full Member
  • Pip
  • 30 posts

Posted 27 July 2004 - 03:19 PM

Hey Freeatlast, Thank you so much for your help. I really appreciate it. This is the first time in months I have been able to use my computer without problems. Thanks again

#32 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 27 July 2004 - 05:16 PM

:p

:wave:

#33 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 28 July 2004 - 01:13 AM

Thanks FAL - quality work as always :cool:



To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.



