
Solved: Please render advice on my hijackthis file which follows - help - save me!!!

Discussion in 'Virus & Other Malware Removal' started by OxfordBarney, Dec 15, 2004.

  1. OxfordBarney

    OxfordBarney Thread Starter

    Joined:
    Dec 14, 2004
    Messages:
    156
    Logfile of HijackThis v1.98.2
    Scan saved at 20:43:29, on 15/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
    C:\Program Files\STA Kit ADSL\CnxDslTb.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\HJK\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [dwoxpgbvlupgb] C:\WINDOWS\system32\afdznlz.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
    O4 - HKLM\..\Run: [Windows Monitor] winmon.exe
    O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
    O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\STA Kit ADSL\CnxDslTb.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvisp32.exe
    O4 - HKLM\..\RunServices: [Windows Monitor] winmon.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKCU\..\Run: [ixplore] "C:\Program Files\Internet Explorer\ixplore.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Windows Monitor] winmon.exe
    O4 - HKCU\..\RunServices: [Windows Monitor] winmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm119YYAD
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
    O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
    O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
    O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.8.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102964029897
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D7348705-706E-4F5E-AB0D-452099D050EF}: NameServer = 194.158.64.9 194.158.64.10

    Thanks for your urgent and valued advice.

    OxfordBarney
     
  2. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Hi and welcome. Unfortunately it looks like you have a very difficult problem and the pros are still working on the 'perfect' fix.

    You'll have to be a bit patient for a response here.
     
  3. OxfordBarney

    OxfordBarney Thread Starter

    Joined:
    Dec 14, 2004
    Messages:
    156
    Thanks for that - I'll wait - it sure is a stubborn virus - keeps coming back - adaware doesn't work, even with the vx2 plugin.
     
  4. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Yes, I know. If you browse around the security posts, you'll see some very difficult problems :( The scumbags that do this should be shot! :mad:
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,867
    Hi and welcome to TSG,

    Click here: http://forums.techguy.org/attachment.php?attachmentid=44854 to download Findit.zip.

    Unzip it and double-click on Find.bat to run it. It should run for a few seconds, then open the Output.txt file. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.

    Download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here and wait for further instructions.

    http://www.downloads.subratam.org/VX2Finder.exe

    After you have posted all that info here, it is very important that you do not restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry we need to remove will change, as will some of the file names, and we will have to start all over.
     
  6. OxfordBarney

    OxfordBarney Thread Starter

    Joined:
    Dec 14, 2004
    Messages:
    156
    Dear Cookie,

    Here's the log of vx2finder.exe.

    Log for VX2.BetterInternet File Finder

    Files Found---


    Guardian Key--- is called:

    User Agent String---
    {C3DE1BF8-A8D2-4E6A-8AC1-4E745DFDE1DF}

    Here's the output.txt file you requested ----------. Many thanks.

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    ------- System Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is 0000-6753

    Directory of C:\WINDOWS\System32

    16/12/2004 07:55 225,410 woashext.dll
    16/12/2004 07:55 223,085 o4nsle571h.dll
    15/12/2004 20:10 225,410 gp80l3lm1.dll
    15/12/2004 00:16 223,506 j84olih3184.dll
    14/12/2004 23:40 <DIR> dllcache
    14/12/2004 23:04 222,757 n28o0cl3efq.dll
    14/12/2004 22:34 222,998 pogfilt.dll
    14/12/2004 22:10 14,336 Thumbs.db
    14/12/2004 22:05 222,757 numsapi.dll
    14/12/2004 20:11 222,757 djkquota.dll
    14/12/2004 19:42 222,757 coprops.dll
    14/12/2004 19:18 225,981 Ove2conv.dll
    14/12/2004 11:29 225,981 kpdintam.dll
    14/12/2004 11:29 225,992 dnj0011me.dll
    14/12/2004 08:42 223,960 kydnec.dll
    28/06/2003 18:52 <DIR> Microsoft
    29/08/2002 21:00 78,848 mssupdate.exe
    15 File(s) 3,006,535 bytes
    2 Dir(s) 16,037,134,336 bytes free

    ------- Hidden Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is 0000-6753

    Directory of C:\WINDOWS\System32

    14/12/2004 23:40 <DIR> dllcache
    14/12/2004 22:10 14,336 Thumbs.db
    14/12/2004 21:17 488 WindowsLogon.manifest
    14/12/2004 21:17 488 logonui.exe.manifest
    14/12/2004 21:16 749 cdplayer.exe.manifest
    14/12/2004 21:16 749 nwc.cpl.manifest
    14/12/2004 21:16 749 sapi.cpl.manifest
    14/12/2004 21:16 749 wuaucpl.cpl.manifest
    14/12/2004 21:16 749 ncpa.cpl.manifest
    29/08/2002 21:00 78,848 mssupdate.exe
    9 File(s) 97,905 bytes
    1 Dir(s) 16,037,130,240 bytes free

    ---------- Files Named "Guard" -------------

    Volume in drive C has no label.
    Volume Serial Number is 0000-6753

    Directory of C:\WINDOWS\System32


    --------- Temp Files in System32 Directory --------

    Volume in drive C has no label.
    Volume Serial Number is 0000-6753

    Directory of C:\WINDOWS\System32

    29/08/2002 03:00 2,577 CONFIG.TMP
    1 File(s) 2,577 bytes
    0 Dir(s) 16,037,126,144 bytes free

    ---------------- User Agent ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{C3DE1BF8-A8D2-4E6A-8AC1-4E745DFDE1DF}"=""


    ------------ Keys Under Notify ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\gp80l3lm1.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    ---------------- Xfind Results -----------------

    C:\WINDOWS\System32\GP80L3~1.DLL +++ File read error

    -------------- Locate.com Results ---------------


    C:\WINDOWS\SYSTEM32\
    cdplay~1.ma~ Tue 14 Dec 2004 21:16:50 A..HR 749 0.73 K
    coprops.dll Tue 14 Dec 2004 19:42:24 ..S.R 222,757 217.54 K
    djkquota.dll Tue 14 Dec 2004 20:11:34 ..S.R 222,757 217.54 K
    dnj001~1.dll Tue 14 Dec 2004 11:29:30 ..S.R 225,992 220.70 K
    gp80l3~1.dll Wed 15 Dec 2004 20:10:22 ..S.R 225,410 220.13 K
    j84oli~1.dll Wed 15 Dec 2004 0:16:44 ..S.R 223,506 218.27 K
    kpdintam.dll Tue 14 Dec 2004 11:29:30 ..S.R 225,981 220.68 K
    kydnec.dll Tue 14 Dec 2004 8:42:18 ..S.R 223,960 218.71 K
    logonu~1.man Tue 14 Dec 2004 21:17:02 A..HR 488 0.48 K
    n28o0c~1.dll Tue 14 Dec 2004 23:04:20 ..S.R 222,757 217.54 K
    ncpacp~1.man Tue 14 Dec 2004 21:16:50 A..HR 749 0.73 K
    numsapi.dll Tue 14 Dec 2004 22:05:24 ..S.R 222,757 217.54 K
    nwccpl~1.ma~ Tue 14 Dec 2004 21:16:50 A..HR 749 0.73 K
    o4nsle~1.dll Thu 16 Dec 2004 7:55:34 ..S.R 223,085 217.86 K
    ove2conv.dll Tue 14 Dec 2004 19:18:20 ..S.R 225,981 220.68 K
    pogfilt.dll Tue 14 Dec 2004 22:34:10 ..S.R 222,998 217.77 K
    sapicp~1.man Tue 14 Dec 2004 21:16:50 A..HR 749 0.73 K
    thumbs.db Tue 14 Dec 2004 22:10:50 A.SH. 14,336 14.00 K
    window~1.ma~ Tue 14 Dec 2004 21:17:02 A..HR 488 0.48 K
    woashext.dll Thu 16 Dec 2004 7:55:34 ..S.R 225,410 220.13 K
    wuaucp~1.man Tue 14 Dec 2004 21:16:50 A..HR 749 0.73 K

    21 items found: 21 files, 0 directories.
    Total of file sizes: 2,932,408 bytes 2.79 M
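    The two checks the helpers are making by eye in this thread, mechanised: which entries in the "Keys Under Notify" export are not stock Windows XP notification packages (or load a DLL by full path, as the random-named system32 DLL does), and which O1 lines point a search host at a remote address. This is an added example, not code from the thread or from Find.bat/HijackThis; the sample inputs are constructed from values shown in the posts, and the 127.0.0.1 hosts line is made up to show a benign entry. Because it keys on structure rather than names, it also catches the renamed DLL and subkey that appear after the reboot in the later Find.bat run.

```python
"""Triage helpers for a Find.bat 'Keys Under Notify' REGEDIT4 export and the
O1 (hosts) lines of a HijackThis log.  Added example; sample data below is
constructed from the values posted in this thread."""
import re

# Winlogon notification packages that ship with Windows XP SP1; these are the
# subkeys present in the clean part of the export.  Anything else is suspect.
KNOWN_XP_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\"
                 "CurrentVersion\\Winlogon\\Notify\\")


def decode_reg_value(raw):
    """Turn the right-hand side of a REGEDIT4 line into a Python value.
    Handles the three forms in the export: "string", dword:xxxxxxxx and
    hex(2): (REG_EXPAND_SZ as comma-separated ANSI bytes, NUL-terminated)."""
    if raw.startswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.rstrip(b"\x00").decode("latin-1")
    return raw


def parse_regedit4(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = decode_reg_value(raw.strip())
    return keys


def suspicious_notify_packages(text):
    """Return [(subkey, dllname)] for Notify entries that are not a stock XP
    package or that load their DLL by full path.  Stock packages register a
    bare file name (wlnotify.dll); the entry in the thread uses a random-named
    DLL under a full system32 path, and both its subkey and file name change
    across reboots, so the check keys on structure rather than on names."""
    hits = []
    for key, values in parse_regedit4(text).items():
        if not key.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        sub = key[len(NOTIFY_PREFIX):]
        # the export spells the value both "DllName" and "DLLName"
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), "")
        if sub not in KNOWN_XP_NOTIFY or "\\" in dll:
            hits.append((sub, dll))
    return hits


HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def hijacked_hosts(hjt_log):
    """Return [(ip, hostname)] for O1 lines that point a name at a non-loopback
    address.  Blocking entries (127.0.0.1 / 0.0.0.0) are a normal hosts-file
    use; sending search-assistant names to a remote IP is a hijack."""
    hits = []
    for line in hjt_log.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m and m.group(1) not in LOOPBACK:
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample: a clean package, a package registered by bare name, and
# the entry from the first Find.bat output in this thread.
SAMPLE_NOTIFY = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gp80l3lm1.dll"
"Logon"="WinLogon"
"""

# Constructed sample: the three O1 lines from the posted log plus one made-up
# benign blocking entry.
SAMPLE_HJT = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 ad.example.invalid
"""

if __name__ == "__main__":
    for sub, dll in suspicious_notify_packages(SAMPLE_NOTIFY):
        print(f"Notify package '{sub}' loads {dll}")
    for ip, host in hijacked_hosts(SAMPLE_HJT):
        print(f"hosts entry sends {host} to {ip}")
```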
    
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,867
    Download the Hoster from: http://members.aol.com/toadbee/hoster.zip. UnZip the file to your desktop.

    Click here: http://www.downloads.subratam.org/KillBox.zip to download Pocket KillBox.

    Unzip the files to the folder of your choice.

    Also I am attaching a fix.zip file to this post. Download fix.zip to your desktop and unzip it.

    IMPORTANT!: Before you continue, close ALL running programs. Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access.

    Double click on the fix.reg file to enter it into the registry. Answer yes when asked to have its contents added to the registry.

    Run Pocket Killbox and click on Tools > Delete Temp Files and let it do its thing.

    Next in the "Paste Full Path of File to Delete" box, copy and paste each of the following lines one at a time. Put a tick by Standard File Kill and put a check by End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter each file. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\SYSTEM32\coprops.dll
    C:\WINDOWS\SYSTEM32\djkquota.dll
    C:\WINDOWS\SYSTEM32\dnj001~1.dll
    C:\WINDOWS\SYSTEM32\gp80l3~1.dll
    C:\WINDOWS\SYSTEM32\j84oli~1.dll
    C:\WINDOWS\SYSTEM32\kpdintam.dll
    C:\WINDOWS\SYSTEM32\kydnec.dll
    C:\WINDOWS\SYSTEM32\n28o0c~1.dll
    C:\WINDOWS\SYSTEM32\numsapi.dll
    C:\WINDOWS\SYSTEM32\o4nsle~1.dll
    C:\WINDOWS\SYSTEM32\ove2conv.dll
    C:\WINDOWS\SYSTEM32\pogfilt.dll
    C:\WINDOWS\SYSTEM32\woashext.dll


    Note: If KillBox tells you the file cannot be deleted, then put a tick by Delete on Reboot for that particular file and then click the button with the red circle and an X in the middle. It will ask for confirmation and if you want to reboot now. Click No then OK on the next prompt. It is also possible that it will tell you that one or more do not exist. Continue on as instructed if that happens.

    Run the Hoster and click "Restore Original Hosts" and press "OK" then Exit the Hoster.

    Next run VX2Finder and click the "Restore Policy" button.

    Now restart your computer.

    Finally, run Find.bat again. Let it run as you did before and it will produce another output.txt file. When it is finished, hit any key to close find.bat. When you close find.bat it will ask you if you want to save the changes to output.txt. Click Yes and post the contents of the new output.txt file here along with a new Hijack This log.

    Again I remind you, it is very important that you do not restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry we need to remove will change, as will some of the file names, and we will have to start all over.
     
  8. OxfordBarney

    OxfordBarney Thread Starter

    Joined:
    Dec 14, 2004
    Messages:
    156
    Many thanks again. I made a mistake, and I hope that it doesn't require us to start again. I overlooked the fix.reg instruction on first pass, and so I went through your full instructions a second time. I am also a little confused on your warning about restarting. I will try to leave the computer on until I hear from you again. Here are the latest output.txt and hijackthis log files:

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    ------- System Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is 0000-6753

    Directory of C:\WINDOWS\System32

    17/12/2004 13:34 225,522 camaddin.dll
    17/12/2004 13:34 222,955 p4r4le9q1h.dll
    17/12/2004 11:38 225,522 fp4s03h7e.dll
    17/12/2004 11:31 225,201 oybcjt32.dll
    17/12/2004 10:51 224,779 mpir3jp.dll
    17/12/2004 08:03 223,085 h40qled51h0.dll
    14/12/2004 23:40 <DIR> dllcache
    14/12/2004 22:10 14,336 Thumbs.db
    28/06/2003 18:52 <DIR> Microsoft
    29/08/2002 21:00 78,848 mssupdate.exe
    8 File(s) 1,440,248 bytes
    2 Dir(s) 16,134,684,672 bytes free

    ------- Hidden Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is 0000-6753

    Directory of C:\WINDOWS\System32

    14/12/2004 23:40 <DIR> dllcache
    14/12/2004 22:10 14,336 Thumbs.db
    14/12/2004 21:17 488 WindowsLogon.manifest
    14/12/2004 21:17 488 logonui.exe.manifest
    14/12/2004 21:16 749 cdplayer.exe.manifest
    14/12/2004 21:16 749 nwc.cpl.manifest
    14/12/2004 21:16 749 sapi.cpl.manifest
    14/12/2004 21:16 749 wuaucpl.cpl.manifest
    14/12/2004 21:16 749 ncpa.cpl.manifest
    29/08/2002 21:00 78,848 mssupdate.exe
    9 File(s) 97,905 bytes
    1 Dir(s) 16,134,680,576 bytes free

    ---------- Files Named "Guard" -------------

    Volume in drive C has no label.
    Volume Serial Number is 0000-6753

    Directory of C:\WINDOWS\System32


    --------- Temp Files in System32 Directory --------

    Volume in drive C has no label.
    Volume Serial Number is 0000-6753

    Directory of C:\WINDOWS\System32

    29/08/2002 03:00 2,577 CONFIG.TMP
    1 File(s) 2,577 bytes
    0 Dir(s) 16,134,676,480 bytes free

    ---------------- User Agent ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{C3DE1BF8-A8D2-4E6A-8AC1-4E745DFDE1DF}"=""


    ------------ Keys Under Notify ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\fp4s03h7e.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    ---------------- Xfind Results -----------------

    C:\WINDOWS\System32\CAMADDIN.DLL +++ File read error

    -------------- Locate.com Results ---------------


    C:\WINDOWS\SYSTEM32\
    camaddin.dll Fri 17 Dec 2004 13:34:58 ..S.R 225,522 220.23 K
    cdplay~1.ma~ Tue 14 Dec 2004 21:16:50 A..HR 749 0.73 K
    fp4s03~1.dll Fri 17 Dec 2004 11:38:20 ..S.R 225,522 220.23 K
    h40qle~1.dll Fri 17 Dec 2004 8:03:32 ..S.R 223,085 217.86 K
    logonu~1.man Tue 14 Dec 2004 21:17:02 A..HR 488 0.48 K
    mpir3jp.dll Fri 17 Dec 2004 10:51:48 ..S.R 224,779 219.51 K
    ncpacp~1.man Tue 14 Dec 2004 21:16:50 A..HR 749 0.73 K
    nwccpl~1.ma~ Tue 14 Dec 2004 21:16:50 A..HR 749 0.73 K
    oybcjt32.dll Fri 17 Dec 2004 11:31:50 ..S.R 225,201 219.92 K
    p4r4le~1.dll Fri 17 Dec 2004 13:34:58 ..S.R 222,955 217.73 K
    sapicp~1.man Tue 14 Dec 2004 21:16:50 A..HR 749 0.73 K
    thumbs.db Tue 14 Dec 2004 22:10:50 A.SH. 14,336 14.00 K
    window~1.ma~ Tue 14 Dec 2004 21:17:02 A..HR 488 0.48 K
    wuaucp~1.man Tue 14 Dec 2004 21:16:50 A..HR 749 0.73 K

    14 items found: 14 files, 0 directories.
    Total of file sizes: 1,366,121 bytes 1.30 M
    

    Logfile of HijackThis v1.98.2
    Scan saved at 13:48:37, on 17/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
    C:\Program Files\STA Kit ADSL\CnxDslTb.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\HJK\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [dwoxpgbvlupgb] C:\WINDOWS\system32\afdznlz.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
    O4 - HKLM\..\Run: [Windows Monitor] winmon.exe
    O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
    O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\STA Kit ADSL\CnxDslTb.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvisp32.exe
    O4 - HKLM\..\RunServices: [Windows Monitor] winmon.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKCU\..\Run: [ixplore] "C:\Program Files\Internet Explorer\ixplore.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Windows Monitor] winmon.exe
    O4 - HKCU\..\RunServices: [Windows Monitor] winmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm119YYAD
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
    O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
    O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
    O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: v3cab - http://searchmiracle.com/cab/1.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.8.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102964029897
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D7348705-706E-4F5E-AB0D-452099D050EF}: NameServer = 194.158.64.9 194.158.64.10
     
  9. OxfordBarney

    OxfordBarney Thread Starter

    Joined:
    Dec 14, 2004
    Messages:
    156
    Dear Cookiegal,
    Although I have executed the programs as you requested, upon looking back I am concerned that I may have re-started my computer when I shouldn't have. We have a guest here who needs to borrow the modem to access their own emails, and this has made things awkward. I very greatly appreciate your help. Would it be possible to be online at TechSupportGuy Forums together at the same time sometime today so that I may more diligently follow your instructions in a more continuous manner? Also, we are going to drive to Spain with our guest for 10 days, leaving tomorrow, and although I am taking my laptop with me, I will not have continuous access to the internet during that time. I am online now, and will continue to monitor whether you are online or not through the day. I simply feel that your time is valuable, and I don't want to make mistakes which will cost you unnecessary time.
    Kind regards,
    OxfordBarney
     
  10. OxfordBarney

    OxfordBarney Thread Starter

    Joined:
    Dec 14, 2004
    Messages:
    156
    Here's my VX2Finder log, output.txt file, and hijackthis log. Please help - I'm away from tomorrow until 30 December. Files below:

    Log for VX2.BetterInternet File Finder

    Files Found---


    Guardian Key--- is called:

    User Agent String---
    {C3DE1BF8-A8D2-4E6A-8AC1-4E745DFDE1DF}


    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    ------- System Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is 0000-6753

    Directory of C:\WINDOWS\System32

    17/12/2004 13:34 225,522 camaddin.dll
    17/12/2004 13:34 222,955 p4r4le9q1h.dll
    17/12/2004 11:38 225,522 fp4s03h7e.dll
    17/12/2004 11:31 225,201 oybcjt32.dll
    17/12/2004 10:51 224,779 mpir3jp.dll
    17/12/2004 08:03 223,085 h40qled51h0.dll
    14/12/2004 23:40 <DIR> dllcache
    14/12/2004 22:10 14,336 Thumbs.db
    28/06/2003 18:52 <DIR> Microsoft
    29/08/2002 21:00 78,848 mssupdate.exe
    8 File(s) 1,440,248 bytes
    2 Dir(s) 16,010,653,696 bytes free

    ------- Hidden Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is 0000-6753

    Directory of C:\WINDOWS\System32

    14/12/2004 23:40 <DIR> dllcache
    14/12/2004 22:10 14,336 Thumbs.db
    14/12/2004 21:17 488 WindowsLogon.manifest
    14/12/2004 21:17 488 logonui.exe.manifest
    14/12/2004 21:16 749 cdplayer.exe.manifest
    14/12/2004 21:16 749 nwc.cpl.manifest
    14/12/2004 21:16 749 sapi.cpl.manifest
    14/12/2004 21:16 749 wuaucpl.cpl.manifest
    14/12/2004 21:16 749 ncpa.cpl.manifest
    29/08/2002 21:00 78,848 mssupdate.exe
    9 File(s) 97,905 bytes
    1 Dir(s) 16,010,649,600 bytes free

    ---------- Files Named "Guard" -------------

    Volume in drive C has no label.
    Volume Serial Number is 0000-6753

    Directory of C:\WINDOWS\System32


    --------- Temp Files in System32 Directory --------

    Volume in drive C has no label.
    Volume Serial Number is 0000-6753

    Directory of C:\WINDOWS\System32

    29/08/2002 03:00 2,577 CONFIG.TMP
    1 File(s) 2,577 bytes
    0 Dir(s) 16,010,645,504 bytes free

    ---------------- User Agent ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{C3DE1BF8-A8D2-4E6A-8AC1-4E745DFDE1DF}"=""


    ------------ Keys Under Notify ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\fp4s03h7e.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    ---------------- Xfind Results -----------------

    C:\WINDOWS\System32\CAMADDIN.DLL +++ File read error

    -------------- Locate.com Results ---------------


    C:\WINDOWS\SYSTEM32\
    camaddin.dll Fri 17 Dec 2004 13:34:58 ..S.R 225,522 220.23 K
    cdplay~1.ma~ Tue 14 Dec 2004 21:16:50 A..HR 749 0.73 K
    fp4s03~1.dll Fri 17 Dec 2004 11:38:20 ..S.R 225,522 220.23 K
    h40qle~1.dll Fri 17 Dec 2004 8:03:32 ..S.R 223,085 217.86 K
    logonu~1.man Tue 14 Dec 2004 21:17:02 A..HR 488 0.48 K
    mpir3jp.dll Fri 17 Dec 2004 10:51:48 ..S.R 224,779 219.51 K
    ncpacp~1.man Tue 14 Dec 2004 21:16:50 A..HR 749 0.73 K
    nwccpl~1.ma~ Tue 14 Dec 2004 21:16:50 A..HR 749 0.73 K
    oybcjt32.dll Fri 17 Dec 2004 11:31:50 ..S.R 225,201 219.92 K
    p4r4le~1.dll Fri 17 Dec 2004 13:34:58 ..S.R 222,955 217.73 K
    sapicp~1.man Tue 14 Dec 2004 21:16:50 A..HR 749 0.73 K
    thumbs.db Tue 14 Dec 2004 22:10:50 A.SH. 14,336 14.00 K
    window~1.ma~ Tue 14 Dec 2004 21:17:02 A..HR 488 0.48 K
    wuaucp~1.man Tue 14 Dec 2004 21:16:50 A..HR 749 0.73 K

    14 items found: 14 files, 0 directories.
    Total of file sizes: 1,366,121 bytes 1.30 M
    
    Logfile of HijackThis v1.98.2
    Scan saved at 18:43:36, on 17/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
    C:\Program Files\STA Kit ADSL\CnxDslTb.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\HJK\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
    R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [dwoxpgbvlupgb] C:\WINDOWS\system32\afdznlz.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
    O4 - HKLM\..\Run: [Windows Monitor] winmon.exe
    O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
    O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\STA Kit ADSL\CnxDslTb.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvisp32.exe
    O4 - HKLM\..\RunServices: [Windows Monitor] winmon.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKCU\..\Run: [ixplore] "C:\Program Files\Internet Explorer\ixplore.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Windows Monitor] winmon.exe
    O4 - HKCU\..\RunServices: [Windows Monitor] winmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm119YYAD
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
    O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
    O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
    O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102964029897
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D7348705-706E-4F5E-AB0D-452099D050EF}: NameServer = 194.158.64.9 194.158.64.10
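As an added example (not part of the original thread, nor code from VX2Finder or HijackThis): a small Python check that parses the REGEDIT4 "Keys Under Notify" section that VX2Finder dumps above, decodes both quoted and hex(2) DllName values, and flags any Winlogon Notify subkey whose DLL is outside a baseline allowlist. The allowlist is an assumption built from the stock Windows entries visible in this log, not an authoritative list.

```python
"""Flag Winlogon\\Notify handlers that load a DLL outside a baseline.

Added example, not part of the original thread. Parses the REGEDIT4 section
that VX2Finder prints under "Keys Under Notify" and decodes DllName values
written either as quoted strings or as hex(2) byte lists (REG_EXPAND_SZ).
"""
import re

# Assumed baseline: the DLLs the stock Windows XP Notify subkeys in the log use.
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                 "wlnotify.dll", "sclgntfy.dll"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')
NOTIFY_MARKER = "\\Winlogon\\Notify\\"


def decode_reg_value(data: str) -> str:
    """Decode one .reg value: quoted string, hex(2) byte list, or dword."""
    if data.startswith('"') and data.endswith('"'):
        # .reg files escape backslashes as "\\"
        return data[1:-1].replace("\\\\", "\\")
    if data.startswith("hex(2):"):
        # REGEDIT4 (ANSI) dumps store REG_EXPAND_SZ as single-byte chars,
        # NUL-terminated; single-line values only (no "\" continuations here).
        raw = bytes(int(b, 16) for b in data[len("hex(2):"):].split(",") if b)
        return raw.decode("latin-1").rstrip("\x00")
    if data.startswith("dword:"):
        return str(int(data[len("dword:"):], 16))
    return data


def parse_notify_keys(text: str) -> dict:
    """Return {subkey: {value_name_lower: decoded_value}} for Notify subkeys."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            path = m.group("key")
            idx = path.find(NOTIFY_MARKER)
            # the parent Notify key itself (no trailing subkey) is skipped
            current = path[idx + len(NOTIFY_MARKER):] if idx >= 0 else None
            if current:
                keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current:
            # value names are case-insensitive in the registry (DllName/DLLName)
            keys[current][m.group("name").lower()] = decode_reg_value(m.group("data"))
    return keys


def suspicious_notify_handlers(text: str) -> list:
    """List (subkey, dll_path) pairs whose DllName is not in the baseline."""
    findings = []
    for subkey, values in parse_notify_keys(text).items():
        dll = values.get("dllname", "")
        base = dll.replace("/", "\\").split("\\")[-1].lower()
        if base and base not in BASELINE_DLLS:
            findings.append((subkey, dll))
    return findings


# Sample input copied from the VX2Finder log above, trimmed to three subkeys.
SAMPLE_NOTIFY = r'''
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\fp4s03h7e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
'''

if __name__ == "__main__":
    for subkey, dll in suspicious_notify_handlers(SAMPLE_NOTIFY):
        print(f"Notify\\{subkey} loads a non-baseline DLL: {dll}")
```

On the sample above only the Applets subkey is reported, because its DllName points at fp4s03h7e.dll in system32 rather than a Windows notification DLL.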
     
  11. OxfordBarney

    OxfordBarney Thread Starter

    Joined:
    Dec 14, 2004
    Messages:
    156
    Also, my hosts file keeps being updated, and my changes overwritten, within seconds of my making them. I believe it may be a new variant of VX2 - AdAware SE can't get rid of it - SpyBot S&D the same - no success.
    This is a doozy.
    OxfordBarney
     
  12. jvic

    jvic

    Joined:
    Apr 17, 2004
    Messages:
    359
    First Name:
    John
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I got your PM.

    I know you have already posted the info, but I need to make sure nothing has changed, plus I want you to run DLL Compare. The only thing you need to download is dllcompare. Please do the following:

    I need a fresh log from Findit.bat.

    Also Click here to download DLLCompare.exe.

    Save it to your desktop.

    Now run DllCompare and click on the RunLocate.com button. It will scan for the hidden files. When it is finished, you will see in blue "Completed the scan, Click Compare to Continue", at which time you will click the Compare button.

    It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.
    In a few minutes it will complete, then you will see in blue "Completed".
    Click the Make a Log of what was Found button. It will ask if you want to view the logfile. Click Yes then copy and paste that log in your next reply.

    After you have posted all that info here, it is very important that you do not restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry we need to remove will change as well as some of the file names will change and we will have to start all over.
     
  14. OxfordBarney

    OxfordBarney Thread Starter

    Joined:
    Dec 14, 2004
    Messages:
    156
    Dear flrman1,

    Many thanks for coming back. Much will have changed from my last logs as I have been working vigorously to kill these critters through the night. I have succeeded against all of them but the very stubborn DSO Exploit with the five registry settings which shows up on the SpyBot S&D scan. I have done the dllcompare and killboxed the five or six dll files that showed. Nothing shows on AdAware any more (except the odd tracking cookie). I got rid of the BargainBuddy ISEXEng (I think) by disabling the service and deleting the items within the registry key ISEXEng (although I couldn't seem to give myself permissions to delete the key). Perhaps the DSO Exploit coming back is proving me wrong that I killed BargainBuddy - I'm not sure.

    I hope you are there as it is 1:15 am here, and we are going to Spain tomorrow for eleven days. If not, I will respond to your post when I return in eleven days, so please don't mind the long delay. But I hope to hear from you shortly.

    Here is the new dllcompare log and the updated output.txt file:

    * DLLCompare Log version(1.0.0.127)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    O^E says: "There were no files found :)"
    ________________________________________________

    1,386 items found: 1,386 files, 0 directories.
    Total of file sizes: 271,597,243 bytes 259.01 M

    Administrator Account = True

    --------------------End log---------------------


    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    ------- System Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is 0000-6753

    Directory of C:\WINDOWS\System32

    17/12/2004 23:10 14,336 Thumbs.db
    14/12/2004 23:40 <DIR> dllcache
    28/06/2003 18:52 <DIR> Microsoft
    29/08/2002 21:00 78,848 mssupdate.exe
    2 File(s) 93,184 bytes
    2 Dir(s) 16,248,053,760 bytes free

    ------- Hidden Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is 0000-6753

    Directory of C:\WINDOWS\System32

    17/12/2004 23:10 14,336 Thumbs.db
    14/12/2004 23:40 <DIR> dllcache
    14/12/2004 21:17 488 WindowsLogon.manifest
    14/12/2004 21:17 488 logonui.exe.manifest
    14/12/2004 21:16 749 cdplayer.exe.manifest
    14/12/2004 21:16 749 nwc.cpl.manifest
    14/12/2004 21:16 749 sapi.cpl.manifest
    14/12/2004 21:16 749 wuaucpl.cpl.manifest
    14/12/2004 21:16 749 ncpa.cpl.manifest
    29/08/2002 21:00 78,848 mssupdate.exe
    9 File(s) 97,905 bytes
    1 Dir(s) 16,248,053,760 bytes free

    ---------- Files Named "Guard" -------------

    Volume in drive C has no label.
    Volume Serial Number is 0000-6753

    Directory of C:\WINDOWS\System32


    --------- Temp Files in System32 Directory --------

    Volume in drive C has no label.
    Volume Serial Number is 0000-6753

    Directory of C:\WINDOWS\System32

    29/08/2002 03:00 2,577 CONFIG.TMP
    1 File(s) 2,577 bytes
    0 Dir(s) 16,248,049,664 bytes free

    ---------------- User Agent ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


    ------------ Keys Under Notify ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    ---------------- Xfind Results -----------------


    -------------- Locate.com Results ---------------


    C:\WINDOWS\SYSTEM32\
    cdplay~1.ma~ Tue 14 Dec 2004 21:16:50 A..HR 749 0.73 K
    logonu~1.man Tue 14 Dec 2004 21:17:02 A..HR 488 0.48 K
    ncpacp~1.man Tue 14 Dec 2004 21:16:50 A..HR 749 0.73 K
    nwccpl~1.ma~ Tue 14 Dec 2004 21:16:50 A..HR 749 0.73 K
    sapicp~1.man Tue 14 Dec 2004 21:16:50 A..HR 749 0.73 K
    thumbs.db Fri 17 Dec 2004 23:10:48 A.SH. 14,336 14.00 K
    window~1.ma~ Tue 14 Dec 2004 21:17:02 A..HR 488 0.48 K
    wuaucp~1.man Tue 14 Dec 2004 21:16:50 A..HR 749 0.73 K

    8 items found: 8 files, 0 directories.
    Total of file sizes: 19,057 bytes 18.61 K
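As an added example (not part of this thread or of any tool mentioned in it), the following Python reads a REGEDIT4-style export like the Find.bat output above, decodes the `hex(2)` DllName values, and lists which Winlogon\Notify packages point at a DLL outside an assumed baseline of stock Windows XP notification DLLs. The sample export, the `demo` package and the baseline set are constructed assumptions.

```python
import re

# Constructed REGEDIT4-style excerpt modelled on the output above; "demo" and its DLL are made up.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\demo]
"DllName"=hex(2):78,79,7a,73,61,6d,70,6c,65,2e,64,6c,6c,00
'''
NOTIFY_PREFIX = 'hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\'
# Assumed baseline: DLLs behind the stock Windows XP Notify packages (adjust for your build).
KNOWN_NOTIFY_DLLS = {'wlnotify.dll', 'sclgntfy.dll', 'crypt32.dll', 'cryptnet.dll', 'cscdll.dll'}

def decode_reg_value(raw):
    """Decode a quoted string or a hex(2)/hex byte list; other value types are returned as-is."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\\\', '\\')
    m = re.match(r'hex(?:\(\d+\))?:(.*)', raw)
    if not m:
        return raw
    data = bytes(int(h, 16) for h in m.group(1).split(',') if h.strip())
    # Regedit5 writes UTF-16LE; REGEDIT4 exports like the one above are single-byte ANSI.
    if data and len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        return data.decode('utf-16-le').rstrip('\x00')
    return data.decode('latin-1').rstrip('\x00')

def parse_notify(reg_text):
    """Map each Winlogon\\Notify subkey to the lower-cased DLL it loads at logon."""
    entries, current = {}, None
    # Regedit wraps long hex values with a trailing backslash; rejoin those lines first.
    for raw in re.sub(r'\\\r?\n\s*', '', reg_text).splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            current = key[len(NOTIFY_PREFIX):] if key.lower().startswith(NOTIFY_PREFIX) else None
        elif current and '=' in line:
            name, _, value = line.partition('=')
            if name.strip('"').lower() == 'dllname':
                entries[current] = decode_reg_value(value).lower()
    return entries

def unexpected_packages(entries, known=KNOWN_NOTIFY_DLLS):
    """Packages whose DLL is outside the baseline: candidates for review, not automatic deletion."""
    return sorted((k, v) for k, v in entries.items() if v.rsplit('\\', 1)[-1] not in known)
```

Running `unexpected_packages(parse_notify(SAMPLE_REG))` on the constructed sample flags only the `demo` package; on a real export, compare any flagged DLL against the file listing before acting on it.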
    
     
  15. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,867
    When you reboot, a new set of files is created; that's why it's important not to.

    I am attaching a fix2.zip file to this post. Download fix2.zip to your desktop and unzip it.

    IMPORTANT!: Before you continue, close ALL running programs. Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access.

    Double click on the fix2.reg file to enter into the registry. Answer yes when asked to have its contents added to the registry.

    Run Pocket Killbox and click on Tools > Delete Temp Files and let it do its thing.

    Next in the "Paste Full Path of File to Delete" box, copy and paste each of the following lines one at a time. Put a tick by Standard File Kill and put a check by End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter each file. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\SYSTEM32\camaddin.dll
    C:\WINDOWS\SYSTEM32\fp4s03~1.dll
    C:\WINDOWS\SYSTEM32\h40qle~1.dll
    C:\WINDOWS\SYSTEM32\mpir3jp.dll
    C:\WINDOWS\SYSTEM32\oybcjt32.dll
    C:\WINDOWS\SYSTEM32\p4r4le~1.dll


    Note: If KillBox tells you the file cannot be deleted, then put a tick by Delete on Reboot for that particular file and then click the button with the red circle and an X in the middle. It will ask for confirmation and if you want to reboot now. Click No then OK on the next prompt. It is also possible that it will tell you that one or more do not exist. Continue on as instructed if that happens.

    Run the Hoster and click "Restore Original Hosts" and press "OK" then Exit the Hoster.

    Next run VX2Finder and click the "Restore Policy" button.

    Now restart your computer.

    Finally, run Find.bat again. Let it run as you did before and it will produce another output.txt file. When it is finished, hit any key to close find.bat. When you close find.bat it will ask you if you want to save the changes to output.txt. Click Yes and post the contents of the new output.txt file here along with a new Hijack This log.

    Again I remind you, it is very important that you do not restart your computer again until we have proceeded to the directions for removal. If you restart your computer, the registry entry we need to remove will change, as will some of the file names, and we will have to start all over.
    ___________
     
Short URL to this thread: https://techguy.org/308805
