need help with removing home search assistant
hockey05
17 Dec 2004, 11:24pm
ok I've gotten rid of this before and the damn thing just came back
I've been trying to get rid of it but I don't know which entries to delete in hijackthis
new log below
please help me
thank you
SpywareShooter
17 Dec 2004, 11:56pm
Please upgrade to HijackThis version 1.99.0 and post a new log.
hockey05
18 Dec 2004, 12:06am
sorry I didn't know there was a new one
Logfile of HijackThis v1.99.0
Scan saved at 4:53:19 PM, on 12/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Windows TaskAd\WinTaskAd.exe
C:\Program Files\SED\SED.exe
C:\WINDOWS\apizw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows TaskAd\WinSched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\msmb.exe
C:\WINDOWS\System32\MgzxCD.exe
C:\WINDOWS\System32\Ere6A.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\3dsmax7\3dsmax.exe
C:\DOCUME~1\Nick\LOCALS~1\Temp\AdskCleanup.0001
C:\DOCUME~1\Nick\LOCALS~1\Temp\AdskCleanup.0001
C:\Program Files\AIM\aim.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Nick\LOCALS~1\Temp\Rar$EX00.453\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {C68539AC-6CD1-A082-BEB2-8A3A1C72F103} - C:\WINDOWS\system32\mskb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [4ZPCLRM5WSBQX6] C:\WINDOWS\System32\Jvy1Wb1a.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [apizw32.exe] C:\WINDOWS\apizw32.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvghj32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://www.accessoveloce.com/nd/nd01329.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/Bridge-c139.cab
O16 - DPF: {49DEC3C0-C71A-11D4-BA38-000102621B9B} - http://www.cursorskins.com/lib/cursorskins1/MouseMagicCS.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
O23 - Service: Autodesk Licensing Service - Unknown - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\msmb.exe
SpywareShooter
18 Dec 2004, 1:36am
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {C68539AC-6CD1-A082-BEB2-8A3A1C72F103} - C:\WINDOWS\system32\mskb.dll
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [apizw32.exe] C:\WINDOWS\apizw32.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvghj32.exe
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://www.accessoveloce.com/nd/nd01329.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C...Bridge-c139.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\msmb.exe
Fix those entries then find and delete the files listed above, reboot and post a new log.
hockey05
18 Dec 2004, 5:24am
ok thanks for your help so far
Logfile of HijackThis v1.99.0
Scan saved at 10:11:16 PM, on 12/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\msmb.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Windows TaskAd\WinTaskAd.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\apizw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows TaskAd\WinSched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\MgzxCD.exe
C:\WINDOWS\System32\Mml180.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Nick\LOCALS~1\Temp\Rar$EX00.953\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {714795AE-B851-C38C-644A-A0910EFC29CE} - C:\WINDOWS\system32\apirf32.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [4ZPCLRM5WSBQX6] C:\WINDOWS\System32\HotEkc.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvghj32.exe
O4 - HKLM\..\Run: [apizw32.exe] C:\WINDOWS\apizw32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {49DEC3C0-C71A-11D4-BA38-000102621B9B} - http://www.cursorskins.com/lib/cursorskins1/MouseMagicCS.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
O23 - Service: Autodesk Licensing Service - Unknown - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\msmb.exe
SpywareShooter
18 Dec 2004, 3:58pm
O2 - BHO: (no name) - {714795AE-B851-C38C-644A-A0910EFC29CE} - C:\WINDOWS\system32\apirf32.dll
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvghj32.exe
O4 - HKLM\..\Run: [apizw32.exe] C:\WINDOWS\apizw32.exe
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\msmb.exe
Fix those entries then find and delete the following files:
C:\WINDOWS\system32\apirf32.dll
C:\windows\system32\kalvghj32.exe
C:\WINDOWS\apizw32.exe
C:\WINDOWS\system32\msmb.exe
Then pull the plug and post a new log.
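The two replies above (the entry list ending "Fix those entries then find and delete the files listed above" and the shorter list ending "find and delete the following files") apply the same judgement by eye: search settings pointing at a res:// DLL, an extra program chained into UserInit, an unnamed BHO, a Run entry dropped straight into C:\WINDOWS, a hosts-file redirect, a Trusted-zone IP, and services with no vendor and a missing or Windows-directory binary. As an added example, not code from this thread or from HijackThis, here is a small Python triage that turns those rules into code and, like the helper, also lists the on-disk files the flagged entries depend on. The rule set and the function names (triage, triage_line, files_to_locate, first_path) are my own; the sample log is constructed from lines posted in this thread plus a few benign entries for contrast. The rules are deliberately a little broader than the helper's picks (for instance any unknown-vendor service under the Windows directory is flagged), so a hit is a lead to verify, not a verdict.

```python
"""Rule-based triage for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: entries copied from the logs posted in this thread, plus a few
# benign ones (Dell home page, Java updater, Macromedia service) for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {C68539AC-6CD1-A082-BEB2-8A3A1C72F103} - C:\WINDOWS\system32\mskb.dll
O4 - HKLM\..\Run: [apizw32.exe] C:\WINDOWS\apizw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O15 - Trusted IP range: 206.161.125.149
O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\msmb.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
"""

WINDOWS_ROOT = re.compile(r"[a-z]:\\windows\\[^\\]+$", re.I)   # file directly in C:\WINDOWS
UNDER_WINDOWS = re.compile(r"[a-z]:\\windows\\", re.I)          # anywhere below C:\WINDOWS

RE_R = re.compile(r"^R[01] - (?P<key>[^=]+?) = (?P<value>.*)$")
RE_F2 = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
RE_O1 = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RE_O15 = re.compile(r"^O15 - Trusted IP range: (?P<ip>\S+)")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str                                   # HijackThis section code, e.g. "R1", "O23"
    reason: str                                    # why the rule fired
    line: str                                      # the original log line
    files: List[str] = field(default_factory=list)  # on-disk files the entry depends on


def first_path(cmd: str) -> str:
    """Return the program path from an O4 command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|dll|com))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage_line(line: str) -> Optional[Finding]:
    """Apply the rules to one log line; None means nothing suspicious by these rules."""
    section = line.split(" - ", 1)[0]
    m = RE_R.match(line)
    if m:
        dll = re.match(r"res://(.+?\.dll)/", m.group("value"), re.I)
        if dll:  # search/start page served out of a DLL on disk: the classic hijacker pattern
            return Finding(section, "IE search setting redirected into a local DLL resource", line, [dll.group(1)])
        return None
    m = RE_F2.match(line)
    if m:
        parts = [p.strip() for p in m.group("value").split(",") if p.strip()]
        extras = [p for p in parts if not p.lower().endswith("\\userinit.exe")]
        if extras:  # anything chained after userinit.exe runs at every logon
            return Finding(section, "extra program chained into UserInit", line, extras)
        return None
    m = RE_O1.match(line)
    if m and m.group("ip") not in ("127.0.0.1", "::1"):
        return Finding(section, f"hosts file redirects {m.group('host')} to {m.group('ip')}", line)
    m = RE_O2.match(line)
    if m and m.group("name") == "(no name)":
        return Finding(section, "unnamed browser helper object", line, [m.group("path")])
    m = RE_O4.match(line)
    if m:
        exe = first_path(m.group("cmd"))
        if WINDOWS_ROOT.match(exe):  # legitimate Run entries almost never live in the Windows root
            return Finding(section, "autorun program dropped directly in the Windows directory", line, [exe])
        return None
    m = RE_O15.match(line)
    if m:
        return Finding(section, f"IP {m.group('ip')} added to the Trusted zone", line)
    m = RE_O23.match(line)
    if m and m.group("vendor") == "Unknown":
        path = m.group("path")
        if path.endswith("(file missing)"):
            return Finding(section, "service with unknown vendor and missing binary", line)
        if UNDER_WINDOWS.match(path):
            return Finding(section, "service with unknown vendor running from the Windows directory", line, [path])
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every non-empty line of a log through the rules and keep the hits, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            hit = triage_line(line)
            if hit:
                findings.append(hit)
    return findings


def files_to_locate(findings: List[Finding]) -> List[str]:
    """Files the flagged entries depend on: what to look for once the entries are fixed."""
    return sorted({p for f in findings for p in f.files}, key=str.lower)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:4} {f.reason}\n     {f.line}")
    print("files referenced:", *files_to_locate(found), sep="\n  ")
```

Run as a script it prints the eight flagged sample entries and the five files they reference; the Dell home page, the Java updater and the Macromedia service pass untouched. Because the rules key on structure (where a binary lives, whether a vendor is known, whether a setting points into a DLL) rather than on the random file names the hijacker regenerates on every reboot, the same triage still fires when etgqv.dll is renamed to xroga.dll in the later log.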
hockey05
18 Dec 2004, 4:47pm
new log:
Logfile of HijackThis v1.99.0
Scan saved at 9:34:10 AM, on 12/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Windows TaskAd\WinTaskAd.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows TaskAd\WinSched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\Mxgo.exe
C:\WINDOWS\System32\Ere6A.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Nick\LOCALS~1\Temp\Rar$EX00.968\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [4ZPCLRM5WSBQX6] C:\WINDOWS\System32\Bsbj0i6.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvghj32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {49DEC3C0-C71A-11D4-BA38-000102621B9B} - http://www.cursorskins.com/lib/cursorskins1/MouseMagicCS.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
O23 - Service: Autodesk Licensing Service - Unknown - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
SpywareShooter
19 Dec 2004, 2:48am
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
Fix those entries then find and delete xroga.dll, pull the plug and post a new log.
hockey05
19 Dec 2004, 3:14am
Logfile of HijackThis v1.99.0
Scan saved at 7:59:40 PM, on 12/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Windows TaskAd\WinTaskAd.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows TaskAd\WinSched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\Dsu6.exe
C:\WINDOWS\System32\MgzxCD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Nick\LOCALS~1\Temp\Rar$EX00.407\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [4ZPCLRM5WSBQX6] C:\WINDOWS\System32\Bsbj0i6.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvghj32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {49DEC3C0-C71A-11D4-BA38-000102621B9B} - http://www.cursorskins.com/lib/cursorskins1/MouseMagicCS.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
O23 - Service: Autodesk Licensing Service - Unknown - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Buckeye_Sam
19 Dec 2004, 3:25am
You've still got several issues here. Let's take them one at a time.
Download Newuninst.exe
http://downloads.subratam.org/Newuninst.exe
Double click on 'Newuninst.exe' and press *Uninstall*. Let it run and when the progress bar says *complete* you can then press *close*. You must be online to have this work and do not block any attempts for the program to connect to internet if your firewall requests access. It will just run and then close.
Reboot and post a new hijackthis log.
hockey05
19 Dec 2004, 4:56pm
OK, I downloaded that program and ran it, then rebooted.
new log:
Logfile of HijackThis v1.99.0
Scan saved at 9:42:43 AM, on 12/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Windows TaskAd\WinTaskAd.exe
C:\Program Files\Windows TaskAd\WinSched.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINDOWS\System32\exdl1.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Nick\LOCALS~1\Temp\Rar$EX00.234\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvghj32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {49DEC3C0-C71A-11D4-BA38-000102621B9B} - http://www.cursorskins.com/lib/cursorskins1/MouseMagicCS.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
O23 - Service: Autodesk Licensing Service - Unknown - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Buckeye_Sam
19 Dec 2004, 5:03pm
Good job! The Peper trojan is gone.
Next step...
Download LSPFix from http://www.cexx.org/LSPFix.exe and run it.
Check the I know what I'm doing box.
In the Keep box you should see one or more instances of the following file.
xfire_lsp_10650.dll
Select every instance of this file, but no others, and move each one to the Remove box by clicking the >> button.
When you are done, click Finish>>.
Please post a new hijackthis log.
hockey05
19 Dec 2004, 6:28pm
xfire_lsp_10650.dll: that file is in the Remove box.
mswsock.dll, winrnr.dll, rsvpsp.dll are all that's in the "Keep" box,
so I'm sorta confused.
Buckeye_Sam
19 Dec 2004, 6:49pm
That's perfect. Just click Finish.
hockey05
19 Dec 2004, 8:29pm
I didn't reboot.
Logfile of HijackThis v1.99.0
Scan saved at 1:16:21 PM, on 12/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Windows TaskAd\WinTaskAd.exe
C:\Program Files\Windows TaskAd\WinSched.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINDOWS\rpfvvj.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\jaxktmm.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Nick\LOCALS~1\Temp\Rar$EX00.641\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: (no name) - {8821A22F-27B6-4389-AD61-5E8ADB84844B} - C:\WINDOWS\System32\ccpd.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRA~1\ISTbar\istbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvghj32.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [C:\WINDOWS\rpfvvj.exe] C:\WINDOWS\rpfvvj.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [i5MGtZ] C:\WINDOWS\jaxktmm.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {49DEC3C0-C71A-11D4-BA38-000102621B9B} - http://www.cursorskins.com/lib/cursorskins1/MouseMagicCS.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
O18 - Filter: text/html - {58FF3115-41D6-4283-865F-FEBA7A8CDED5} - C:\WINDOWS\System32\ccpd.dll
O18 - Filter: text/plain - {58FF3115-41D6-4283-865F-FEBA7A8CDED5} - C:\WINDOWS\System32\ccpd.dll
O23 - Service: Autodesk Licensing Service - Unknown - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
hockey05
19 Dec 2004, 8:30pm
Oh yeah, I'm getting pop-ups like crazy.
Buckeye_Sam
20 Dec 2004, 3:32am
Download Ad-aware SE from: http://www.majorgeeks.com/download506.html
Install the program and launch it.
First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.
Boot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. To get back to normal mode just restart the computer as you normally would.
Show hidden files
http://www.short-media.com/forum/showpost.php?p=172588&postcount=3
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O2 - BHO: (no name) - {8821A22F-27B6-4389-AD61-5E8ADB84844B} - C:\WINDOWS\System32\ccpd.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRA~1\ISTbar\istbar.dll
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvghj32.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [C:\WINDOWS\rpfvvj.exe] C:\WINDOWS\rpfvvj.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [i5MGtZ] C:\WINDOWS\jaxktmm.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...006_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
Please delete these files using Windows Explorer (if present):
C:\WINDOWS\zeta.exe
C:\WINDOWS\jaxktmm.exe
C:\windows\system32\kalvghj32.exe
C:\WINDOWS\rpfvvj.exe
Please delete these folders using Windows Explorer (if present):
C:\Program Files\SurfSideKick 2
C:\Program Files\Web_Rebates
C:\Program Files\ISTsvc
C:\Program Files\Power Scan
C:\Program Files\Internet Optimizer
C:\Program Files\BullsEye Network
C:\Program Files\NaviSearch
C:\Program Files\CashBack
Please find this folder and delete everything in it, but not the folder itself.
C:\Windows\Prefetch
Next, we need to configure Ad-aware for a full scan.
Click on the Gear icon (second from the left) to access the preferences/settings window.
1. In the General window make sure the following are selected:
* Automatically save log-file
* Automatically quarantine objects prior to removal
* Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select:
* Scan Within Archives
* Scan Active Processes
* Scan Registry
* Deep Scan Registry
* Scan my IE favorites for banned URL’s
* Scan my Hosts file
* Under Click here to select drives + folders, choose:
* All of your hard drives
Click on the Advanced button on the left and select:
* Include additional process information
* Include additional file information
* Include environment information
Click the Tweak button and select:
* Under the Scanning Engine:
o Unload recognized processes & modules during scan
o Include additional Ad-aware settings in logfile
* Under the Cleaning Engine:
o Let Windows remove files in use at next reboot
Click on Proceed to save the settings.
Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
* Use Custom Scanning Options
Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.
Save the log file when it asks and then click Finish.
When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).
Reboot your computer.
Now please download and install Spyware Blaster (link below) and post a new hijackthis log.
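Working through that fix list is the helper reading the log by hand. The following is an added example, not from this thread or from HijackThis: a Python script that parses HJT 1.99 entries and flags the same kinds of lines (search settings pointing at a local sp.html, hosts entries redirecting search engines, an orphaned URLSearchHook, Run keys and services launched from the Windows directory, the broken LSP, the text/html MIME filter). The heuristics and the sample log are the example's own; the sample lines are shaped after the 12/19 log above, with two benign entries kept for contrast.

```python
"""Triage a HijackThis 1.99 log: parse_entry() splits each 'Rn - body' / 'Onn - body'
line into section code and body; triage() runs one check per section and returns the
entries matching patterns the helper flagged. The checks are this example's heuristics."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the shape of the 12/19 1:16 PM log posted in this thread,
# with two benign entries (hkcmd.exe, Macromedia) kept for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [i5MGtZ] C:\WINDOWS\jaxktmm.exe
O4 - HKLM\..\Run: [C:\WINDOWS\rpfvvj.exe] C:\WINDOWS\rpfvvj.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
O18 - Filter: text/html - {58FF3115-41D6-4283-865F-FEBA7A8CDED5} - C:\WINDOWS\System32\ccpd.dll
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
LOCAL_URL_RE = re.compile(r"^(file|res)://", re.IGNORECASE)
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)  # exe directly in %WINDIR%
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entry(line: str) -> tuple[str, str] | None:
    """Return (section, body) for an HJT entry, None for header/process/blank lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_r(body: str) -> str | None:
    """R0/R1: IE start and search settings; the part after '=' is the target."""
    value = body.partition("=")[2].strip()
    if value == "":
        return "search setting blanked out"
    if LOCAL_URL_RE.match(value):
        return "search setting points at a local file instead of a web page"
    return None


def check_r3(body: str) -> str | None:
    return "URLSearchHook whose DLL is gone" if body.endswith("(no file)") else None


def check_o1(body: str) -> str | None:
    """O1: a hosts entry that sends a hostname anywhere but loopback."""
    parts = body.split()
    if len(parts) >= 3 and parts[0] == "Hosts:" and parts[1] not in LOOPBACK:
        return f"hosts file resolves {parts[2]} to {parts[1]}"
    return None


def check_o4(body: str) -> str | None:
    """O4: Run key named after its own path, or launching an exe dropped in %WINDIR%."""
    m = re.match(r".*?\[(.*?)\]\s*(.*)$", body)
    if not m:
        return None
    name, cmd = m.group(1), m.group(2).strip().strip('"')
    if name.lower() == cmd.lower():
        return "Run key is named after its own path (no product name)"
    if WINDIR_ROOT_RE.match(cmd):
        return "Run key launches an exe dropped directly in the Windows directory"
    return None


def check_o10(body: str) -> str | None:  # a missing LSP DLL breaks Winsock; needs LSPFix
    return "Winsock LSP chain references a missing DLL" if "Broken Internet access" in body else None


def check_o18(body: str) -> str | None:
    """O18: a MIME filter on text/html sees (and can rewrite) every page loaded."""
    parts = [p.strip() for p in body.split(" - ")]
    if len(parts) >= 3 and parts[0].startswith("Filter: text/"):
        return f"MIME filter on {parts[0][8:]} handled by {parts[-1]}"
    return None


def check_o23(body: str) -> str | None:
    """O23: a service with no publisher whose binary sits directly in %WINDIR%."""
    parts = [p.strip() for p in body.split(" - ")]
    if len(parts) >= 3 and parts[1] == "Unknown" and WINDIR_ROOT_RE.match(parts[-1]):
        return "service with no publisher running from the Windows directory"
    return None


CHECKS = {"R0": check_r, "R1": check_r, "R3": check_r3, "O1": check_o1, "O4": check_o4,
          "O10": check_o10, "O18": check_o18, "O23": check_o23}


def triage(log_text: str) -> list[Finding]:
    """Run the per-section check over a whole log; non-entry lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue  # header, running-process list, blank lines
        section, body = parsed
        check = CHECKS.get(section)
        reason = check(body) if check else None
        if reason:
            findings.append(Finding(section, reason, line.strip()))
    return findings
```

Sections the script has no check for (O8, O9, O16 and so on) pass through unflagged, so a clean run is not a clean log; it only narrows what a human still has to read.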
hockey05
20 Dec 2004, 4:11am
Quick question: what do you want me to do in safe mode? Just make it so I can see hidden files?
Buckeye_Sam
20 Dec 2004, 11:11pm
Do everything in safe mode up until the Ad-aware scan finishes and you reboot back into normal mode.
hockey05
21 Dec 2004, 1:22am
Thanks for your help so far.
A few questions:
-I have a new file on my desktop, "desktop.ini" (it's just a notebook file though)
-I forgot to save the log file from Ad-aware (took about 30 minutes to delete everything)
-I have not run Spyware Blaster yet
-I did not find all those files and folders to delete (guess Ad-aware deleted them)
new HJT log:
Logfile of HijackThis v1.99.0
Scan saved at 6:06:47 PM, on 12/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\DOCUME~1\Nick\LOCALS~1\Temp\Rar$EX00.813\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {49DEC3C0-C71A-11D4-BA38-000102621B9B} - http://www.cursorskins.com/lib/cursorskins1/MouseMagicCS.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
O23 - Service: Autodesk Licensing Service - Unknown - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
hockey05
21 Dec 2004, 1:24am
Oh yeah, should I re-hide those files that you had me unhide?
Buckeye_Sam
21 Dec 2004, 1:46am
Oh yeah, should I re-hide those files that you had me unhide?
Not yet. You still have some problems. I'll post with more instructions for you within an hour or two.
Buckeye_Sam
21 Dec 2004, 1:58am
Or sooner.
Please download this tool.
http://www.thatcomputerguy.us/downloads/finditnt2000xp.zip
-Unzip the contents of finditnt2000xp.zip to a convenient location.
-Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
-A command prompt will open and it will search your computer for malicious files.
-Once it has finished a Notepad window will pop up with output.txt.
-Copy the entire contents of output.txt into your next post.
hockey05
21 Dec 2004, 5:47pm
This is long:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Documents and Settings\Nick\Desktop\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is DC2F-09E2
Directory of C:\WINDOWS\System32
12/20/2004 11:48 PM 224,623 gpn8l35u1.dll
12/20/2004 06:06 PM 224,623 jt4407hqe.dll
12/20/2004 05:57 PM 226,177 m4nqle551h.dll
12/19/2004 09:42 AM 222,881 dn4601hse.dll
12/18/2004 09:23 AM 223,829 d0j00a1med.dll
12/17/2004 03:05 PM 225,599 jtp8077ue.dll
12/16/2004 08:29 PM 225,320 f00olad31d0.dll
12/12/2004 01:17 AM 56,320 hfprx.dll
12/11/2004 08:59 PM 56,320 xroga.dll
12/10/2004 09:10 AM 56,320 hguap.dll
12/08/2004 08:20 AM 11,307 ieuw32.exe
12/04/2004 01:36 AM 56,320 cdphs.dll
12/03/2004 11:53 AM 56,320 etgqv.dll
12/02/2004 05:56 AM 99,698 mskb.dll
12/01/2004 03:56 PM 56,320 katrz.dll
11/26/2004 10:51 PM <DIR> DLLCACHE
11/19/2004 07:41 AM 10,956 atlwt32.exe
11/19/2004 07:17 AM 10,894 addva.exe
11/15/2004 02:12 PM 11,613 apiyn32.exe
11/14/2004 09:12 PM 10,994 sdkha32.exe
11/12/2004 01:08 PM 10,935 winpo.exe
11/12/2004 03:31 AM 11,190 iedr.exe
11/12/2004 03:25 AM 11,371 msmb.exe
11/10/2004 09:58 AM 56,320 kghfk.dll
11/07/2004 08:41 AM 11,443 javamx32.exe
11/06/2004 10:56 AM 3,362 tagkl.txt
11/05/2004 10:08 AM 11,489 crtp32.exe
11/05/2004 04:50 AM 97,228 apivx32.dll
11/01/2004 07:59 PM 11,609 msfb32.exe
10/25/2004 03:24 PM 3,362 rwnhj.log
10/22/2004 07:04 AM 10,652 mseu.exe
10/16/2004 04:27 PM 3,362 diprn.txt
10/08/2004 06:59 PM 512 Oval73H.j9r
10/03/2004 08:04 PM 1,104 VchsZQoq.fye
09/06/2004 06:06 PM 512 Boi5X.8v1
09/06/2004 06:06 PM 1,104 Cjo9g.x89
09/04/2004 06:05 PM 1,104 TafqX5mo.dwc
08/25/2004 05:21 PM 1,104 Tmou.akh
08/12/2004 04:02 PM 1,104 Dwy13U.6sz
08/07/2004 12:11 PM 253,962 Tovr.exe
08/07/2004 12:11 PM 253,962 Exl331lH.exe
08/07/2004 12:11 PM 253,962 Nlxxb.exe
08/07/2004 12:11 PM 253,962 Weozlc.exe
08/07/2004 12:11 PM 253,962 TczOOJ3.exe
08/07/2004 12:11 PM 253,962 YfePY0.exe
08/07/2004 12:11 PM 499,722 QmtPCB55.exe
08/07/2004 12:11 PM 499,722 LsxI52.exe
07/18/2004 07:28 PM 1,104 MtyJ62F.g8o
07/14/2004 07:27 PM 1,104 BnyLS.46s
07/02/2004 10:45 AM 1,104 IpvFme.017
06/27/2004 03:37 PM 1,104 FmsCj.b90
06/04/2004 10:08 AM 1,188 Szep85ln.cua
06/02/2004 05:12 PM 1,188 CizmkYXS.9v1
05/25/2004 08:28 PM 1,020 Anh4V.7ub
05/25/2004 08:20 PM 1,020 Bin9f.w78
05/23/2004 07:20 PM 1,188 Dkp0h.y89
03/26/2004 09:26 PM 1,104 Bin9f.w88
03/11/2004 09:40 PM 1,020 MtyJ62F.h8o
03/11/2004 09:40 PM 1,020 Elr0i.a99
03/09/2004 09:40 PM 1,020 Pywf2.5f4
03/08/2004 09:39 PM 1,020 Zsu0g.65o
03/06/2004 04:32 PM 1,020 LsxI5g.e28
02/21/2004 03:19 PM 1,180 Bin9.fw7
02/13/2004 04:25 PM 1,104 Pwbm74i.k9s
02/07/2004 04:24 PM 1,104 VcisZRoq.fye
02/03/2004 04:14 PM 1,104 Fmr0i.a99
02/01/2004 04:14 PM 1,104 MtyJ62F.h8p
02/01/2004 04:14 PM 1,104 FmrCj.a90
01/31/2004 04:14 PM 1,020 IpuFmd.017
01/31/2004 04:14 PM 1,020 Cjo9f.x88
01/31/2004 04:14 PM 1,104 Qxcn74j.lat
01/31/2004 04:14 PM 1,104 LsxI52.eg8
01/25/2004 02:59 PM 1,104 Atv0h.65p
01/19/2004 05:54 PM 1,020 Gmdq.5cb
01/19/2004 05:54 PM 1,020 Ekbo.4az
01/19/2004 05:51 PM 1,020 Sxp0A5.53p
01/18/2004 09:41 PM 1,020 Cjo9g.y89
01/18/2004 09:41 PM 1,104 UzqDC55.3qm
01/17/2004 12:29 AM 1,104 Nsj8V.3i1
01/08/2004 06:07 PM 1,104 VchsZRoq.fye
01/07/2004 06:06 PM 1,104 KrwH5f.d27
01/06/2004 06:06 PM 1,104 AlwJR.j5r
01/04/2004 06:06 PM 1,104 WditZRpq.fye
01/03/2004 06:06 PM 1,020 Qxcn74j.las
01/03/2004 06:06 PM 1,104 Cjp9g.y89
12/31/2003 06:05 PM 1,104 UbgrYPnp.ewd
12/29/2003 06:05 PM 1,104 AlwKR.j5r
12/27/2003 03:39 PM 1,104 Rydo84km.bua
12/24/2003 03:37 PM 1,104 Zgl8.du7
12/22/2003 03:37 PM 1,104 Qwcm74j.k9s
12/21/2003 03:37 PM 1,104 NuzK63G.i8p
12/20/2003 03:37 PM 1,104 GnsDk.b90
07/17/2003 12:29 AM <DIR> Microsoft
91 File(s) 4,887,349 bytes
2 Dir(s) 48,060,633,088 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is DC2F-09E2
Directory of C:\WINDOWS\System32
12/12/2004 01:17 AM 56,320 hfprx.dll
12/11/2004 08:59 PM 56,320 xroga.dll
12/10/2004 09:10 AM 56,320 hguap.dll
12/08/2004 08:20 AM 11,307 ieuw32.exe
12/04/2004 01:36 AM 56,320 cdphs.dll
12/03/2004 11:53 AM 56,320 etgqv.dll
12/02/2004 05:56 AM 99,698 mskb.dll
12/01/2004 03:56 PM 56,320 katrz.dll
11/26/2004 10:51 PM <DIR> DLLCACHE
11/19/2004 07:41 AM 10,956 atlwt32.exe
11/19/2004 07:17 AM 10,894 addva.exe
11/15/2004 02:12 PM 11,613 apiyn32.exe
11/14/2004 09:12 PM 10,994 sdkha32.exe
11/12/2004 01:08 PM 10,935 winpo.exe
11/12/2004 03:31 AM 11,190 iedr.exe
11/12/2004 03:25 AM 11,371 msmb.exe
11/10/2004 09:58 AM 56,320 kghfk.dll
11/07/2004 08:41 AM 11,443 javamx32.exe
11/06/2004 10:56 AM 3,362 tagkl.txt
11/05/2004 10:08 AM 11,489 crtp32.exe
11/05/2004 04:50 AM 97,228 apivx32.dll
11/01/2004 07:59 PM 11,609 msfb32.exe
10/25/2004 03:24 PM 3,362 rwnhj.log
10/22/2004 07:04 AM 10,652 mseu.exe
10/16/2004 04:27 PM 3,362 diprn.txt
10/08/2004 06:59 PM 512 Oval73H.j9r
10/03/2004 09:48 PM 488 logonui.exe.manifest
10/03/2004 09:48 PM 488 WindowsLogon.manifest
10/03/2004 09:48 PM 749 cdplayer.exe.manifest
10/03/2004 09:48 PM 749 sapi.cpl.manifest
10/03/2004 09:48 PM 749 wuaucpl.cpl.manifest
10/03/2004 09:48 PM 749 ncpa.cpl.manifest
10/03/2004 09:48 PM 749 nwc.cpl.manifest
10/03/2004 08:04 PM 1,104 VchsZQoq.fye
09/06/2004 06:06 PM 512 Boi5X.8v1
09/06/2004 06:06 PM 1,104 Cjo9g.x89
09/04/2004 06:05 PM 1,104 TafqX5mo.dwc
08/25/2004 05:21 PM 1,104 Tmou.akh
08/12/2004 04:02 PM 1,104 Dwy13U.6sz
08/07/2004 12:11 PM 253,962 Tovr.exe
08/07/2004 12:11 PM 253,962 Exl331lH.exe
08/07/2004 12:11 PM 253,962 Nlxxb.exe
08/07/2004 12:11 PM 253,962 Weozlc.exe
08/07/2004 12:11 PM 253,962 TczOOJ3.exe
08/07/2004 12:11 PM 253,962 YfePY0.exe
08/07/2004 12:11 PM 499,722 QmtPCB55.exe
08/07/2004 12:11 PM 499,722 LsxI52.exe
07/18/2004 07:28 PM 1,104 MtyJ62F.g8o
07/14/2004 07:27 PM 1,104 BnyLS.46s
07/02/2004 10:45 AM 1,104 IpvFme.017
06/27/2004 03:37 PM 1,104 FmsCj.b90
06/04/2004 10:08 AM 1,188 Szep85ln.cua
06/02/2004 05:12 PM 1,188 CizmkYXS.9v1
05/25/2004 08:28 PM 1,020 Anh4V.7ub
05/25/2004 08:20 PM 1,020 Bin9f.w78
05/23/2004 07:20 PM 1,188 Dkp0h.y89
03/26/2004 09:26 PM 1,104 Bin9f.w88
03/11/2004 09:40 PM 1,020 Elr0i.a99
03/11/2004 09:40 PM 1,020 MtyJ62F.h8o
03/09/2004 09:40 PM 1,020 Pywf2.5f4
03/08/2004 09:39 PM 1,020 Zsu0g.65o
03/06/2004 04:32 PM 1,020 LsxI5g.e28
02/21/2004 03:19 PM 1,180 Bin9.fw7
02/13/2004 04:25 PM 1,104 Pwbm74i.k9s
02/07/2004 04:24 PM 1,104 VcisZRoq.fye
02/03/2004 04:14 PM 1,104 Fmr0i.a99
02/01/2004 04:14 PM 1,104 FmrCj.a90
02/01/2004 04:14 PM 1,104 MtyJ62F.h8p
01/31/2004 04:14 PM 1,020 IpuFmd.017
01/31/2004 04:14 PM 1,020 Cjo9f.x88
01/31/2004 04:14 PM 1,104 Qxcn74j.lat
01/31/2004 04:14 PM 1,104 LsxI52.eg8
01/31/2004 02:02 AM 4,212 zllictbl.dat
01/25/2004 02:59 PM 1,104 Atv0h.65p
01/19/2004 05:54 PM 1,020 Gmdq.5cb
01/19/2004 05:54 PM 1,020 Ekbo.4az
01/19/2004 05:51 PM 1,020 Sxp0A5.53p
01/18/2004 09:41 PM 1,020 Cjo9g.y89
01/18/2004 09:41 PM 1,104 UzqDC55.3qm
01/17/2004 12:29 AM 1,104 Nsj8V.3i1
01/08/2004 06:07 PM 1,104 VchsZRoq.fye
01/07/2004 06:06 PM 1,104 KrwH5f.d27
01/06/2004 06:06 PM 1,104 AlwJR.j5r
01/04/2004 06:06 PM 1,104 WditZRpq.fye
01/03/2004 06:06 PM 1,020 Qxcn74j.las
01/03/2004 06:06 PM 1,104 Cjp9g.y89
12/31/2003 06:05 PM 1,104 UbgrYPnp.ewd
12/29/2003 06:05 PM 1,104 AlwKR.j5r
12/27/2003 03:39 PM 1,104 Rydo84km.bua
12/24/2003 03:37 PM 1,104 Zgl8.du7
12/22/2003 03:37 PM 1,104 Qwcm74j.k9s
12/21/2003 03:37 PM 1,104 NuzK63G.i8p
12/20/2003 03:37 PM 1,104 GnsDk.b90
92 File(s) 3,323,230 bytes
1 Dir(s) 48,060,624,896 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is DC2F-09E2
Directory of C:\WINDOWS\System32
12/21/2004 10:16 AM 224,623 guard.tmp
1 File(s) 224,623 bytes
0 Dir(s) 48,060,624,896 bytes free
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is DC2F-09E2
Directory of C:\WINDOWS\System32
12/21/2004 10:16 AM 224,623 guard.tmp
09/22/2004 06:46 PM 5,550,080 setb6.tmp
07/04/2004 10:30 PM 1,032 tmpmpt1.tmp
08/29/2002 04:00 AM 2,577 CONFIG.TMP
4 File(s) 5,778,312 bytes
0 Dir(s) 48,060,620,800 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{1BC08A78-0F96-40A0-90C5-BC0D8801CE4F}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jt4407hqe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------------ Locate.com Results ------------------
-------------- Strings.exe Aspack Results -------------
----------------- HKLM Run Key ------------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"Logitech Utility"="Logi_MwX.Exe"
"IE Menu Extension toolbar"="rundll32.exe \"C:\\PROGRA~1\\IEMENU~1\\tbextn.dll\" DllShowTB"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
Buckeye_Sam
21 Dec 2004, 10:52pm
Good job! I know it's long, but it shows exactly what we need to see.
Download Killbox.
http://www.downloads.subratam.org/KillBox.zip
1. Unzip the contents of KillBox.zip to a convenient location.
2. Double-click on KillBox.exe.
3. Click "Replace on Reboot" and check the "Use Dummy" box.
4. Paste this file into the top "Full Path of File to Delete" box.
C:\WINDOWS\System32\gpn8l35u1.dll
5. Click the "Delete File" button which looks like a stop sign.
6. Click "Yes" at the Replace on Reboot prompt.
7. Click "No" at the Pending Operations prompt.
8. Repeat steps 4-8 above for these files:
C:\WINDOWS\System32\jt4407hqe.dll
C:\WINDOWS\System32\m4nqle551h.dll
C:\WINDOWS\System32\dn4601hse.dll
C:\WINDOWS\System32\d0j00a1med.dll
C:\WINDOWS\System32\jtp8077ue.dll
C:\WINDOWS\System32\f00olad31d0.dll
9. Click "Replace on Reboot" and check the "Use Dummy" box.
10. Paste this file into the top "Full Path of File to Delete" box.
C:\WINDOWS\System32\Guard.tmp
11. Click the "Delete File" button which looks like a stop sign.
12. Click "Yes" at the Replace on Reboot prompt.
13. Click "Yes" at the Pending Operations prompt to restart your computer.
14. Double-click on find.bat and post the new output.txt.
hockey05
22 Dec 2004, 5:36am
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Documents and Settings\Nick\Desktop\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is DC2F-09E2
Directory of C:\WINDOWS\System32
12/20/2004 05:57 PM 226,177 m4nqle551h.dll
12/19/2004 09:42 AM 222,881 dn4601hse.dll
12/18/2004 09:23 AM 223,829 d0j00a1med.dll
12/17/2004 03:05 PM 225,599 jtp8077ue.dll
12/16/2004 08:29 PM 225,320 f00olad31d0.dll
12/12/2004 01:17 AM 56,320 hfprx.dll
12/11/2004 08:59 PM 56,320 xroga.dll
12/10/2004 09:10 AM 56,320 hguap.dll
12/08/2004 08:20 AM 11,307 ieuw32.exe
12/04/2004 01:36 AM 56,320 cdphs.dll
12/03/2004 11:53 AM 56,320 etgqv.dll
12/02/2004 05:56 AM 99,698 mskb.dll
12/01/2004 03:56 PM 56,320 katrz.dll
11/26/2004 10:51 PM <DIR> DLLCACHE
11/19/2004 07:41 AM 10,956 atlwt32.exe
11/19/2004 07:17 AM 10,894 addva.exe
11/15/2004 02:12 PM 11,613 apiyn32.exe
11/14/2004 09:12 PM 10,994 sdkha32.exe
11/12/2004 01:08 PM 10,935 winpo.exe
11/12/2004 03:31 AM 11,190 iedr.exe
11/12/2004 03:25 AM 11,371 msmb.exe
11/10/2004 09:58 AM 56,320 kghfk.dll
11/07/2004 08:41 AM 11,443 javamx32.exe
11/06/2004 10:56 AM 3,362 tagkl.txt
11/05/2004 10:08 AM 11,489 crtp32.exe
11/05/2004 04:50 AM 97,228 apivx32.dll
11/01/2004 07:59 PM 11,609 msfb32.exe
10/25/2004 03:24 PM 3,362 rwnhj.log
10/22/2004 07:04 AM 10,652 mseu.exe
10/16/2004 04:27 PM 3,362 diprn.txt
10/08/2004 06:59 PM 512 Oval73H.j9r
10/03/2004 08:04 PM 1,104 VchsZQoq.fye
09/06/2004 06:06 PM 512 Boi5X.8v1
09/06/2004 06:06 PM 1,104 Cjo9g.x89
09/04/2004 06:05 PM 1,104 TafqX5mo.dwc
08/25/2004 05:21 PM 1,104 Tmou.akh
08/12/2004 04:02 PM 1,104 Dwy13U.6sz
08/07/2004 12:11 PM 253,962 Tovr.exe
08/07/2004 12:11 PM 253,962 Exl331lH.exe
08/07/2004 12:11 PM 253,962 Nlxxb.exe
08/07/2004 12:11 PM 253,962 Weozlc.exe
08/07/2004 12:11 PM 253,962 TczOOJ3.exe
08/07/2004 12:11 PM 253,962 YfePY0.exe
08/07/2004 12:11 PM 499,722 QmtPCB55.exe
08/07/2004 12:11 PM 499,722 LsxI52.exe
07/18/2004 07:28 PM 1,104 MtyJ62F.g8o
07/14/2004 07:27 PM 1,104 BnyLS.46s
07/02/2004 10:45 AM 1,104 IpvFme.017
06/27/2004 03:37 PM 1,104 FmsCj.b90
06/04/2004 10:08 AM 1,188 Szep85ln.cua
06/02/2004 05:12 PM 1,188 CizmkYXS.9v1
05/25/2004 08:28 PM 1,020 Anh4V.7ub
05/25/2004 08:20 PM 1,020 Bin9f.w78
05/23/2004 07:20 PM 1,188 Dkp0h.y89
03/26/2004 09:26 PM 1,104 Bin9f.w88
03/11/2004 09:40 PM 1,020 MtyJ62F.h8o
03/11/2004 09:40 PM 1,020 Elr0i.a99
03/09/2004 09:40 PM 1,020 Pywf2.5f4
03/08/2004 09:39 PM 1,020 Zsu0g.65o
03/06/2004 04:32 PM 1,020 LsxI5g.e28
02/21/2004 03:19 PM 1,180 Bin9.fw7
02/13/2004 04:25 PM 1,104 Pwbm74i.k9s
02/07/2004 04:24 PM 1,104 VcisZRoq.fye
02/03/2004 04:14 PM 1,104 Fmr0i.a99
02/01/2004 04:14 PM 1,104 FmrCj.a90
02/01/2004 04:14 PM 1,104 MtyJ62F.h8p
01/31/2004 04:14 PM 1,020 IpuFmd.017
01/31/2004 04:14 PM 1,020 Cjo9f.x88
01/31/2004 04:14 PM 1,104 Qxcn74j.lat
01/31/2004 04:14 PM 1,104 LsxI52.eg8
01/25/2004 02:59 PM 1,104 Atv0h.65p
01/19/2004 05:54 PM 1,020 Gmdq.5cb
01/19/2004 05:54 PM 1,020 Ekbo.4az
01/19/2004 05:51 PM 1,020 Sxp0A5.53p
01/18/2004 09:41 PM 1,020 Cjo9g.y89
01/18/2004 09:41 PM 1,104 UzqDC55.3qm
01/17/2004 12:29 AM 1,104 Nsj8V.3i1
01/08/2004 06:07 PM 1,104 VchsZRoq.fye
01/07/2004 06:06 PM 1,104 KrwH5f.d27
01/06/2004 06:06 PM 1,104 AlwJR.j5r
01/04/2004 06:06 PM 1,104 WditZRpq.fye
01/03/2004 06:06 PM 1,020 Qxcn74j.las
01/03/2004 06:06 PM 1,104 Cjp9g.y89
12/31/2003 06:05 PM 1,104 UbgrYPnp.ewd
12/29/2003 06:05 PM 1,104 AlwKR.j5r
12/27/2003 03:39 PM 1,104 Rydo84km.bua
12/24/2003 03:37 PM 1,104 Zgl8.du7
12/22/2003 03:37 PM 1,104 Qwcm74j.k9s
12/21/2003 03:37 PM 1,104 NuzK63G.i8p
12/20/2003 03:37 PM 1,104 GnsDk.b90
07/17/2003 12:29 AM <DIR> Microsoft
89 File(s) 4,438,103 bytes
2 Dir(s) 48,029,081,600 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is DC2F-09E2
Directory of C:\WINDOWS\System32
12/12/2004 01:17 AM 56,320 hfprx.dll
12/11/2004 08:59 PM 56,320 xroga.dll
12/10/2004 09:10 AM 56,320 hguap.dll
12/08/2004 08:20 AM 11,307 ieuw32.exe
12/04/2004 01:36 AM 56,320 cdphs.dll
12/03/2004 11:53 AM 56,320 etgqv.dll
12/02/2004 05:56 AM 99,698 mskb.dll
12/01/2004 03:56 PM 56,320 katrz.dll
11/26/2004 10:51 PM <DIR> DLLCACHE
11/19/2004 07:41 AM 10,956 atlwt32.exe
11/19/2004 07:17 AM 10,894 addva.exe
11/15/2004 02:12 PM 11,613 apiyn32.exe
11/14/2004 09:12 PM 10,994 sdkha32.exe
11/12/2004 01:08 PM 10,935 winpo.exe
11/12/2004 03:31 AM 11,190 iedr.exe
11/12/2004 03:25 AM 11,371 msmb.exe
11/10/2004 09:58 AM 56,320 kghfk.dll
11/07/2004 08:41 AM 11,443 javamx32.exe
11/06/2004 10:56 AM 3,362 tagkl.txt
11/05/2004 10:08 AM 11,489 crtp32.exe
11/05/2004 04:50 AM 97,228 apivx32.dll
11/01/2004 07:59 PM 11,609 msfb32.exe
10/25/2004 03:24 PM 3,362 rwnhj.log
10/22/2004 07:04 AM 10,652 mseu.exe
10/16/2004 04:27 PM 3,362 diprn.txt
10/08/2004 06:59 PM 512 Oval73H.j9r
10/03/2004 09:48 PM 488 logonui.exe.manifest
10/03/2004 09:48 PM 488 WindowsLogon.manifest
10/03/2004 09:48 PM 749 cdplayer.exe.manifest
10/03/2004 09:48 PM 749 sapi.cpl.manifest
10/03/2004 09:48 PM 749 wuaucpl.cpl.manifest
10/03/2004 09:48 PM 749 ncpa.cpl.manifest
10/03/2004 09:48 PM 749 nwc.cpl.manifest
10/03/2004 08:04 PM 1,104 VchsZQoq.fye
09/06/2004 06:06 PM 512 Boi5X.8v1
09/06/2004 06:06 PM 1,104 Cjo9g.x89
09/04/2004 06:05 PM 1,104 TafqX5mo.dwc
08/25/2004 05:21 PM 1,104 Tmou.akh
08/12/2004 04:02 PM 1,104 Dwy13U.6sz
08/07/2004 12:11 PM 253,962 Tovr.exe
08/07/2004 12:11 PM 253,962 Exl331lH.exe
08/07/2004 12:11 PM 253,962 Nlxxb.exe
08/07/2004 12:11 PM 253,962 Weozlc.exe
08/07/2004 12:11 PM 253,962 TczOOJ3.exe
08/07/2004 12:11 PM 253,962 YfePY0.exe
08/07/2004 12:11 PM 499,722 QmtPCB55.exe
08/07/2004 12:11 PM 499,722 LsxI52.exe
07/18/2004 07:28 PM 1,104 MtyJ62F.g8o
07/14/2004 07:27 PM 1,104 BnyLS.46s
07/02/2004 10:45 AM 1,104 IpvFme.017
06/27/2004 03:37 PM 1,104 FmsCj.b90
06/04/2004 10:08 AM 1,188 Szep85ln.cua
06/02/2004 05:12 PM 1,188 CizmkYXS.9v1
05/25/2004 08:28 PM 1,020 Anh4V.7ub
05/25/2004 08:20 PM 1,020 Bin9f.w78
05/23/2004 07:20 PM 1,188 Dkp0h.y89
03/26/2004 09:26 PM 1,104 Bin9f.w88
03/11/2004 09:40 PM 1,020 Elr0i.a99
03/11/2004 09:40 PM 1,020 MtyJ62F.h8o
03/09/2004 09:40 PM 1,020 Pywf2.5f4
03/08/2004 09:39 PM 1,020 Zsu0g.65o
03/06/2004 04:32 PM 1,020 LsxI5g.e28
02/21/2004 03:19 PM 1,180 Bin9.fw7
02/13/2004 04:25 PM 1,104 Pwbm74i.k9s
02/07/2004 04:24 PM 1,104 VcisZRoq.fye
02/03/2004 04:14 PM 1,104 Fmr0i.a99
02/01/2004 04:14 PM 1,104 FmrCj.a90
02/01/2004 04:14 PM 1,104 MtyJ62F.h8p
01/31/2004 04:14 PM 1,020 IpuFmd.017
01/31/2004 04:14 PM 1,020 Cjo9f.x88
01/31/2004 04:14 PM 1,104 Qxcn74j.lat
01/31/2004 04:14 PM 1,104 LsxI52.eg8
01/31/2004 02:02 AM 4,212 zllictbl.dat
01/25/2004 02:59 PM 1,104 Atv0h.65p
01/19/2004 05:54 PM 1,020 Gmdq.5cb
01/19/2004 05:54 PM 1,020 Ekbo.4az
01/19/2004 05:51 PM 1,020 Sxp0A5.53p
01/18/2004 09:41 PM 1,020 Cjo9g.y89
01/18/2004 09:41 PM 1,104 UzqDC55.3qm
01/17/2004 12:29 AM 1,104 Nsj8V.3i1
01/08/2004 06:07 PM 1,104 VchsZRoq.fye
01/07/2004 06:06 PM 1,104 KrwH5f.d27
01/06/2004 06:06 PM 1,104 AlwJR.j5r
01/04/2004 06:06 PM 1,104 WditZRpq.fye
01/03/2004 06:06 PM 1,020 Qxcn74j.las
01/03/2004 06:06 PM 1,104 Cjp9g.y89
12/31/2003 06:05 PM 1,104 UbgrYPnp.ewd
12/29/2003 06:05 PM 1,104 AlwKR.j5r
12/27/2003 03:39 PM 1,104 Rydo84km.bua
12/24/2003 03:37 PM 1,104 Zgl8.du7
12/22/2003 03:37 PM 1,104 Qwcm74j.k9s
12/21/2003 03:37 PM 1,104 NuzK63G.i8p
12/20/2003 03:37 PM 1,104 GnsDk.b90
92 File(s) 3,323,230 bytes
1 Dir(s) 48,029,073,408 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is DC2F-09E2
Directory of C:\WINDOWS\System32
12/21/2004 10:08 PM 56 Guard.tmp
1 File(s) 56 bytes
0 Dir(s) 48,029,073,408 bytes free
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is DC2F-09E2
Directory of C:\WINDOWS\System32
12/21/2004 10:08 PM 56 Guard.tmp
09/22/2004 06:46 PM 5,550,080 setb6.tmp
07/04/2004 10:30 PM 1,032 tmpmpt1.tmp
08/29/2002 04:00 AM 2,577 CONFIG.TMP
4 File(s) 5,553,745 bytes
0 Dir(s) 48,029,069,312 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{1BC08A78-0F96-40A0-90C5-BC0D8801CE4F}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gpn8l35u1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------------ Locate.com Results ------------------
-------------- Strings.exe Aspack Results -------------
----------------- HKLM Run Key ------------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"Logitech Utility"="Logi_MwX.Exe"
"IE Menu Extension toolbar"="rundll32.exe \"C:\\PROGRA~1\\IEMENU~1\\tbextn.dll\" DllShowTB"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
Buckeye_Sam
23 Dec 2004, 1:48am
Well, we got rid of some of the bad files, but not all of them.
Disconnect from the internet.
Next, start Killbox and click on Tools->Delete Temp Files.
Then click File ->Delete all dummy files.
When that finishes, copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those in a minute:
C:\WINDOWS\System32\m4nqle551h.dll
C:\WINDOWS\System32\dn4601hse.dll
C:\WINDOWS\System32\d0j00a1med.dll
C:\WINDOWS\System32\jtp8077ue.dll
C:\WINDOWS\System32\f00olad31d0.dll
C:\WINDOWS\System32\Guard.tmp
For the files that it either couldn't find or couldn't delete, run killbox again, but this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No" until after you've pasted the last file name, at which time you should answer "Yes".
When it reboots, please post a new Find.bat log and a new Hijack This log.
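As an added example (not from the thread, and not part of Find.bat or Killbox), this script performs the check Buckeye_Sam does by eye on the "Keys Under Notify" section: it parses the REGEDIT4 dump, flags Winlogon Notify subkeys whose DllName is not one of the notify DLLs the benign entries in this log use, and reports flagged DLLs that the System32 listing from the same report no longer contains, which is the situation the log above shows for the App Paths entry pointing at gpn8l35u1.dll. The allowlist and the shortened sample excerpts are constructed from the log posted above.

```python
"""Triage the "Keys Under Notify" section of a Find.bat report.

Winlogon loads every DLL registered under HKLM\\...\\Winlogon\\Notify at
logon, so a DLL hooked there is reloaded on every boot, even after other
files have been deleted. Flag subkeys whose DllName is not one of the notify
DLLs the benign entries use, then check whether the flagged file is still in
the System32 listing from the same report.
"""
import re

# Constructed, shortened excerpt of the REGEDIT4 dump posted in the thread:
# one rogue subkey (App Paths), one benign hex(2) entry, one benign string entry.
SAMPLE_NOTIFY = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gpn8l35u1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
'''

# Constructed excerpt of the "System Files in System32 Directory" listing.
SAMPLE_LISTING = """Directory of C:\\WINDOWS\\System32
12/12/2004 01:17 AM 56,320 hfprx.dll
11/26/2004 10:51 PM <DIR> DLLCACHE
11/12/2004 03:25 AM 11,371 msmb.exe
"""

# Assumption: the notify DLLs referenced by the benign entries in this log.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll", "igfxsrvc.dll"}

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')
LISTING_RE = re.compile(
    r'^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+(?:<DIR>|[\d,]+)\s+(?P<name>\S.*)$')


def decode_reg_value(raw):
    """Decode a REGEDIT4 value: quoted string (\\ and \" escapes), hex(2)
    REG_EXPAND_SZ as NUL-terminated ANSI bytes, or dword. Single-line only."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    if raw.startswith('hex(2):'):
        data = bytes(int(b, 16) for b in raw[len('hex(2):'):].split(',') if b)
        return data.split(b'\x00', 1)[0].decode('latin-1')
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    return raw


def parse_notify(text):
    """Return {subkey: {value_name_lower: value}} for each subkey under Notify."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            tail = m.group('key').rsplit('\\Winlogon\\Notify', 1)
            current = None  # the Notify key itself and unrelated keys are skipped
            if len(tail) == 2 and tail[1].startswith('\\'):
                current = tail[1][1:]
                entries[current] = {}
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            # Case-insensitive: the dump mixes "DllName" and "DLLName".
            entries[current][m.group('name').lower()] = decode_reg_value(m.group('val'))
    return entries


def suspicious_notify_entries(entries, known_dlls=KNOWN_NOTIFY_DLLS):
    """Flag subkeys whose DLL is given as an absolute path or is not a known notify DLL."""
    findings = []
    for subkey, values in entries.items():
        dll = values.get('dllname')
        if dll is None:
            continue
        reasons = []
        if '\\' in dll:
            reasons.append('absolute path (legitimate entries use a bare system32 filename)')
        if dll.rsplit('\\', 1)[-1].lower() not in known_dlls:
            reasons.append('DLL not in the known notify-DLL set')
        if reasons:
            findings.append((subkey, dll, reasons))
    return findings


def listed_files(text):
    """Lower-cased names from a dir-style listing such as Find.bat prints."""
    return {m.group('name').lower() for m in map(LISTING_RE.match, text.splitlines()) if m}


def orphaned_hooks(findings, listed):
    """Flagged Notify DLLs whose file is absent from the listing: the hook outlived the file."""
    return [dll for _, dll, _ in findings if dll.rsplit('\\', 1)[-1].lower() not in listed]


if __name__ == "__main__":
    found = suspicious_notify_entries(parse_notify(SAMPLE_NOTIFY))
    for subkey, dll, reasons in found:
        print(f"Notify\\{subkey} -> {dll}: " + "; ".join(reasons))
    for dll in orphaned_hooks(found, listed_files(SAMPLE_LISTING)):
        print(f"hook still registered but file absent from listing: {dll}")
```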
hockey05
23 Dec 2004, 5:10am
OK, all of those files deleted.
new log:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Documents and Settings\Nick\Desktop\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is DC2F-09E2
Directory of C:\WINDOWS\System32
12/12/2004 01:17 AM 56,320 hfprx.dll
12/11/2004 08:59 PM 56,320 xroga.dll
12/10/2004 09:10 AM 56,320 hguap.dll
12/08/2004 08:20 AM 11,307 ieuw32.exe
12/04/2004 01:36 AM 56,320 cdphs.dll
12/03/2004 11:53 AM 56,320 etgqv.dll
12/02/2004 05:56 AM 99,698 mskb.dll
12/01/2004 03:56 PM 56,320 katrz.dll
11/26/2004 10:51 PM <DIR> DLLCACHE
11/19/2004 07:41 AM 10,956 atlwt32.exe
11/19/2004 07:17 AM 10,894 addva.exe
11/15/2004 02:12 PM 11,613 apiyn32.exe
11/14/2004 09:12 PM 10,994 sdkha32.exe
11/12/2004 01:08 PM 10,935 winpo.exe
11/12/2004 03:31 AM 11,190 iedr.exe
11/12/2004 03:25 AM 11,371 msmb.exe
11/10/2004 09:58 AM 56,320 kghfk.dll
11/07/2004 08:41 AM 11,443 javamx32.exe
11/06/2004 10:56 AM 3,362 tagkl.txt
11/05/2004 10:08 AM 11,489 crtp32.exe
11/05/2004 04:50 AM 97,228 apivx32.dll
11/01/2004 07:59 PM 11,609 msfb32.exe
10/25/2004 03:24 PM 3,362 rwnhj.log
10/22/2004 07:04 AM 10,652 mseu.exe
10/16/2004 04:27 PM 3,362 diprn.txt
10/08/2004 06:59 PM 512 Oval73H.j9r
10/03/2004 08:04 PM 1,104 VchsZQoq.fye
09/06/2004 06:06 PM 512 Boi5X.8v1
09/06/2004 06:06 PM 1,104 Cjo9g.x89
09/04/2004 06:05 PM 1,104 TafqX5mo.dwc
08/25/2004 05:21 PM 1,104 Tmou.akh
08/12/2004 04:02 PM 1,104 Dwy13U.6sz
08/07/2004 12:11 PM 253,962 Tovr.exe
08/07/2004 12:11 PM 253,962 Exl331lH.exe
08/07/2004 12:11 PM 253,962 Nlxxb.exe
08/07/2004 12:11 PM 253,962 Weozlc.exe
08/07/2004 12:11 PM 253,962 TczOOJ3.exe
08/07/2004 12:11 PM 253,962 YfePY0.exe
08/07/2004 12:11 PM 499,722 QmtPCB55.exe
08/07/2004 12:11 PM 499,722 LsxI52.exe
07/18/2004 07:28 PM 1,104 MtyJ62F.g8o
07/14/2004 07:27 PM 1,104 BnyLS.46s
07/02/2004 10:45 AM 1,104 IpvFme.017
06/27/2004 03:37 PM 1,104 FmsCj.b90
06/04/2004 10:08 AM 1,188 Szep85ln.cua
06/02/2004 05:12 PM 1,188 CizmkYXS.9v1
05/25/2004 08:28 PM 1,020 Anh4V.7ub
05/25/2004 08:20 PM 1,020 Bin9f.w78
05/23/2004 07:20 PM 1,188 Dkp0h.y89
03/26/2004 09:26 PM 1,104 Bin9f.w88
03/11/2004 09:40 PM 1,020 Elr0i.a99
03/11/2004 09:40 PM 1,020 MtyJ62F.h8o
03/09/2004 09:40 PM 1,020 Pywf2.5f4
03/08/2004 09:39 PM 1,020 Zsu0g.65o
03/06/2004 04:32 PM 1,020 LsxI5g.e28
02/21/2004 03:19 PM 1,180 Bin9.fw7
02/13/2004 04:25 PM 1,104 Pwbm74i.k9s
02/07/2004 04:24 PM 1,104 VcisZRoq.fye
02/03/2004 04:14 PM 1,104 Fmr0i.a99
02/01/2004 04:14 PM 1,104 MtyJ62F.h8p
02/01/2004 04:14 PM 1,104 FmrCj.a90
01/31/2004 04:14 PM 1,020 IpuFmd.017
01/31/2004 04:14 PM 1,020 Cjo9f.x88
01/31/2004 04:14 PM 1,104 Qxcn74j.lat
01/31/2004 04:14 PM 1,104 LsxI52.eg8
01/25/2004 02:59 PM 1,104 Atv0h.65p
01/19/2004 05:54 PM 1,020 Gmdq.5cb
01/19/2004 05:54 PM 1,020 Ekbo.4az
01/19/2004 05:51 PM 1,020 Sxp0A5.53p
01/18/2004 09:41 PM 1,020 Cjo9g.y89
01/18/2004 09:41 PM 1,104 UzqDC55.3qm
01/17/2004 12:29 AM 1,104 Nsj8V.3i1
01/08/2004 06:07 PM 1,104 VchsZRoq.fye
01/07/2004 06:06 PM 1,104 KrwH5f.d27
01/06/2004 06:06 PM 1,104 AlwJR.j5r
01/04/2004 06:06 PM 1,104 WditZRpq.fye
01/03/2004 06:06 PM 1,020 Qxcn74j.las
01/03/2004 06:06 PM 1,104 Cjp9g.y89
12/31/2003 06:05 PM 1,104 UbgrYPnp.ewd
12/29/2003 06:05 PM 1,104 AlwKR.j5r
12/27/2003 03:39 PM 1,104 Rydo84km.bua
12/24/2003 03:37 PM 1,104 Zgl8.du7
12/22/2003 03:37 PM 1,104 Qwcm74j.k9s
12/21/2003 03:37 PM 1,104 NuzK63G.i8p
12/20/2003 03:37 PM 1,104 GnsDk.b90
07/17/2003 12:29 AM <DIR> Microsoft
84 File(s) 3,314,297 bytes
2 Dir(s) 48,145,137,664 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is DC2F-09E2
Directory of C:\WINDOWS\System32
12/12/2004 01:17 AM 56,320 hfprx.dll
12/11/2004 08:59 PM 56,320 xroga.dll
12/10/2004 09:10 AM 56,320 hguap.dll
12/08/2004 08:20 AM 11,307 ieuw32.exe
12/04/2004 01:36 AM 56,320 cdphs.dll
12/03/2004 11:53 AM 56,320 etgqv.dll
12/02/2004 05:56 AM 99,698 mskb.dll
12/01/2004 03:56 PM 56,320 katrz.dll
11/26/2004 10:51 PM <DIR> DLLCACHE
11/19/2004 07:41 AM 10,956 atlwt32.exe
11/19/2004 07:17 AM 10,894 addva.exe
11/15/2004 02:12 PM 11,613 apiyn32.exe
11/14/2004 09:12 PM 10,994 sdkha32.exe
11/12/2004 01:08 PM 10,935 winpo.exe
11/12/2004 03:31 AM 11,190 iedr.exe
11/12/2004 03:25 AM 11,371 msmb.exe
11/10/2004 09:58 AM 56,320 kghfk.dll
11/07/2004 08:41 AM 11,443 javamx32.exe
11/06/2004 10:56 AM 3,362 tagkl.txt
11/05/2004 10:08 AM 11,489 crtp32.exe
11/05/2004 04:50 AM 97,228 apivx32.dll
11/01/2004 07:59 PM 11,609 msfb32.exe
10/25/2004 03:24 PM 3,362 rwnhj.log
10/22/2004 07:04 AM 10,652 mseu.exe
10/16/2004 04:27 PM 3,362 diprn.txt
10/08/2004 06:59 PM 512 Oval73H.j9r
10/03/2004 09:48 PM 488 logonui.exe.manifest
10/03/2004 09:48 PM 488 WindowsLogon.manifest
10/03/2004 09:48 PM 749 cdplayer.exe.manifest
10/03/2004 09:48 PM 749 sapi.cpl.manifest
10/03/2004 09:48 PM 749 wuaucpl.cpl.manifest
10/03/2004 09:48 PM 749 ncpa.cpl.manifest
10/03/2004 09:48 PM 749 nwc.cpl.manifest
10/03/2004 08:04 PM 1,104 VchsZQoq.fye
09/06/2004 06:06 PM 512 Boi5X.8v1
09/06/2004 06:06 PM 1,104 Cjo9g.x89
09/04/2004 06:05 PM 1,104 TafqX5mo.dwc
08/25/2004 05:21 PM 1,104 Tmou.akh
08/12/2004 04:02 PM 1,104 Dwy13U.6sz
08/07/2004 12:11 PM 253,962 Tovr.exe
08/07/2004 12:11 PM 253,962 Exl331lH.exe
08/07/2004 12:11 PM 253,962 Nlxxb.exe
08/07/2004 12:11 PM 253,962 Weozlc.exe
08/07/2004 12:11 PM 253,962 TczOOJ3.exe
08/07/2004 12:11 PM 253,962 YfePY0.exe
08/07/2004 12:11 PM 499,722 QmtPCB55.exe
08/07/2004 12:11 PM 499,722 LsxI52.exe
07/18/2004 07:28 PM 1,104 MtyJ62F.g8o
07/14/2004 07:27 PM 1,104 BnyLS.46s
07/02/2004 10:45 AM 1,104 IpvFme.017
06/27/2004 03:37 PM 1,104 FmsCj.b90
06/04/2004 10:08 AM 1,188 Szep85ln.cua
06/02/2004 05:12 PM 1,188 CizmkYXS.9v1
05/25/2004 08:28 PM 1,020 Anh4V.7ub
05/25/2004 08:20 PM 1,020 Bin9f.w78
05/23/2004 07:20 PM 1,188 Dkp0h.y89
03/26/2004 09:26 PM 1,104 Bin9f.w88
03/11/2004 09:40 PM 1,020 Elr0i.a99
03/11/2004 09:40 PM 1,020 MtyJ62F.h8o
03/09/2004 09:40 PM 1,020 Pywf2.5f4
03/08/2004 09:39 PM 1,020 Zsu0g.65o
03/06/2004 04:32 PM 1,020 LsxI5g.e28
02/21/2004 03:19 PM 1,180 Bin9.fw7
02/13/2004 04:25 PM 1,104 Pwbm74i.k9s
02/07/2004 04:24 PM 1,104 VcisZRoq.fye
02/03/2004 04:14 PM 1,104 Fmr0i.a99
02/01/2004 04:14 PM 1,104 FmrCj.a90
02/01/2004 04:14 PM 1,104 MtyJ62F.h8p
01/31/2004 04:14 PM 1,020 IpuFmd.017
01/31/2004 04:14 PM 1,020 Cjo9f.x88
01/31/2004 04:14 PM 1,104 Qxcn74j.lat
01/31/2004 04:14 PM 1,104 LsxI52.eg8
01/31/2004 02:02 AM 4,212 zllictbl.dat
01/25/2004 02:59 PM 1,104 Atv0h.65p
01/19/2004 05:54 PM 1,020 Gmdq.5cb
01/19/2004 05:54 PM 1,020 Ekbo.4az
01/19/2004 05:51 PM 1,020 Sxp0A5.53p
01/18/2004 09:41 PM 1,020 Cjo9g.y89
01/18/2004 09:41 PM 1,104 UzqDC55.3qm
01/17/2004 12:29 AM 1,104 Nsj8V.3i1
01/08/2004 06:07 PM 1,104 VchsZRoq.fye
01/07/2004 06:06 PM 1,104 KrwH5f.d27
01/06/2004 06:06 PM 1,104 AlwJR.j5r
01/04/2004 06:06 PM 1,104 WditZRpq.fye
01/03/2004 06:06 PM 1,020 Qxcn74j.las
01/03/2004 06:06 PM 1,104 Cjp9g.y89
12/31/2003 06:05 PM 1,104 UbgrYPnp.ewd
12/29/2003 06:05 PM 1,104 AlwKR.j5r
12/27/2003 03:39 PM 1,104 Rydo84km.bua
12/24/2003 03:37 PM 1,104 Zgl8.du7
12/22/2003 03:37 PM 1,104 Qwcm74j.k9s
12/21/2003 03:37 PM 1,104 NuzK63G.i8p
12/20/2003 03:37 PM 1,104 GnsDk.b90
92 File(s) 3,323,230 bytes
1 Dir(s) 48,145,129,472 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is DC2F-09E2
Directory of C:\WINDOWS\System32
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is DC2F-09E2
Directory of C:\WINDOWS\System32
09/22/2004 06:46 PM 5,550,080 setb6.tmp
07/04/2004 10:30 PM 1,032 tmpmpt1.tmp
08/29/2002 04:00 AM 2,577 CONFIG.TMP
3 File(s) 5,553,689 bytes
0 Dir(s) 48,145,125,376 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{1BC08A78-0F96-40A0-90C5-BC0D8801CE4F}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gpn8l35u1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------------ Locate.com Results ------------------
------------ Strings.exe Qoologic Results ------------
-------------- Strings.exe Aspack Results -------------
----------------- HKLM Run Key ------------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"Logitech Utility"="Logi_MwX.Exe"
"IE Menu Extension toolbar"="rundll32.exe \"C:\\PROGRA~1\\IEMENU~1\\tbextn.dll\" DllShowTB"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
Buckeye_Sam
23 Dec 2004, 2:36pm
Looking good. All the bad files are gone. Now we need to repair some of your registry entries.
Copy this text into notepad and save as fix.reg Then double click on it. When it asks you if you want to merge this information to the registry click Yes.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{1BC08A78-0F96-40A0-90C5-BC0D8801CE4F}"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
Is your recycle bin working properly? Please post a new find.bat log and a hijackthis log.
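The fix above relies on reading the "Keys Under Notify" export and deleting one subkey with the `[-KEY]` syntax. As an added example (my code, not a tool used in this thread), the script below parses that REGEDIT4 export, decodes the `hex(2)` DllName values, flags the entry whose DllName is an absolute path (a heuristic I am assuming here, not a rule stated in the thread) and emits the same kind of fix.reg. The sample export is an excerpt constructed from the log as posted.

```python
import re

# Constructed sample: three subkeys from the "Keys Under Notify" section of
# the find.bat output as posted in the thread (REGEDIT4 format, trimmed).
SAMPLE_EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gpn8l35u1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
'''

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


def decode_reg_value(value):
    """Decode one REGEDIT4 value: quoted REG_SZ, dword:, or hex(2): byte lists."""
    if value.startswith('"') and value.endswith('"'):
        # .reg files escape backslash and double quote with a backslash
        return value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if value.startswith("dword:"):
        return int(value[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", value)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) == "2":
            # REG_EXPAND_SZ exported by REGEDIT4 is ANSI, NUL-terminated
            return data.split(b"\x00", 1)[0].decode("latin-1")
        return data
    return value


def parse_reg_export(text):
    """Return {key_path: {value_name: decoded_value}} for a REGEDIT4 export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        keys[current][name] = decode_reg_value(value)
    return keys


def notify_packages(keys):
    """Map each Winlogon Notify subkey to the DLL it loads (case-insensitive
    lookup, since the export mixes "DllName" and "DLLName")."""
    prefix = NOTIFY_ROOT.lower() + "\\"
    result = {}
    for path, values in keys.items():
        if path.lower().startswith(prefix):
            sub = path[len(prefix):]
            result[sub] = next((v for n, v in values.items()
                                if n.lower() == "dllname"), None)
    return result


def suspicious_notify(packages):
    """Heuristic assumed by this example: the stock packages in the log
    register a bare DLL name, so a DllName carrying a drive letter or path
    separator is the one to look at first."""
    return sorted(sub for sub, dll in packages.items()
                  if dll and ("\\" in dll or ":" in dll))


def build_fix_reg(subkeys):
    """Emit a REGEDIT4 file deleting the given Notify subkeys with the same
    [-KEY] syntax as the fix.reg posted in the thread."""
    lines = ["REGEDIT4", ""]
    for sub in subkeys:
        lines.append("[-" + NOTIFY_ROOT + "\\" + sub + "]")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    packages = notify_packages(parse_reg_export(SAMPLE_EXPORT))
    for sub, dll in packages.items():
        print(f"{sub:15} -> {dll}")
    print(build_fix_reg(suspicious_notify(packages)))
```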
hockey05
23 Dec 2004, 7:19pm
ok it added it, can I delete that file now off of my desktop?
and no, my recycle bin is not working properly
find.bat log:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Documents and Settings\Nick\Desktop\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is DC2F-09E2
Directory of C:\WINDOWS\System32
12/12/2004 01:17 AM 56,320 hfprx.dll
12/11/2004 08:59 PM 56,320 xroga.dll
12/10/2004 09:10 AM 56,320 hguap.dll
12/08/2004 08:20 AM 11,307 ieuw32.exe
12/04/2004 01:36 AM 56,320 cdphs.dll
12/03/2004 11:53 AM 56,320 etgqv.dll
12/02/2004 05:56 AM 99,698 mskb.dll
12/01/2004 03:56 PM 56,320 katrz.dll
11/26/2004 10:51 PM <DIR> DLLCACHE
11/19/2004 07:41 AM 10,956 atlwt32.exe
11/19/2004 07:17 AM 10,894 addva.exe
11/15/2004 02:12 PM 11,613 apiyn32.exe
11/14/2004 09:12 PM 10,994 sdkha32.exe
11/12/2004 01:08 PM 10,935 winpo.exe
11/12/2004 03:31 AM 11,190 iedr.exe
11/12/2004 03:25 AM 11,371 msmb.exe
11/10/2004 09:58 AM 56,320 kghfk.dll
11/07/2004 08:41 AM 11,443 javamx32.exe
11/06/2004 10:56 AM 3,362 tagkl.txt
11/05/2004 10:08 AM 11,489 crtp32.exe
11/05/2004 04:50 AM 97,228 apivx32.dll
11/01/2004 07:59 PM 11,609 msfb32.exe
10/25/2004 03:24 PM 3,362 rwnhj.log
10/22/2004 07:04 AM 10,652 mseu.exe
10/16/2004 04:27 PM 3,362 diprn.txt
10/08/2004 06:59 PM 512 Oval73H.j9r
10/03/2004 08:04 PM 1,104 VchsZQoq.fye
09/06/2004 06:06 PM 512 Boi5X.8v1
09/06/2004 06:06 PM 1,104 Cjo9g.x89
09/04/2004 06:05 PM 1,104 TafqX5mo.dwc
08/25/2004 05:21 PM 1,104 Tmou.akh
08/12/2004 04:02 PM 1,104 Dwy13U.6sz
08/07/2004 12:11 PM 253,962 Tovr.exe
08/07/2004 12:11 PM 253,962 Exl331lH.exe
08/07/2004 12:11 PM 253,962 Nlxxb.exe
08/07/2004 12:11 PM 253,962 Weozlc.exe
08/07/2004 12:11 PM 253,962 TczOOJ3.exe
08/07/2004 12:11 PM 253,962 YfePY0.exe
08/07/2004 12:11 PM 499,722 QmtPCB55.exe
08/07/2004 12:11 PM 499,722 LsxI52.exe
07/18/2004 07:28 PM 1,104 MtyJ62F.g8o
07/14/2004 07:27 PM 1,104 BnyLS.46s
07/02/2004 10:45 AM 1,104 IpvFme.017
06/27/2004 03:37 PM 1,104 FmsCj.b90
06/04/2004 10:08 AM 1,188 Szep85ln.cua
06/02/2004 05:12 PM 1,188 CizmkYXS.9v1
05/25/2004 08:28 PM 1,020 Anh4V.7ub
05/25/2004 08:20 PM 1,020 Bin9f.w78
05/23/2004 07:20 PM 1,188 Dkp0h.y89
03/26/2004 09:26 PM 1,104 Bin9f.w88
03/11/2004 09:40 PM 1,020 Elr0i.a99
03/11/2004 09:40 PM 1,020 MtyJ62F.h8o
03/09/2004 09:40 PM 1,020 Pywf2.5f4
03/08/2004 09:39 PM 1,020 Zsu0g.65o
03/06/2004 04:32 PM 1,020 LsxI5g.e28
02/21/2004 03:19 PM 1,180 Bin9.fw7
02/13/2004 04:25 PM 1,104 Pwbm74i.k9s
02/07/2004 04:24 PM 1,104 VcisZRoq.fye
02/03/2004 04:14 PM 1,104 Fmr0i.a99
02/01/2004 04:14 PM 1,104 MtyJ62F.h8p
02/01/2004 04:14 PM 1,104 FmrCj.a90
01/31/2004 04:14 PM 1,020 IpuFmd.017
01/31/2004 04:14 PM 1,020 Cjo9f.x88
01/31/2004 04:14 PM 1,104 Qxcn74j.lat
01/31/2004 04:14 PM 1,104 LsxI52.eg8
01/25/2004 02:59 PM 1,104 Atv0h.65p
01/19/2004 05:54 PM 1,020 Gmdq.5cb
01/19/2004 05:54 PM 1,020 Ekbo.4az
01/19/2004 05:51 PM 1,020 Sxp0A5.53p
01/18/2004 09:41 PM 1,020 Cjo9g.y89
01/18/2004 09:41 PM 1,104 UzqDC55.3qm
01/17/2004 12:29 AM 1,104 Nsj8V.3i1
01/08/2004 06:07 PM 1,104 VchsZRoq.fye
01/07/2004 06:06 PM 1,104 KrwH5f.d27
01/06/2004 06:06 PM 1,104 AlwJR.j5r
01/04/2004 06:06 PM 1,104 WditZRpq.fye
01/03/2004 06:06 PM 1,020 Qxcn74j.las
01/03/2004 06:06 PM 1,104 Cjp9g.y89
12/31/2003 06:05 PM 1,104 UbgrYPnp.ewd
12/29/2003 06:05 PM 1,104 AlwKR.j5r
12/27/2003 03:39 PM 1,104 Rydo84km.bua
12/24/2003 03:37 PM 1,104 Zgl8.du7
12/22/2003 03:37 PM 1,104 Qwcm74j.k9s
12/21/2003 03:37 PM 1,104 NuzK63G.i8p
12/20/2003 03:37 PM 1,104 GnsDk.b90
07/17/2003 12:29 AM <DIR> Microsoft
84 File(s) 3,314,297 bytes
2 Dir(s) 48,093,179,904 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is DC2F-09E2
Directory of C:\WINDOWS\System32
12/12/2004 01:17 AM 56,320 hfprx.dll
12/11/2004 08:59 PM 56,320 xroga.dll
12/10/2004 09:10 AM 56,320 hguap.dll
12/08/2004 08:20 AM 11,307 ieuw32.exe
12/04/2004 01:36 AM 56,320 cdphs.dll
12/03/2004 11:53 AM 56,320 etgqv.dll
12/02/2004 05:56 AM 99,698 mskb.dll
12/01/2004 03:56 PM 56,320 katrz.dll
11/26/2004 10:51 PM <DIR> DLLCACHE
11/19/2004 07:41 AM 10,956 atlwt32.exe
11/19/2004 07:17 AM 10,894 addva.exe
11/15/2004 02:12 PM 11,613 apiyn32.exe
11/14/2004 09:12 PM 10,994 sdkha32.exe
11/12/2004 01:08 PM 10,935 winpo.exe
11/12/2004 03:31 AM 11,190 iedr.exe
11/12/2004 03:25 AM 11,371 msmb.exe
11/10/2004 09:58 AM 56,320 kghfk.dll
11/07/2004 08:41 AM 11,443 javamx32.exe
11/06/2004 10:56 AM 3,362 tagkl.txt
11/05/2004 10:08 AM 11,489 crtp32.exe
11/05/2004 04:50 AM 97,228 apivx32.dll
11/01/2004 07:59 PM 11,609 msfb32.exe
10/25/2004 03:24 PM 3,362 rwnhj.log
10/22/2004 07:04 AM 10,652 mseu.exe
10/16/2004 04:27 PM 3,362 diprn.txt
10/08/2004 06:59 PM 512 Oval73H.j9r
10/03/2004 09:48 PM 488 logonui.exe.manifest
10/03/2004 09:48 PM 488 WindowsLogon.manifest
10/03/2004 09:48 PM 749 cdplayer.exe.manifest
10/03/2004 09:48 PM 749 sapi.cpl.manifest
10/03/2004 09:48 PM 749 wuaucpl.cpl.manifest
10/03/2004 09:48 PM 749 ncpa.cpl.manifest
10/03/2004 09:48 PM 749 nwc.cpl.manifest
10/03/2004 08:04 PM 1,104 VchsZQoq.fye
09/06/2004 06:06 PM 512 Boi5X.8v1
09/06/2004 06:06 PM 1,104 Cjo9g.x89
09/04/2004 06:05 PM 1,104 TafqX5mo.dwc
08/25/2004 05:21 PM 1,104 Tmou.akh
08/12/2004 04:02 PM 1,104 Dwy13U.6sz
08/07/2004 12:11 PM 253,962 Tovr.exe
08/07/2004 12:11 PM 253,962 Exl331lH.exe
08/07/2004 12:11 PM 253,962 Nlxxb.exe
08/07/2004 12:11 PM 253,962 Weozlc.exe
08/07/2004 12:11 PM 253,962 TczOOJ3.exe
08/07/2004 12:11 PM 253,962 YfePY0.exe
08/07/2004 12:11 PM 499,722 QmtPCB55.exe
08/07/2004 12:11 PM 499,722 LsxI52.exe
07/18/2004 07:28 PM 1,104 MtyJ62F.g8o
07/14/2004 07:27 PM 1,104 BnyLS.46s
07/02/2004 10:45 AM 1,104 IpvFme.017
06/27/2004 03:37 PM 1,104 FmsCj.b90
06/04/2004 10:08 AM 1,188 Szep85ln.cua
06/02/2004 05:12 PM 1,188 CizmkYXS.9v1
05/25/2004 08:28 PM 1,020 Anh4V.7ub
05/25/2004 08:20 PM 1,020 Bin9f.w78
05/23/2004 07:20 PM 1,188 Dkp0h.y89
03/26/2004 09:26 PM 1,104 Bin9f.w88
03/11/2004 09:40 PM 1,020 Elr0i.a99
03/11/2004 09:40 PM 1,020 MtyJ62F.h8o
03/09/2004 09:40 PM 1,020 Pywf2.5f4
03/08/2004 09:39 PM 1,020 Zsu0g.65o
03/06/2004 04:32 PM 1,020 LsxI5g.e28
02/21/2004 03:19 PM 1,180 Bin9.fw7
02/13/2004 04:25 PM 1,104 Pwbm74i.k9s
02/07/2004 04:24 PM 1,104 VcisZRoq.fye
02/03/2004 04:14 PM 1,104 Fmr0i.a99
02/01/2004 04:14 PM 1,104 FmrCj.a90
02/01/2004 04:14 PM 1,104 MtyJ62F.h8p
01/31/2004 04:14 PM 1,020 IpuFmd.017
01/31/2004 04:14 PM 1,020 Cjo9f.x88
01/31/2004 04:14 PM 1,104 Qxcn74j.lat
01/31/2004 04:14 PM 1,104 LsxI52.eg8
01/31/2004 02:02 AM 4,212 zllictbl.dat
01/25/2004 02:59 PM 1,104 Atv0h.65p
01/19/2004 05:54 PM 1,020 Gmdq.5cb
01/19/2004 05:54 PM 1,020 Ekbo.4az
01/19/2004 05:51 PM 1,020 Sxp0A5.53p
01/18/2004 09:41 PM 1,020 Cjo9g.y89
01/18/2004 09:41 PM 1,104 UzqDC55.3qm
01/17/2004 12:29 AM 1,104 Nsj8V.3i1
01/08/2004 06:07 PM 1,104 VchsZRoq.fye
01/07/2004 06:06 PM 1,104 KrwH5f.d27
01/06/2004 06:06 PM 1,104 AlwJR.j5r
01/04/2004 06:06 PM 1,104 WditZRpq.fye
01/03/2004 06:06 PM 1,020 Qxcn74j.las
01/03/2004 06:06 PM 1,104 Cjp9g.y89
12/31/2003 06:05 PM 1,104 UbgrYPnp.ewd
12/29/2003 06:05 PM 1,104 AlwKR.j5r
12/27/2003 03:39 PM 1,104 Rydo84km.bua
12/24/2003 03:37 PM 1,104 Zgl8.du7
12/22/2003 03:37 PM 1,104 Qwcm74j.k9s
12/21/2003 03:37 PM 1,104 NuzK63G.i8p
12/20/2003 03:37 PM 1,104 GnsDk.b90
92 File(s) 3,323,230 bytes
1 Dir(s) 48,093,171,712 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is DC2F-09E2
Directory of C:\WINDOWS\System32
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is DC2F-09E2
Directory of C:\WINDOWS\System32
09/22/2004 06:46 PM 5,550,080 setb6.tmp
07/04/2004 10:30 PM 1,032 tmpmpt1.tmp
08/29/2002 04:00 AM 2,577 CONFIG.TMP
3 File(s) 5,553,689 bytes
0 Dir(s) 48,093,167,616 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{1BC08A78-0F96-40A0-90C5-BC0D8801CE4F}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------------ Locate.com Results ------------------
------------ Strings.exe Qoologic Results ------------
-------------- Strings.exe Aspack Results -------------
----------------- HKLM Run Key ------------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"Logitech Utility"="Logi_MwX.Exe"
"IE Menu Extension toolbar"="rundll32.exe \"C:\\PROGRA~1\\IEMENU~1\\tbextn.dll\" DllShowTB"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
HJT log:
Logfile of HijackThis v1.99.0
Scan saved at 4:16:50 PM, on 12/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Nick\LOCALS~1\Temp\Rar$EX00.360\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {1D6788D7-D1C8-4896-A508-D1E5E79610A6} - C:\WINDOWS\System32\jkn.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: strings.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {49DEC3C0-C71A-11D4-BA38-000102621B9B} - http://www.cursorskins.com/lib/cursorskins1/MouseMagicCS.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
O18 - Filter: text/html - {515E5652-4788-4CB1-9F1F-7DF36AED2895} - C:\WINDOWS\System32\jkn.dll
O18 - Filter: text/plain - {515E5652-4788-4CB1-9F1F-7DF36AED2895} - C:\WINDOWS\System32\jkn.dll
O23 - Service: Autodesk Licensing Service - Unknown - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Buckeye_Sam
24 Dec 2004, 12:59am
The reg file did its job, so yes, you can delete it now. It looks like the VX2 is gone from your log. We've got a few more things to clean up and then you should be fine.
Download VX2Finder from here.
http://www.downloads.subratam.org/VX2Finder.exe
Double-click on VX2Finder.exe.
Click "Restore Policy".
In the File menu click "Exit".
Now double-click on KillBox.exe.
In the File menu click "Delete all Dummy files".
In the Tools menu click "Delete Temp Files".
Choose "Standard File Kill" if not already selected.
Paste these files one by one into the top "Full Path of File to Delete" box.
C:\RECYCLER\desktop.ini
C:\WINDOWS\System32\drivers\etc\HOSTS
Click the "Delete File" button which looks like a stop sign.
Click "Yes" at the Confirm Delete prompt.
It should give you a successful "File was deleted" prompt for each one.
Now let's use Hijackthis to get rid of some more junk.
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {1D6788D7-D1C8-4896-A508-D1E5E79610A6} - C:\WINDOWS\System32\jkn.dll
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - Global Startup: strings.exe
O18 - Filter: text/html - {515E5652-4788-4CB1-9F1F-7DF36AED2895} - C:\WINDOWS\System32\jkn.dll
O18 - Filter: text/plain - {515E5652-4788-4CB1-9F1F-7DF36AED2895} - C:\WINDOWS\System32\jkn.dll
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
Boot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. To get back to normal mode just restart the computer as you normally would.
Show hidden files
http://www.short-media.com/forum/showpost.php?p=172588&postcount=3
Please delete these files using Windows Explorer(if present):
C:\WINDOWS\System32\jkn.dll
C:\WINDOWS\System32\angelex.exe
strings.exe
Please delete this folder using Windows Explorer(if present):
C:\PROGRAM FILES\IEMENU~1
Reboot back into normal mode.
Please get an online virus scan.
http://housecall.trendmicro.com/
or
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
That should take care of all but one last problem. Please post a new hijackthis log so we can see what's left to deal with.
hockey05
27 Dec 2004, 8:35am
C:\WINDOWS\System32\angelex.exe
couldn't find this file
I ran the pandasoftware.com virus scan until it was a lil more than half way done and it's taking forever. I don't have time right now. So far it found 28 infected files. What do you want me to do when it finishes?
thanks for your help so far
Buckeye_Sam
28 Dec 2004, 2:47am
If it took that long you probably have a lot of files in your system restore. So let's flush them out since they're probably infected anyways.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
I don't see an antivirus program in your log. AVG is a very good antivirus program and it's free for personal use. Please download, install, update, and run a full system scan.
http://free.grisoft.com/softw/70free/setup/avg70free_298a417.exe
It should go much faster than the online scan. Once it's done please post a new hijackthis log so we can make sure you're clean.
hockey05
28 Dec 2004, 7:14am
alright what the f*ck
I downloaded that program, I ran it, and in the middle of it a window popped up and said it found a virus and it had a couple options, so I clicked delete now and then that program closed. My internet stopped working, I flipped the power switch and it still doesn't work. I'm on my dad's computer right now.
now my internet doesn't work at all on that computer
alright, I did a system restore on it, still doesn't work, but whenever I open an internet app (aim, IE, firefox) a window from that AVG program pops up and says "detected virus", here is the file: "C:\windows\system32\sqlfhig.dll"
trojan horse back door agent.b/t or something. wtf do I do, please help
Buckeye_Sam
28 Dec 2004, 6:17pm
Download LSPFix from http://www.cexx.org/LSPFix.exe and run it. It's small enough to save to a disk and move to the computer without Internet access.
Check the I know what I'm doing box.
In the Keep box you should see one or more instances of this file.
calsp.dll
Select every instance of this file, but no others, and move each one to the Remove box by clicking the >> button.
When you are done click Finish>>.
Reboot and see if that restores your internet access.
hockey05
29 Dec 2004, 6:08pm
ok that fixed it, thanks
can you give me a run down on how to run AVG? I'll post a new HJT log now
Logfile of HijackThis v1.99.0
Scan saved at 11:53:31 AM, on 12/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Nick\LOCALS~1\Temp\Rar$EX00.485\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Nick\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Nick\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {2E962545-2ED1-4361-93C0-1E017E9353DB} - C:\WINDOWS\System32\adkhpkb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: strings.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {49DEC3C0-C71A-11D4-BA38-000102621B9B} - http://www.cursorskins.com/lib/cursorskins1/MouseMagicCS.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
O18 - Filter: text/html - {A2D0871D-C6EC-4087-A5A4-76AE7D8F1983} - C:\WINDOWS\System32\adkhpkb.dll
O18 - Filter: text/plain - {A2D0871D-C6EC-4087-A5A4-76AE7D8F1983} - C:\WINDOWS\System32\adkhpkb.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\sqlfhig.dll
O23 - Service: Autodesk Licensing Service - Unknown - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Buckeye_Sam
30 Dec 2004, 2:13am
Before you run AVG, please download and install CWShredder. Don't run it yet.
http://cwshredder.net/bin/CWSInstall.exe
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Nick\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Nick\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {2E962545-2ED1-4361-93C0-1E017E9353DB} - C:\WINDOWS\System32\adkhpkb.dll
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - Global Startup: strings.exe
O18 - Filter: text/html - {A2D0871D-C6EC-4087-A5A4-76AE7D8F1983} - C:\WINDOWS\System32\adkhpkb.dll
O18 - Filter: text/plain - {A2D0871D-C6EC-4087-A5A4-76AE7D8F1983} - C:\WINDOWS\System32\adkhpkb.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\sqlfhig.dll
Boot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. To get back to normal mode just restart the computer as you normally would.
Show hidden files
http://www.short-media.com/forum/showpost.php?p=172588&postcount=3
Please delete these files using Windows Explorer (if present):
C:\WINDOWS\System32\adkhpkb.dll
C:\PROGRA~1\IEMENU~1 <-- this folder
strings.exe
C:\WINDOWS\System32\sqlfhig.dll
Now run CWShredder. Close all windows and click "Fix".
Now let's run AVG while in Safe Mode.
Double click on the desktop icon.
Click on Updates to check for and install any updates.
Click on Scan My Computer to scan.
Reboot back to normal mode and post a new hijackthis log.
hockey05
1 Jan 2005, 9:54pm
I couldn't delete these files:
C:\PROGRA~1\IEMENU~1 <-- this folder
strings.exe
C:\WINDOWS\System32\sqlfhig.dll
and AVG deleted 210 files.
New HJT log:
Logfile of HijackThis v1.99.0
Scan saved at 2:38:41 PM, on 1/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Nick\Application Data\osbr.exe
C:\WINDOWS\System32\w?nspool.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\DOCUME~1\Nick\LOCALS~1\Temp\Rar$EX00.485\HijackThis.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Traa] C:\Documents and Settings\Nick\Application Data\osbr.exe
O4 - HKCU\..\Run: [Fgcywaqy] C:\WINDOWS\System32\w?nspool.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {49DEC3C0-C71A-11D4-BA38-000102621B9B} - http://www.cursorskins.com/lib/cursorskins1/MouseMagicCS.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
O23 - Service: Autodesk Licensing Service - Unknown - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Buckeye_Sam
1 Jan 2005, 11:15pm
I couldn't delete these files
C:\PROGRA~1\IEMENU~1 <-- this folder
strings.exe
C:\WINDOWS\System32\sqlfhig.dll
Were you still in Safe Mode when you tried to delete them? What error message did you get?
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
O4 - HKCU\..\Run: [Traa] C:\Documents and Settings\Nick\Application Data\osbr.exe
O4 - HKCU\..\Run: [Fgcywaqy] C:\WINDOWS\System32\w?nspool.exe
Boot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. To get back to normal mode just restart the computer as you normally would.
Show hidden files
http://www.short-media.com/forum/showpost.php?p=172588&postcount=3
Please delete these files using Windows Explorer (if present):
C:\Documents and Settings\Nick\Application Data\osbr.exe
C:\WINDOWS\System32\w?nspool.exe
C:\PROGRA~1\IEMENU~1 <-- this folder
strings.exe
C:\WINDOWS\System32\sqlfhig.dll
If you get an error when trying to delete these files try this:
Right click on the files and select Properties
Uncheck the box marked Read-only
Now rename the file and delete it.
Run a full scan with AVG.
Reboot back to normal mode and post a new hijackthis log.
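As an added example (not code from this thread), the triage a helper does by eye on these logs, written as a small Python script over a constructed sample of the entries quoted above. The heuristics and reason strings are my own, chosen to match what Buckeye_Sam picked out: the about:blank hijacks, the res:// search bar served from sp.dll in Temp, the unnamed BHO, the Run entries in Application Data and with the unprintable ? character, the text/html filter and the AppInit_DLLs injection.

```python
import re

# Constructed sample: HijackThis entries of the kinds quoted in this thread,
# plus two benign AVG entries so the triage has something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Nick\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {2E962545-2ED1-4361-93C0-1E017E9353DB} - C:\WINDOWS\System32\adkhpkb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Traa] C:\Documents and Settings\Nick\Application Data\osbr.exe
O4 - HKCU\..\Run: [Fgcywaqy] C:\WINDOWS\System32\w?nspool.exe
O4 - Global Startup: strings.exe
O18 - Filter: text/html - {A2D0871D-C6EC-4087-A5A4-76AE7D8F1983} - C:\WINDOWS\System32\adkhpkb.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\sqlfhig.dll
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# HijackThis lines start with a section tag (R0, R1, O2, O4, ...) then " - "
ENTRY = re.compile(r"^(R[01]|O\d+) - (.*)$")


def triage_line(line):
    """Return the reasons one HijackThis line deserves a look ([] means nothing noted)."""
    m = ENTRY.match(line.strip())
    if not m:
        return []
    kind, body = m.groups()
    low = body.lower()
    reasons = []
    if kind in ("R0", "R1"):
        if low.endswith("= about:blank"):
            reasons.append("search/start setting forced to about:blank (CWS-style hijack)")
        if "res://" in low and "\\temp\\" in low:
            reasons.append("search bar served by a DLL sitting in a Temp folder")
    elif kind == "O2" and "(no name)" in low:
        reasons.append("Browser Helper Object with no name")
    elif kind == "O4":
        # the launched command follows "[name] " for Run keys, ": " for Global Startup
        target = body.split("] ", 1)[1] if "] " in body else body.split(": ", 1)[1]
        if "\\application data\\" in target.lower():
            reasons.append("autostart launching an executable from Application Data")
        if "?" in target:
            reasons.append("filename contains a character HijackThis cannot print (shown as ?)")
        if low.startswith("global startup:") and "\\" not in target:
            reasons.append("bare executable name in the Global Startup folder")
    elif kind == "O18" and ("text/html" in low or "text/plain" in low):
        reasons.append("MIME filter hooking HTML/plain text (rare in legitimate software)")
    elif kind == "O20" and low.startswith("appinit_dlls:") and low.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs set: this DLL is loaded into every process that uses user32.dll")
    return reasons


def triage_log(text):
    """Return [(line, reasons), ...] for every log line that raised at least one reason."""
    hits = []
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            hits.append((line.strip(), reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against a full saved log, the output is the checklist to compare against the helper's "Fix Checked" list; anything it flags that the helper did not mention is worth a second look rather than an automatic fix.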
hockey05
13 Jan 2005, 2:30am
Hey, thanks so much for your help.
New HJT log:
Logfile of HijackThis v1.99.0
Scan saved at 7:15:08 PM, on 1/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\w?nspool.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Documents and Settings\Nick\Application Data\osbr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Games\Halo Custom Edition\haloce.exe
C:\DOCUME~1\Nick\LOCALS~1\Temp\~f1d055.tmp
C:\Documents and Settings\Nick\Desktop\HijackThis.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Fgcywaqy] C:\WINDOWS\System32\w?nspool.exe
O4 - HKCU\..\Run: [Traa] C:\Documents and Settings\Nick\Application Data\osbr.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {49DEC3C0-C71A-11D4-BA38-000102621B9B} - http://www.cursorskins.com/lib/cursorskins1/MouseMagicCS.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
O23 - Service: Autodesk Licensing Service - Unknown - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Buckeye_Sam
13 Jan 2005, 2:34am
Launch Notepad, and copy/paste the box below into a new text file. Save it as FindFile.bat and save it on your Desktop.
rem /a lists the matching file whatever its attributes (hidden and system included); the ? matches the one character HijackThis could not print
dir C:\WINDOWS\system32\w?nspool.exe /a > files.txt
notepad files.txt
Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.
vBulletin® v3.8.1, Copyright ©2000-2009, Jelsoft Enterprises Ltd.