need help with removing home search assistant

OK, I've gotten rid of this before and the damn thing just came back.
I've been trying to get rid of it but I don't know which entries to delete in HijackThis.

New log below.

Please help me.
Thank you.

Comments

  • SpywareShooter 127.0.0.1
    edited December 2004
    Please upgrade to HijackThis version 1.99.0 and post a new log.
  • edited December 2004
    Sorry, I didn't know there was a new one.

    Logfile of HijackThis v1.99.0
    Scan saved at 4:53:19 PM, on 12/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Windows TaskAd\WinTaskAd.exe
    C:\Program Files\SED\SED.exe
    C:\WINDOWS\apizw32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Windows TaskAd\WinSched.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\msmb.exe
    C:\WINDOWS\System32\MgzxCD.exe
    C:\WINDOWS\System32\Ere6A.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\3dsmax7\3dsmax.exe
    C:\DOCUME~1\Nick\LOCALS~1\Temp\AdskCleanup.0001
    C:\DOCUME~1\Nick\LOCALS~1\Temp\AdskCleanup.0001
    C:\Program Files\AIM\aim.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Nick\LOCALS~1\Temp\Rar$EX00.453\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
    O2 - BHO: (no name) - {C68539AC-6CD1-A082-BEB2-8A3A1C72F103} - C:\WINDOWS\system32\mskb.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [4ZPCLRM5WSBQX6] C:\WINDOWS\System32\Jvy1Wb1a.exe
    O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
    O4 - HKLM\..\Run: [apizw32.exe] C:\WINDOWS\apizw32.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvghj32.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.125.149 (HKLM)
    O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://www.accessoveloce.com/nd/nd01329.exe
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/Bridge-c139.cab
    O16 - DPF: {49DEC3C0-C71A-11D4-BA38-000102621B9B} - http://www.cursorskins.com/lib/cursorskins1/MouseMagicCS.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
    O23 - Service: Autodesk Licensing Service - Unknown - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
    O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\msmb.exe
  • SpywareShooter 127.0.0.1
    edited December 2004
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
    O2 - BHO: (no name) - {C68539AC-6CD1-A082-BEB2-8A3A1C72F103} - C:\WINDOWS\system32\mskb.dll
    O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
    O4 - HKLM\..\Run: [apizw32.exe] C:\WINDOWS\apizw32.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvghj32.exe
    O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://www.accessoveloce.com/nd/nd01329.exe
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C...Bridge-c139.cab
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
    O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
    O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\msmb.exe

    Fix those entries then find and delete the files listed above, reboot and post a new log.
  • edited December 2004
    OK, thanks for your help so far.

    Logfile of HijackThis v1.99.0
    Scan saved at 10:11:16 PM, on 12/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\msmb.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Windows TaskAd\WinTaskAd.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\WINDOWS\apizw32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Windows TaskAd\WinSched.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\System32\MgzxCD.exe
    C:\WINDOWS\System32\Mml180.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Nick\LOCALS~1\Temp\Rar$EX00.953\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {714795AE-B851-C38C-644A-A0910EFC29CE} - C:\WINDOWS\system32\apirf32.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [4ZPCLRM5WSBQX6] C:\WINDOWS\System32\HotEkc.exe
    O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvghj32.exe
    O4 - HKLM\..\Run: [apizw32.exe] C:\WINDOWS\apizw32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.125.149 (HKLM)
    O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {49DEC3C0-C71A-11D4-BA38-000102621B9B} - http://www.cursorskins.com/lib/cursorskins1/MouseMagicCS.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
    O23 - Service: Autodesk Licensing Service - Unknown - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
    O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\msmb.exe
  • SpywareShooter 127.0.0.1
    edited December 2004
    O2 - BHO: (no name) - {714795AE-B851-C38C-644A-A0910EFC29CE} - C:\WINDOWS\system32\apirf32.dll
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvghj32.exe
    O4 - HKLM\..\Run: [apizw32.exe] C:\WINDOWS\apizw32.exe
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.125.149 (HKLM)
    O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
    O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\msmb.exe

    Fix those entries then find and delete the following files:
    C:\WINDOWS\system32\apirf32.dll
    C:\windows\system32\kalvghj32.exe
    C:\WINDOWS\apizw32.exe
    C:\WINDOWS\system32\msmb.exe

    Then pull the plug and post a new log.
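    As an added example (not code from this thread, from SpywareShooter or from HijackThis), a small Python triage script that encodes the patterns SpywareShooter picks out of these logs in the two replies above: an IE search setting pointing at a res:// resource inside a DLL under the Windows directory, an extra executable chained onto UserInit, hosts-file entries pinning search hostnames to a remote IP, a Trusted IP range, an O16 download that is a raw .exe/.ocx rather than a .cab, and the weaker signals of an unnamed BHO or a vendorless service in the Windows directory. The sample lines are constructed from the logs posted above; the rule set and the high/low labels are my assumptions, not HijackThis's own classification.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries copied from the HijackThis logs posted in this
# thread, plus a few benign ones so the rules have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\etgqv.dll/sp.html#31693
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: (no name) - {C68539AC-6CD1-A082-BEB2-8A3A1C72F103} - C:\WINDOWS\system32\mskb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://www.accessoveloce.com/nd/nd01329.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\msmb.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "R1", "O16"
    severity: str  # "high" or "low" (my labels, not HijackThis's)
    reason: str
    artifact: str  # file path, IP address or URL the entry points at


ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
RES_DLL_RE = re.compile(r"res://([^/]+\.dll)", re.IGNORECASE)
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")


def check_entry(section: str, body: str) -> Optional[Finding]:
    """Apply one rule per HijackThis section; return None for entries left alone."""
    # R0/R1: IE search settings. A res:// URL into a DLL under the Windows
    # directory is the hijack the helper had fixed three times in this thread.
    if section in ("R0", "R1"):
        m = RES_DLL_RE.search(body)
        if m and "\\windows\\" in m.group(1).lower():
            return Finding(section, "high", "IE search setting points at a local DLL resource", m.group(1))
        return None
    # F2: UserInit should name only userinit.exe; anything appended runs at every logon.
    if section == "F2" and "UserInit=" in body:
        exes = [p for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
        extras = [p for p in exes if not p.lower().endswith("\\userinit.exe")]
        if extras:
            return Finding(section, "high", "extra executable chained onto UserInit", extras[0])
        return None
    # O1: search-engine hostnames pinned to a remote IP in the hosts file.
    if section == "O1":
        m = HOSTS_RE.match(body)
        if m and m.group(1) not in ("127.0.0.1", "::1") and "search" in m.group(2).lower():
            return Finding(section, "high", "hosts file redirects a search hostname", m.group(1))
        return None
    # O2: a BHO with no name is weak evidence on its own, so only "low".
    if section == "O2" and body.startswith("BHO: (no name)"):
        return Finding(section, "low", "unnamed BHO", body.rsplit(" - ", 1)[-1])
    # O15: any Trusted IP range entry widens IE's Trusted Zone for a raw IP.
    if section == "O15" and body.startswith("Trusted IP range:"):
        return Finding(section, "high", "Trusted IP range added", body.split(":", 1)[1].split()[0])
    # O16: Downloaded Program Files are normally .cab packages; a bare
    # .exe/.ocx fetched through ActiveX is the drive-by pattern in this log.
    if section == "O16":
        url = body.rsplit(" - ", 1)[-1]
        if url.lower().endswith((".exe", ".ocx")):
            return Finding(section, "high", "ActiveX download of a raw executable", url)
        return None
    # O23: a service with no vendor string whose binary sits in the Windows directory.
    if section == "O23":
        parts = body.split(" - ")
        if len(parts) >= 3 and parts[-2] == "Unknown" and parts[-1].lower().startswith("c:\\windows\\"):
            return Finding(section, "low", "vendorless service in Windows directory", parts[-1])
        return None
    return None


def analyze(log_text: str) -> List[Finding]:
    """Parse every 'Rn/Fn/On - ...' line of a HijackThis log and collect findings."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, 'Running processes', blanks
        f = check_entry(m.group(1), m.group(2))
        if f:
            findings.append(f)
    return findings


def files_to_remove(findings: List[Finding]) -> List[str]:
    """Unique local file paths named by the findings: the 'find and delete the
    following files' list a helper hands back once the entries are fixed."""
    paths: List[str] = []
    for f in findings:
        if f.artifact.startswith("C:\\") and f.artifact.lower().endswith((".dll", ".exe")) \
                and f.artifact not in paths:
            paths.append(f.artifact)
    return paths


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:<4} {f.severity:<4} {f.reason}: {f.artifact}")
    print("files to delete after fixing the entries:", *files_to_remove(found), sep="\n  ")
```

    Run on a full log the script also skips the process list and the benign R1/O4/O16 entries, which is the point: the O4 random-name executables (kalvghj32.exe, apizw32.exe) still need a human eye, since nothing in their entry alone separates them from a legitimate autostart.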
  • edited December 2004
    New log:

    Logfile of HijackThis v1.99.0
    Scan saved at 9:34:10 AM, on 12/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Windows TaskAd\WinTaskAd.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Windows TaskAd\WinSched.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\Mxgo.exe
    C:\WINDOWS\System32\Ere6A.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\DOCUME~1\Nick\LOCALS~1\Temp\Rar$EX00.968\HijackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [4ZPCLRM5WSBQX6] C:\WINDOWS\System32\Bsbj0i6.exe
    O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvghj32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
    O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {49DEC3C0-C71A-11D4-BA38-000102621B9B} - http://www.cursorskins.com/lib/cursorskins1/MouseMagicCS.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
    O23 - Service: Autodesk Licensing Service - Unknown - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • SpywareShooter 127.0.0.1
    edited December 2004
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xroga.dll/sp.html#31693

    Fix those entries, then find and delete xroga.dll, pull the plug and post a new log.
  • edited December 2004
    Logfile of HijackThis v1.99.0
    Scan saved at 7:59:40 PM, on 12/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Windows TaskAd\WinTaskAd.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Windows TaskAd\WinSched.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\System32\Dsu6.exe
    C:\WINDOWS\System32\MgzxCD.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\DOCUME~1\Nick\LOCALS~1\Temp\Rar$EX00.407\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [4ZPCLRM5WSBQX6] C:\WINDOWS\System32\Bsbj0i6.exe
    O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvghj32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
    O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {49DEC3C0-C71A-11D4-BA38-000102621B9B} - http://www.cursorskins.com/lib/cursorskins1/MouseMagicCS.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
    O23 - Service: Autodesk Licensing Service - Unknown - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
• Buckeye_Sam Columbus, Ohio
    edited December 2004
    You've still got several issues here. Let's take them one at a time.


    Download Newuninst.exe
    http://downloads.subratam.org/Newuninst.exe

Double click on 'Newuninst.exe' and press *Uninstall*. Let it run and when the progress bar says *complete* you can then press *close*. You must be online to have this work, and do not block any attempts for the program to connect to the internet if your firewall requests access. It will just run and then close.

    Reboot and post a new hijackthis log.
  • edited December 2004
OK, I downloaded that program and ran it, then rebooted.
New log:

    Logfile of HijackThis v1.99.0
    Scan saved at 9:42:43 AM, on 12/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Windows TaskAd\WinTaskAd.exe
    C:\Program Files\Windows TaskAd\WinSched.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\BullsEye Network\bin\bargains.exe
    C:\WINDOWS\System32\exdl1.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\DOCUME~1\Nick\LOCALS~1\Temp\Rar$EX00.234\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvghj32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O10 - Broken Internet access because of LSP provider 'xfire_lsp_10650.dll' missing
    O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {49DEC3C0-C71A-11D4-BA38-000102621B9B} - http://www.cursorskins.com/lib/cursorskins1/MouseMagicCS.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
    O23 - Service: Autodesk Licensing Service - Unknown - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
• Buckeye_Sam Columbus, Ohio
    edited December 2004
    Good job! The Peper trojan is gone.

    Next step...


    Download LSPFix from http://www.cexx.org/LSPFix.exe and run it.

    Check the I know what I'm doing box.

    In the Keep box you should see one or more instances of the following files.

    xfire_lsp_10650.dll

    Select every instance of this file, but no others, and move each one to the Remove box by clicking the >> button.

    When you are done click Finish>>.



    Please post a new hijackthis log.
  • edited December 2004
xfire_lsp_10650.dll: that file is in the Remove box.
mswsock.dll, winrnr.dll, rsvpsp.dll is all that's in the "Keep" box.

So I'm sorta confused.
• Buckeye_Sam Columbus, Ohio
    edited December 2004
    That's perfect. Just click Finish.
  • edited December 2004
I didn't reboot.

    Logfile of HijackThis v1.99.0
    Scan saved at 1:16:21 PM, on 12/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Windows TaskAd\WinTaskAd.exe
    C:\Program Files\Windows TaskAd\WinSched.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\NaviSearch\bin\nls.exe
    C:\Program Files\BullsEye Network\bin\bargains.exe
    C:\WINDOWS\rpfvvj.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\WINDOWS\jaxktmm.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\Internet Optimizer\actalert.exe
    C:\Program Files\Web_Rebates\WebRebates1.exe
    C:\Program Files\Web_Rebates\WebRebates0.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\DOCUME~1\Nick\LOCALS~1\Temp\Rar$EX00.641\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
    O2 - BHO: (no name) - {8821A22F-27B6-4389-AD61-5E8ADB84844B} - C:\WINDOWS\System32\ccpd.dll
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRA~1\ISTbar\istbar.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvghj32.exe
    O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\rpfvvj.exe] C:\WINDOWS\rpfvvj.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [i5MGtZ] C:\WINDOWS\jaxktmm.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
    O16 - DPF: {49DEC3C0-C71A-11D4-BA38-000102621B9B} - http://www.cursorskins.com/lib/cursorskins1/MouseMagicCS.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
    O18 - Filter: text/html - {58FF3115-41D6-4283-865F-FEBA7A8CDED5} - C:\WINDOWS\System32\ccpd.dll
    O18 - Filter: text/plain - {58FF3115-41D6-4283-865F-FEBA7A8CDED5} - C:\WINDOWS\System32\ccpd.dll
    O23 - Service: Autodesk Licensing Service - Unknown - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
  • edited December 2004
Oh yeah, I'm getting pop-ups like crazy.
• Buckeye_Sam Columbus, Ohio
    edited December 2004
    Download Ad-aware SE from: http://www.majorgeeks.com/download506.html

    Install the program and launch it.

    First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.




    Boot into Safe Mode
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. To get back to normal mode just restart the computer as you normally would.



    Show hidden files
    http://www.short-media.com/forum/showpost.php?p=172588&postcount=3




    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
    O2 - BHO: (no name) - {8821A22F-27B6-4389-AD61-5E8ADB84844B} - C:\WINDOWS\System32\ccpd.dll
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRA~1\ISTbar\istbar.dll
    O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvghj32.exe
    O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\rpfvvj.exe] C:\WINDOWS\rpfvvj.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [i5MGtZ] C:\WINDOWS\jaxktmm.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...006_regular.cab
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe




Please delete these files using Windows Explorer (if present):
    C:\WINDOWS\zeta.exe
    C:\WINDOWS\jaxktmm.exe
    C:\windows\system32\kalvghj32.exe
    C:\WINDOWS\rpfvvj.exe



Please delete these folders using Windows Explorer (if present):
    C:\Program Files\SurfSideKick 2
    C:\Program Files\Web_Rebates
    C:\Program Files\ISTsvc
    C:\Program Files\Power Scan
    C:\Program Files\Internet Optimizer
    C:\Program Files\BullsEye Network
    C:\Program Files\NaviSearch
    C:\Program Files\CashBack




    Please find this folder and delete everything in it, but not the folder itself.
    C:\Windows\Prefetch




    Next, we need to configure Ad-aware for a full scan.

    Click on the Gear icon (second from the left) to access the preferences/settings window

    1. In the General window make sure the following are selected:

    * Automatically save log-file
    * Automatically quarantine objects prior to removal
    * Safe Mode (always request confirmation)

    2. Click on the Scanning button on the left and select :

    * Scan Within Archives
    * Scan Active Processes
    * Scan Registry
    * Deep Scan Registry
    * Scan my IE favorites for banned URL’s
    * Scan my Hosts file
    * Under Click here to select drives + folders, choose:
    * All of your hard drives

    Click on the Advanced button on the left and select:

    * Include additional process information
    * Include additional file information
    * Include environment information

    Click the Tweak button and select:

    * Under the Scanning Engine:
    o Unload recognized processes & modules during scan
    o Include additional Ad-aware settings in logfile
    * Under the Cleaning Engine:
    o Let Windows remove files in use at next reboot

    Click on Proceed to save the settings.

    Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:

    * Use Custom Scanning Options

    Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

    Save the log file when it asks and then click Finish

    When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

    Reboot your computer.




    Now please download and install Spyware Blaster(link below) and post a new hijackthis log.
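The thread proceeds by posting a fresh HijackThis log after every cleanup round and checking what is gone and what came back; the O1 entries in the logs above point auto.search.msn.com and search.netscape.com at 69.20.16.183 instead of loopback. The Python below is an added example, not HijackThis or any tool linked in this thread: it parses HJT-style entry lines, diffs two logs, lists the entries that survived a round, and flags hosts redirects to non-loopback addresses. The two sample logs are constructed from lines that appear in this thread plus one made-up loopback entry (ads.example.test) to show the normal ad-blocking case.

```python
"""Triage helper for HijackThis-style logs.

Added example for this thread; it is not part of HijackThis or of any tool
the helper links. It parses the "R0/R1/R3/Oxx - ..." lines, diffs two
consecutive logs (what a cleanup removed, what appeared), lists what survived,
and flags O1 hosts entries that send a hostname somewhere other than loopback.
"""
import ipaddress
import re

# A log entry: section code (R0, R1, R3, O1, O4, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^\s*(?P<sec>[RO]\d+)\s+-\s+(?P<body>.*\S)\s*$")
# Body of an O1 entry: "Hosts: <ip> <hostname>".
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)$")

# Sample input: constructed from a handful of lines that appear in the thread's
# logs, plus one 127.0.0.1 line (ads.example.test) that is a normal ad-blocking
# hosts entry and is not from the thread.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\Program Files\SurfSideKick 2\SskBho.dll
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 ads.example.test
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
"""

LOG_AFTER = r"""
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"""


def parse_log(text):
    """Return the (section, body) entries of a log, in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def diff_logs(before, after):
    """Entries only in the earlier log (removed) and only in the later one (new)."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return sorted(b - a), sorted(a - b)


def survivors(before, after, sections=("R0", "R1", "R3", "O1", "O2", "O3", "O4")):
    """Entries present in both logs, limited to the sections a cleanup targets.

    After a fix round, anything listed here is either the "it came back" case
    this thread is about or a legitimate entry that was never meant to go.
    """
    common = set(parse_log(before)) & set(parse_log(after))
    return sorted(e for e in common if e[0] in sections)


def hijacked_hosts(text):
    """O1 entries that point a hostname at a non-loopback address."""
    flagged = []
    for sec, body in parse_log(text):
        if sec != "O1":
            continue
        m = HOSTS_RE.match(body)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not an IP literal; leave it for manual review
        # 127.x / ::1 entries are how blocklists neutralise ad hosts; any other
        # address silently re-routes the name to a third party.
        if not ip.is_loopback:
            flagged.append((m.group("host"), str(ip)))
    return flagged


def triage(before, after):
    """Bundle the views into one report dict."""
    removed, added = diff_logs(before, after)
    return {
        "removed": removed,
        "added": added,
        "survivors": survivors(before, after),
        "hijacked_hosts": hijacked_hosts(after),
    }


if __name__ == "__main__":
    for key, rows in triage(LOG_BEFORE, LOG_AFTER).items():
        print(f"== {key} ({len(rows)})")
        for row in rows:
            print("  ", row)
```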
  • edited December 2004
Quick question: what do you want me to do in Safe Mode? Just make it so I can see hidden files?
• Buckeye_Sam Columbus, Ohio
    edited December 2004
    Do everything in safe mode up until the Adaware scan finishes and you reboot back into normal mode.
  • edited December 2004
Thanks for your help so far.
A few questions:
- I have a new file on my desktop, "desktop.ini" (it's just a notebook file though)
- I forgot to save the log file from Ad-aware (took about 30 minutes to delete everything)
- I have not run SpywareBlaster yet
- I did not find all those files and folders to delete (guess Ad-aware deleted them)

New HJT log:

    Logfile of HijackThis v1.99.0
    Scan saved at 6:06:47 PM, on 12/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\DOCUME~1\Nick\LOCALS~1\Temp\Rar$EX00.813\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe

    R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {49DEC3C0-C71A-11D4-BA38-000102621B9B} - http://www.cursorskins.com/lib/cursorskins1/MouseMagicCS.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
    O23 - Service: Autodesk Licensing Service - Unknown - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • edited December 2004
Oh yeah, should I re-hide those files that you had me unhide?
• Buckeye_Sam Columbus, Ohio
    edited December 2004
    hockey05 wrote:
Oh yeah, should I re-hide those files that you had me unhide?


    Not yet. You still have some problems. I'll post with more instructions for you within an hour or two.
• Buckeye_Sam Columbus, Ohio
    edited December 2004
    Or sooner.



    Please download this tool.

    http://www.thatcomputerguy.us/downloads/finditnt2000xp.zip

    -Unzip the contents of finditnt2000xp.zip to a convenient location.
    -Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
    -A command prompt will open and it will search your computer for malicious files.
    -Once it has finished a Notepad window will pop up with output.txt.
    -Copy the entire contents of output.txt into your next post.
  • edited December 2004
This is long:

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    Find.bat is running from: C:\Documents and Settings\Nick\Desktop\Find It NT-2K-XP

    System Files in System32 Directory
    Volume in drive C has no label.
    Volume Serial Number is DC2F-09E2

    Directory of C:\WINDOWS\System32

    12/20/2004 11:48 PM 224,623 gpn8l35u1.dll
    12/20/2004 06:06 PM 224,623 jt4407hqe.dll
    12/20/2004 05:57 PM 226,177 m4nqle551h.dll
    12/19/2004 09:42 AM 222,881 dn4601hse.dll
    12/18/2004 09:23 AM 223,829 d0j00a1med.dll
    12/17/2004 03:05 PM 225,599 jtp8077ue.dll
    12/16/2004 08:29 PM 225,320 f00olad31d0.dll
    12/12/2004 01:17 AM 56,320 hfprx.dll
    12/11/2004 08:59 PM 56,320 xroga.dll
    12/10/2004 09:10 AM 56,320 hguap.dll
    12/08/2004 08:20 AM 11,307 ieuw32.exe
    12/04/2004 01:36 AM 56,320 cdphs.dll
    12/03/2004 11:53 AM 56,320 etgqv.dll
    12/02/2004 05:56 AM 99,698 mskb.dll
    12/01/2004 03:56 PM 56,320 katrz.dll
    11/26/2004 10:51 PM <DIR> DLLCACHE
    11/19/2004 07:41 AM 10,956 atlwt32.exe
    11/19/2004 07:17 AM 10,894 addva.exe
    11/15/2004 02:12 PM 11,613 apiyn32.exe
    11/14/2004 09:12 PM 10,994 sdkha32.exe
    11/12/2004 01:08 PM 10,935 winpo.exe
    11/12/2004 03:31 AM 11,190 iedr.exe
    11/12/2004 03:25 AM 11,371 msmb.exe
    11/10/2004 09:58 AM 56,320 kghfk.dll
    11/07/2004 08:41 AM 11,443 javamx32.exe
    11/06/2004 10:56 AM 3,362 tagkl.txt
    11/05/2004 10:08 AM 11,489 crtp32.exe
    11/05/2004 04:50 AM 97,228 apivx32.dll
    11/01/2004 07:59 PM 11,609 msfb32.exe
    10/25/2004 03:24 PM 3,362 rwnhj.log
    10/22/2004 07:04 AM 10,652 mseu.exe
    10/16/2004 04:27 PM 3,362 diprn.txt
    10/08/2004 06:59 PM 512 Oval73H.j9r
    10/03/2004 08:04 PM 1,104 VchsZQoq.fye
    09/06/2004 06:06 PM 512 Boi5X.8v1
    09/06/2004 06:06 PM 1,104 Cjo9g.x89
    09/04/2004 06:05 PM 1,104 TafqX5mo.dwc
    08/25/2004 05:21 PM 1,104 Tmou.akh
    08/12/2004 04:02 PM 1,104 Dwy13U.6sz
    08/07/2004 12:11 PM 253,962 Tovr.exe
    08/07/2004 12:11 PM 253,962 Exl331lH.exe
    08/07/2004 12:11 PM 253,962 Nlxxb.exe
    08/07/2004 12:11 PM 253,962 Weozlc.exe
    08/07/2004 12:11 PM 253,962 TczOOJ3.exe
    08/07/2004 12:11 PM 253,962 YfePY0.exe
    08/07/2004 12:11 PM 499,722 QmtPCB55.exe
    08/07/2004 12:11 PM 499,722 LsxI52.exe
    07/18/2004 07:28 PM 1,104 MtyJ62F.g8o
    07/14/2004 07:27 PM 1,104 BnyLS.46s
    07/02/2004 10:45 AM 1,104 IpvFme.017
    06/27/2004 03:37 PM 1,104 FmsCj.b90
    06/04/2004 10:08 AM 1,188 Szep85ln.cua
    06/02/2004 05:12 PM 1,188 CizmkYXS.9v1
    05/25/2004 08:28 PM 1,020 Anh4V.7ub
    05/25/2004 08:20 PM 1,020 Bin9f.w78
    05/23/2004 07:20 PM 1,188 Dkp0h.y89
    03/26/2004 09:26 PM 1,104 Bin9f.w88
    03/11/2004 09:40 PM 1,020 MtyJ62F.h8o
    03/11/2004 09:40 PM 1,020 Elr0i.a99
    03/09/2004 09:40 PM 1,020 Pywf2.5f4
    03/08/2004 09:39 PM 1,020 Zsu0g.65o
    03/06/2004 04:32 PM 1,020 LsxI5g.e28
    02/21/2004 03:19 PM 1,180 Bin9.fw7
    02/13/2004 04:25 PM 1,104 Pwbm74i.k9s
    02/07/2004 04:24 PM 1,104 VcisZRoq.fye
    02/03/2004 04:14 PM 1,104 Fmr0i.a99
    02/01/2004 04:14 PM 1,104 MtyJ62F.h8p
    02/01/2004 04:14 PM 1,104 FmrCj.a90
    01/31/2004 04:14 PM 1,020 IpuFmd.017
    01/31/2004 04:14 PM 1,020 Cjo9f.x88
    01/31/2004 04:14 PM 1,104 Qxcn74j.lat
    01/31/2004 04:14 PM 1,104 LsxI52.eg8
    01/25/2004 02:59 PM 1,104 Atv0h.65p
    01/19/2004 05:54 PM 1,020 Gmdq.5cb
    01/19/2004 05:54 PM 1,020 Ekbo.4az
    01/19/2004 05:51 PM 1,020 Sxp0A5.53p
    01/18/2004 09:41 PM 1,020 Cjo9g.y89
    01/18/2004 09:41 PM 1,104 UzqDC55.3qm
    01/17/2004 12:29 AM 1,104 Nsj8V.3i1
    01/08/2004 06:07 PM 1,104 VchsZRoq.fye
    01/07/2004 06:06 PM 1,104 KrwH5f.d27
    01/06/2004 06:06 PM 1,104 AlwJR.j5r
    01/04/2004 06:06 PM 1,104 WditZRpq.fye
    01/03/2004 06:06 PM 1,020 Qxcn74j.las
    01/03/2004 06:06 PM 1,104 Cjp9g.y89
    12/31/2003 06:05 PM 1,104 UbgrYPnp.ewd
    12/29/2003 06:05 PM 1,104 AlwKR.j5r
    12/27/2003 03:39 PM 1,104 Rydo84km.bua
    12/24/2003 03:37 PM 1,104 Zgl8.du7
    12/22/2003 03:37 PM 1,104 Qwcm74j.k9s
    12/21/2003 03:37 PM 1,104 NuzK63G.i8p
    12/20/2003 03:37 PM 1,104 GnsDk.b90
    07/17/2003 12:29 AM <DIR> Microsoft
    91 File(s) 4,887,349 bytes
    2 Dir(s) 48,060,633,088 bytes free

    Hidden Files in System32 Directory

    Volume in drive C has no label.
    Volume Serial Number is DC2F-09E2

    Directory of C:\WINDOWS\System32

    12/12/2004 01:17 AM 56,320 hfprx.dll
    12/11/2004 08:59 PM 56,320 xroga.dll
    12/10/2004 09:10 AM 56,320 hguap.dll
    12/08/2004 08:20 AM 11,307 ieuw32.exe
    12/04/2004 01:36 AM 56,320 cdphs.dll
    12/03/2004 11:53 AM 56,320 etgqv.dll
    12/02/2004 05:56 AM 99,698 mskb.dll
    12/01/2004 03:56 PM 56,320 katrz.dll
    11/26/2004 10:51 PM <DIR> DLLCACHE
    11/19/2004 07:41 AM 10,956 atlwt32.exe
    11/19/2004 07:17 AM 10,894 addva.exe
    11/15/2004 02:12 PM 11,613 apiyn32.exe
    11/14/2004 09:12 PM 10,994 sdkha32.exe
    11/12/2004 01:08 PM 10,935 winpo.exe
    11/12/2004 03:31 AM 11,190 iedr.exe
    11/12/2004 03:25 AM 11,371 msmb.exe
    11/10/2004 09:58 AM 56,320 kghfk.dll
    11/07/2004 08:41 AM 11,443 javamx32.exe
    11/06/2004 10:56 AM 3,362 tagkl.txt
    11/05/2004 10:08 AM 11,489 crtp32.exe
    11/05/2004 04:50 AM 97,228 apivx32.dll
    11/01/2004 07:59 PM 11,609 msfb32.exe
    10/25/2004 03:24 PM 3,362 rwnhj.log
    10/22/2004 07:04 AM 10,652 mseu.exe
    10/16/2004 04:27 PM 3,362 diprn.txt
    10/08/2004 06:59 PM 512 Oval73H.j9r
    10/03/2004 09:48 PM 488 logonui.exe.manifest
    10/03/2004 09:48 PM 488 WindowsLogon.manifest
    10/03/2004 09:48 PM 749 cdplayer.exe.manifest
    10/03/2004 09:48 PM 749 sapi.cpl.manifest
    10/03/2004 09:48 PM 749 wuaucpl.cpl.manifest
    10/03/2004 09:48 PM 749 ncpa.cpl.manifest
    10/03/2004 09:48 PM 749 nwc.cpl.manifest
    10/03/2004 08:04 PM 1,104 VchsZQoq.fye
    09/06/2004 06:06 PM 512 Boi5X.8v1
    09/06/2004 06:06 PM 1,104 Cjo9g.x89
    09/04/2004 06:05 PM 1,104 TafqX5mo.dwc
    08/25/2004 05:21 PM 1,104 Tmou.akh
    08/12/2004 04:02 PM 1,104 Dwy13U.6sz
    08/07/2004 12:11 PM 253,962 Tovr.exe
    08/07/2004 12:11 PM 253,962 Exl331lH.exe
    08/07/2004 12:11 PM 253,962 Nlxxb.exe
    08/07/2004 12:11 PM 253,962 Weozlc.exe
    08/07/2004 12:11 PM 253,962 TczOOJ3.exe
    08/07/2004 12:11 PM 253,962 YfePY0.exe
    08/07/2004 12:11 PM 499,722 QmtPCB55.exe
    08/07/2004 12:11 PM 499,722 LsxI52.exe
    07/18/2004 07:28 PM 1,104 MtyJ62F.g8o
    07/14/2004 07:27 PM 1,104 BnyLS.46s
    07/02/2004 10:45 AM 1,104 IpvFme.017
    06/27/2004 03:37 PM 1,104 FmsCj.b90
    06/04/2004 10:08 AM 1,188 Szep85ln.cua
    06/02/2004 05:12 PM 1,188 CizmkYXS.9v1
    05/25/2004 08:28 PM 1,020 Anh4V.7ub
    05/25/2004 08:20 PM 1,020 Bin9f.w78
    05/23/2004 07:20 PM 1,188 Dkp0h.y89
    03/26/2004 09:26 PM 1,104 Bin9f.w88
    03/11/2004 09:40 PM 1,020 Elr0i.a99
    03/11/2004 09:40 PM 1,020 MtyJ62F.h8o
    03/09/2004 09:40 PM 1,020 Pywf2.5f4
    03/08/2004 09:39 PM 1,020 Zsu0g.65o
    03/06/2004 04:32 PM 1,020 LsxI5g.e28
    02/21/2004 03:19 PM 1,180 Bin9.fw7
    02/13/2004 04:25 PM 1,104 Pwbm74i.k9s
    02/07/2004 04:24 PM 1,104 VcisZRoq.fye
    02/03/2004 04:14 PM 1,104 Fmr0i.a99
    02/01/2004 04:14 PM 1,104 FmrCj.a90
    02/01/2004 04:14 PM 1,104 MtyJ62F.h8p
    01/31/2004 04:14 PM 1,020 IpuFmd.017
    01/31/2004 04:14 PM 1,020 Cjo9f.x88
    01/31/2004 04:14 PM 1,104 Qxcn74j.lat
    01/31/2004 04:14 PM 1,104 LsxI52.eg8
    01/31/2004 02:02 AM 4,212 zllictbl.dat
    01/25/2004 02:59 PM 1,104 Atv0h.65p
    01/19/2004 05:54 PM 1,020 Gmdq.5cb
    01/19/2004 05:54 PM 1,020 Ekbo.4az
    01/19/2004 05:51 PM 1,020 Sxp0A5.53p
    01/18/2004 09:41 PM 1,020 Cjo9g.y89
    01/18/2004 09:41 PM 1,104 UzqDC55.3qm
    01/17/2004 12:29 AM 1,104 Nsj8V.3i1
    01/08/2004 06:07 PM 1,104 VchsZRoq.fye
    01/07/2004 06:06 PM 1,104 KrwH5f.d27
    01/06/2004 06:06 PM 1,104 AlwJR.j5r
    01/04/2004 06:06 PM 1,104 WditZRpq.fye
    01/03/2004 06:06 PM 1,020 Qxcn74j.las
    01/03/2004 06:06 PM 1,104 Cjp9g.y89
    12/31/2003 06:05 PM 1,104 UbgrYPnp.ewd
    12/29/2003 06:05 PM 1,104 AlwKR.j5r
    12/27/2003 03:39 PM 1,104 Rydo84km.bua
    12/24/2003 03:37 PM 1,104 Zgl8.du7
    12/22/2003 03:37 PM 1,104 Qwcm74j.k9s
    12/21/2003 03:37 PM 1,104 NuzK63G.i8p
    12/20/2003 03:37 PM 1,104 GnsDk.b90
    92 File(s) 3,323,230 bytes
    1 Dir(s) 48,060,624,896 bytes free

    Files Named "Guard"

    Volume in drive C has no label.
    Volume Serial Number is DC2F-09E2

    Directory of C:\WINDOWS\System32

    12/21/2004 10:16 AM 224,623 guard.tmp
    1 File(s) 224,623 bytes
    0 Dir(s) 48,060,624,896 bytes free

    Temp Files in System32 Directory

    Volume in drive C has no label.
    Volume Serial Number is DC2F-09E2

    Directory of C:\WINDOWS\System32

    12/21/2004 10:16 AM 224,623 guard.tmp
    09/22/2004 06:46 PM 5,550,080 setb6.tmp
    07/04/2004 10:30 PM 1,032 tmpmpt1.tmp
    08/29/2002 04:00 AM 2,577 CONFIG.TMP
    4 File(s) 5,778,312 bytes
    0 Dir(s) 48,060,620,800 bytes free

    User Agent

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{1BC08A78-0F96-40A0-90C5-BC0D8801CE4F}"=""


    Keys Under Notify

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    @=&quot;"
    "DLLName"="igfxsrvc.dll"
    "Asynchronous"=dword:00000001
    "Impersonate"=dword:00000001
    "Unlock"="WinlogonUnlockEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\jt4407hqe.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    Locate.com Results


    Strings.exe Aspack Results


    HKLM Run Key

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
    "IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
    "MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
    "PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
    "PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
    "IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
    "BCMSMMSG"="BCMSMMSG.exe"
    "Logitech Utility"="Logi_MwX.Exe"
    "IE Menu Extension toolbar"="rundll32.exe \"C:\\PROGRA~1\\IEMENU~1\\tbextn.dll\" DllShowTB"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"


  • Buckeye_Sam Columbus, Ohio
    edited December 2004
    Good job! I know it's long, but it shows exactly what we need to see.

    Download Killbox.

    http://www.downloads.subratam.org/KillBox.zip


    1. Unzip the contents of KillBox.zip to a convenient location.
    2. Double-click on KillBox.exe.
    3. Click "Replace on Reboot" and check the "Use Dummy" box.
    4. Paste this file into the top "Full Path of File to Delete" box.

    C:\WINDOWS\System32\gpn8l35u1.dll

    5. Click the "Delete File" button which looks like a stop sign.
    6. Click "Yes" at the Replace on Reboot prompt.
    7. Click "No" at the Pending Operations prompt.
    8. Repeat steps 4-8 above for these files:

    C:\WINDOWS\System32\jt4407hqe.dll

    C:\WINDOWS\System32\m4nqle551h.dll

    C:\WINDOWS\System32\dn4601hse.dll

    C:\WINDOWS\System32\d0j00a1med.dll

    C:\WINDOWS\System32\jtp8077ue.dll

    C:\WINDOWS\System32\f00olad31d0.dll


    9. Click "Replace on Reboot" and check the "Use Dummy" box.
    10. Paste this file into the top "Full Path of File to Delete" box.

    C:\WINDOWS\System32\Guard.tmp

    11. Click the "Delete File" button which looks like a stop sign.
    12. Click "Yes" at the Replace on Reboot prompt.
    13. Click "Yes" at the Pending Operations prompt to restart your computer.
    14. Double-click on find.bat and post the new output.txt.
  • edited December 2004
    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    Find.bat is running from: C:\Documents and Settings\Nick\Desktop\Find It NT-2K-XP

    System Files in System32 Directory
    Volume in drive C has no label.
    Volume Serial Number is DC2F-09E2

    Directory of C:\WINDOWS\System32

    12/20/2004 05:57 PM 226,177 m4nqle551h.dll
    12/19/2004 09:42 AM 222,881 dn4601hse.dll
    12/18/2004 09:23 AM 223,829 d0j00a1med.dll
    12/17/2004 03:05 PM 225,599 jtp8077ue.dll
    12/16/2004 08:29 PM 225,320 f00olad31d0.dll
    12/12/2004 01:17 AM 56,320 hfprx.dll
    12/11/2004 08:59 PM 56,320 xroga.dll
    12/10/2004 09:10 AM 56,320 hguap.dll
    12/08/2004 08:20 AM 11,307 ieuw32.exe
    12/04/2004 01:36 AM 56,320 cdphs.dll
    12/03/2004 11:53 AM 56,320 etgqv.dll
    12/02/2004 05:56 AM 99,698 mskb.dll
    12/01/2004 03:56 PM 56,320 katrz.dll
    11/26/2004 10:51 PM <DIR> DLLCACHE
    11/19/2004 07:41 AM 10,956 atlwt32.exe
    11/19/2004 07:17 AM 10,894 addva.exe
    11/15/2004 02:12 PM 11,613 apiyn32.exe
    11/14/2004 09:12 PM 10,994 sdkha32.exe
    11/12/2004 01:08 PM 10,935 winpo.exe
    11/12/2004 03:31 AM 11,190 iedr.exe
    11/12/2004 03:25 AM 11,371 msmb.exe
    11/10/2004 09:58 AM 56,320 kghfk.dll
    11/07/2004 08:41 AM 11,443 javamx32.exe
    11/06/2004 10:56 AM 3,362 tagkl.txt
    11/05/2004 10:08 AM 11,489 crtp32.exe
    11/05/2004 04:50 AM 97,228 apivx32.dll
    11/01/2004 07:59 PM 11,609 msfb32.exe
    10/25/2004 03:24 PM 3,362 rwnhj.log
    10/22/2004 07:04 AM 10,652 mseu.exe
    10/16/2004 04:27 PM 3,362 diprn.txt
    10/08/2004 06:59 PM 512 Oval73H.j9r
    10/03/2004 08:04 PM 1,104 VchsZQoq.fye
    09/06/2004 06:06 PM 512 Boi5X.8v1
    09/06/2004 06:06 PM 1,104 Cjo9g.x89
    09/04/2004 06:05 PM 1,104 TafqX5mo.dwc
    08/25/2004 05:21 PM 1,104 Tmou.akh
    08/12/2004 04:02 PM 1,104 Dwy13U.6sz
    08/07/2004 12:11 PM 253,962 Tovr.exe
    08/07/2004 12:11 PM 253,962 Exl331lH.exe
    08/07/2004 12:11 PM 253,962 Nlxxb.exe
    08/07/2004 12:11 PM 253,962 Weozlc.exe
    08/07/2004 12:11 PM 253,962 TczOOJ3.exe
    08/07/2004 12:11 PM 253,962 YfePY0.exe
    08/07/2004 12:11 PM 499,722 QmtPCB55.exe
    08/07/2004 12:11 PM 499,722 LsxI52.exe
    07/18/2004 07:28 PM 1,104 MtyJ62F.g8o
    07/14/2004 07:27 PM 1,104 BnyLS.46s
    07/02/2004 10:45 AM 1,104 IpvFme.017
    06/27/2004 03:37 PM 1,104 FmsCj.b90
    06/04/2004 10:08 AM 1,188 Szep85ln.cua
    06/02/2004 05:12 PM 1,188 CizmkYXS.9v1
    05/25/2004 08:28 PM 1,020 Anh4V.7ub
    05/25/2004 08:20 PM 1,020 Bin9f.w78
    05/23/2004 07:20 PM 1,188 Dkp0h.y89
    03/26/2004 09:26 PM 1,104 Bin9f.w88
    03/11/2004 09:40 PM 1,020 MtyJ62F.h8o
    03/11/2004 09:40 PM 1,020 Elr0i.a99
    03/09/2004 09:40 PM 1,020 Pywf2.5f4
    03/08/2004 09:39 PM 1,020 Zsu0g.65o
    03/06/2004 04:32 PM 1,020 LsxI5g.e28
    02/21/2004 03:19 PM 1,180 Bin9.fw7
    02/13/2004 04:25 PM 1,104 Pwbm74i.k9s
    02/07/2004 04:24 PM 1,104 VcisZRoq.fye
    02/03/2004 04:14 PM 1,104 Fmr0i.a99
    02/01/2004 04:14 PM 1,104 FmrCj.a90
    02/01/2004 04:14 PM 1,104 MtyJ62F.h8p
    01/31/2004 04:14 PM 1,020 IpuFmd.017
    01/31/2004 04:14 PM 1,020 Cjo9f.x88
    01/31/2004 04:14 PM 1,104 Qxcn74j.lat
    01/31/2004 04:14 PM 1,104 LsxI52.eg8
    01/25/2004 02:59 PM 1,104 Atv0h.65p
    01/19/2004 05:54 PM 1,020 Gmdq.5cb
    01/19/2004 05:54 PM 1,020 Ekbo.4az
    01/19/2004 05:51 PM 1,020 Sxp0A5.53p
    01/18/2004 09:41 PM 1,020 Cjo9g.y89
    01/18/2004 09:41 PM 1,104 UzqDC55.3qm
    01/17/2004 12:29 AM 1,104 Nsj8V.3i1
    01/08/2004 06:07 PM 1,104 VchsZRoq.fye
    01/07/2004 06:06 PM 1,104 KrwH5f.d27
    01/06/2004 06:06 PM 1,104 AlwJR.j5r
    01/04/2004 06:06 PM 1,104 WditZRpq.fye
    01/03/2004 06:06 PM 1,020 Qxcn74j.las
    01/03/2004 06:06 PM 1,104 Cjp9g.y89
    12/31/2003 06:05 PM 1,104 UbgrYPnp.ewd
    12/29/2003 06:05 PM 1,104 AlwKR.j5r
    12/27/2003 03:39 PM 1,104 Rydo84km.bua
    12/24/2003 03:37 PM 1,104 Zgl8.du7
    12/22/2003 03:37 PM 1,104 Qwcm74j.k9s
    12/21/2003 03:37 PM 1,104 NuzK63G.i8p
    12/20/2003 03:37 PM 1,104 GnsDk.b90
    07/17/2003 12:29 AM <DIR> Microsoft
    89 File(s) 4,438,103 bytes
    2 Dir(s) 48,029,081,600 bytes free

    Hidden Files in System32 Directory

    Volume in drive C has no label.
    Volume Serial Number is DC2F-09E2

    Directory of C:\WINDOWS\System32

    12/12/2004 01:17 AM 56,320 hfprx.dll
    12/11/2004 08:59 PM 56,320 xroga.dll
    12/10/2004 09:10 AM 56,320 hguap.dll
    12/08/2004 08:20 AM 11,307 ieuw32.exe
    12/04/2004 01:36 AM 56,320 cdphs.dll
    12/03/2004 11:53 AM 56,320 etgqv.dll
    12/02/2004 05:56 AM 99,698 mskb.dll
    12/01/2004 03:56 PM 56,320 katrz.dll
    11/26/2004 10:51 PM <DIR> DLLCACHE
    11/19/2004 07:41 AM 10,956 atlwt32.exe
    11/19/2004 07:17 AM 10,894 addva.exe
    11/15/2004 02:12 PM 11,613 apiyn32.exe
    11/14/2004 09:12 PM 10,994 sdkha32.exe
    11/12/2004 01:08 PM 10,935 winpo.exe
    11/12/2004 03:31 AM 11,190 iedr.exe
    11/12/2004 03:25 AM 11,371 msmb.exe
    11/10/2004 09:58 AM 56,320 kghfk.dll
    11/07/2004 08:41 AM 11,443 javamx32.exe
    11/06/2004 10:56 AM 3,362 tagkl.txt
    11/05/2004 10:08 AM 11,489 crtp32.exe
    11/05/2004 04:50 AM 97,228 apivx32.dll
    11/01/2004 07:59 PM 11,609 msfb32.exe
    10/25/2004 03:24 PM 3,362 rwnhj.log
    10/22/2004 07:04 AM 10,652 mseu.exe
    10/16/2004 04:27 PM 3,362 diprn.txt
    10/08/2004 06:59 PM 512 Oval73H.j9r
    10/03/2004 09:48 PM 488 logonui.exe.manifest
    10/03/2004 09:48 PM 488 WindowsLogon.manifest
    10/03/2004 09:48 PM 749 cdplayer.exe.manifest
    10/03/2004 09:48 PM 749 sapi.cpl.manifest
    10/03/2004 09:48 PM 749 wuaucpl.cpl.manifest
    10/03/2004 09:48 PM 749 ncpa.cpl.manifest
    10/03/2004 09:48 PM 749 nwc.cpl.manifest
    10/03/2004 08:04 PM 1,104 VchsZQoq.fye
    09/06/2004 06:06 PM 512 Boi5X.8v1
    09/06/2004 06:06 PM 1,104 Cjo9g.x89
    09/04/2004 06:05 PM 1,104 TafqX5mo.dwc
    08/25/2004 05:21 PM 1,104 Tmou.akh
    08/12/2004 04:02 PM 1,104 Dwy13U.6sz
    08/07/2004 12:11 PM 253,962 Tovr.exe
    08/07/2004 12:11 PM 253,962 Exl331lH.exe
    08/07/2004 12:11 PM 253,962 Nlxxb.exe
    08/07/2004 12:11 PM 253,962 Weozlc.exe
    08/07/2004 12:11 PM 253,962 TczOOJ3.exe
    08/07/2004 12:11 PM 253,962 YfePY0.exe
    08/07/2004 12:11 PM 499,722 QmtPCB55.exe
    08/07/2004 12:11 PM 499,722 LsxI52.exe
    07/18/2004 07:28 PM 1,104 MtyJ62F.g8o
    07/14/2004 07:27 PM 1,104 BnyLS.46s
    07/02/2004 10:45 AM 1,104 IpvFme.017
    06/27/2004 03:37 PM 1,104 FmsCj.b90
    06/04/2004 10:08 AM 1,188 Szep85ln.cua
    06/02/2004 05:12 PM 1,188 CizmkYXS.9v1
    05/25/2004 08:28 PM 1,020 Anh4V.7ub
    05/25/2004 08:20 PM 1,020 Bin9f.w78
    05/23/2004 07:20 PM 1,188 Dkp0h.y89
    03/26/2004 09:26 PM 1,104 Bin9f.w88
    03/11/2004 09:40 PM 1,020 Elr0i.a99
    03/11/2004 09:40 PM 1,020 MtyJ62F.h8o
    03/09/2004 09:40 PM 1,020 Pywf2.5f4
    03/08/2004 09:39 PM 1,020 Zsu0g.65o
    03/06/2004 04:32 PM 1,020 LsxI5g.e28
    02/21/2004 03:19 PM 1,180 Bin9.fw7
    02/13/2004 04:25 PM 1,104 Pwbm74i.k9s
    02/07/2004 04:24 PM 1,104 VcisZRoq.fye
    02/03/2004 04:14 PM 1,104 Fmr0i.a99
    02/01/2004 04:14 PM 1,104 FmrCj.a90
    02/01/2004 04:14 PM 1,104 MtyJ62F.h8p
    01/31/2004 04:14 PM 1,020 IpuFmd.017
    01/31/2004 04:14 PM 1,020 Cjo9f.x88
    01/31/2004 04:14 PM 1,104 Qxcn74j.lat
    01/31/2004 04:14 PM 1,104 LsxI52.eg8
    01/31/2004 02:02 AM 4,212 zllictbl.dat
    01/25/2004 02:59 PM 1,104 Atv0h.65p
    01/19/2004 05:54 PM 1,020 Gmdq.5cb
    01/19/2004 05:54 PM 1,020 Ekbo.4az
    01/19/2004 05:51 PM 1,020 Sxp0A5.53p
    01/18/2004 09:41 PM 1,020 Cjo9g.y89
    01/18/2004 09:41 PM 1,104 UzqDC55.3qm
    01/17/2004 12:29 AM 1,104 Nsj8V.3i1
    01/08/2004 06:07 PM 1,104 VchsZRoq.fye
    01/07/2004 06:06 PM 1,104 KrwH5f.d27
    01/06/2004 06:06 PM 1,104 AlwJR.j5r
    01/04/2004 06:06 PM 1,104 WditZRpq.fye
    01/03/2004 06:06 PM 1,020 Qxcn74j.las
    01/03/2004 06:06 PM 1,104 Cjp9g.y89
    12/31/2003 06:05 PM 1,104 UbgrYPnp.ewd
    12/29/2003 06:05 PM 1,104 AlwKR.j5r
    12/27/2003 03:39 PM 1,104 Rydo84km.bua
    12/24/2003 03:37 PM 1,104 Zgl8.du7
    12/22/2003 03:37 PM 1,104 Qwcm74j.k9s
    12/21/2003 03:37 PM 1,104 NuzK63G.i8p
    12/20/2003 03:37 PM 1,104 GnsDk.b90
    92 File(s) 3,323,230 bytes
    1 Dir(s) 48,029,073,408 bytes free

    Files Named "Guard"

    Volume in drive C has no label.
    Volume Serial Number is DC2F-09E2

    Directory of C:\WINDOWS\System32

    12/21/2004 10:08 PM 56 Guard.tmp
    1 File(s) 56 bytes
    0 Dir(s) 48,029,073,408 bytes free

    Temp Files in System32 Directory

    Volume in drive C has no label.
    Volume Serial Number is DC2F-09E2

    Directory of C:\WINDOWS\System32

    12/21/2004 10:08 PM 56 Guard.tmp
    09/22/2004 06:46 PM 5,550,080 setb6.tmp
    07/04/2004 10:30 PM 1,032 tmpmpt1.tmp
    08/29/2002 04:00 AM 2,577 CONFIG.TMP
    4 File(s) 5,553,745 bytes
    0 Dir(s) 48,029,069,312 bytes free

    User Agent

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{1BC08A78-0F96-40A0-90C5-BC0D8801CE4F}"=""


    Keys Under Notify

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\gpn8l35u1.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    @=&quot;"
    "DLLName"="igfxsrvc.dll"
    "Asynchronous"=dword:00000001
    "Impersonate"=dword:00000001
    "Unlock"="WinlogonUnlockEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    Locate.com Results


    Strings.exe Aspack Results


    HKLM Run Key

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
    "IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
    "MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
    "PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
    "PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
    "IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
    "BCMSMMSG"="BCMSMMSG.exe"
    "Logitech Utility"="Logi_MwX.Exe"
    "IE Menu Extension toolbar"="rundll32.exe \"C:\\PROGRA~1\\IEMENU~1\\tbextn.dll\" DllShowTB"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"


  • Buckeye_Sam Columbus, Ohio
    edited December 2004
    Well, we got rid of some of the bad files, but not all of them.

    Disconnect from the internet.

    Next, start Killbox and click on Tools->Delete Temp Files.
    Then click File ->Delete all dummy files.

    When that finishes, copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those in a minute:


    C:\WINDOWS\System32\m4nqle551h.dll

    C:\WINDOWS\System32\dn4601hse.dll

    C:\WINDOWS\System32\d0j00a1med.dll

    C:\WINDOWS\System32\jtp8077ue.dll

    C:\WINDOWS\System32\f00olad31d0.dll

    C:\WINDOWS\System32\Guard.tmp



    For the files that it either couldn't find or couldn't delete, run killbox again, but this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No" until after you've pasted the last file name, at which time you should answer "Yes".

    When it reboots, please post a new Find.bat log and a new Hijack This log.
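
    The two find.bat dumps above show why deleting the files alone keeps failing: in the first dump the Winlogon\Notify\Shell Extensions subkey loads C:\WINDOWS\system32\jt4407hqe.dll; after the Killbox pass that subkey is gone, a Notify\App Paths subkey now names gpn8l35u1.dll, and guard.tmp has shrunk from 224,623 bytes to the 56-byte dummy. Winlogon loads every DLL listed under Notify at logon, so the registry entry has to go together with the file. The script below is an added example for this thread, not code from find.bat, Killbox or either poster: it parses constructed excerpts of the two posted logs, decodes the hex(2) DllName values, flags any Notify package that is registered by full path or is outside a known-good baseline, lists freshly written DLLs in the size band the rogue files occupy, and diffs the System32 listing between the two runs. The baseline set, the 200-260 KB band and the trimmed sample logs are assumptions made for the example.

```python
"""Triage of the find.bat ("Find It NT-2K-XP") output posted in this thread.

Added example; not part of find.bat, Killbox or the original posts. It reads
constructed excerpts of the two posted logs (Winlogon\\Notify export plus the
System32 listing before and after the first Killbox pass). Assumptions: each
REGEDIT4 value sits on one line (no '\\' continuations), file names carry no
spaces, and BASELINE_NOTIFY_DLLS is complete for this machine.
"""
import re
from datetime import datetime

# Notify packages accepted as known-good on this box: the stock XP SP1 entries
# plus the Intel graphics driver already present in the log. An assumption.
BASELINE_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                        "igfxsrvc.dll", "wlnotify.dll", "sclgntfy.dll"}
DIR_LINE = re.compile(r"^(\d\d/\d\d/\d{4})\s+(\d\d:\d\d [AP]M)\s+([\d,]+)\s+(\S+)$")


def decode_reg_value(raw):
    """Decode one REGEDIT4 value: a quoted string, or hex(2) (REG_EXPAND_SZ),
    which regedit exports as comma-separated bytes ending in a NUL."""
    raw = raw.strip()
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.split(b"\x00", 1)[0].decode("latin-1")
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw  # dword:... and anything else is left as written


def parse_reg_export(text):
    """Parse a REGEDIT4 export into {key path: {value name: decoded value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = decode_reg_value(value)
    return keys


def suspicious_notify(text):
    """[(subkey, dll)] for Notify packages registered by full path or not in
    the baseline. Stock entries use a bare file name; the rogue ones here
    point at a random-named DLL in System32 by absolute path."""
    hits = []
    for key, vals in parse_reg_export(text).items():
        if "\\Winlogon\\Notify\\" not in key:
            continue
        dll = next((v for n, v in vals.items() if n.lower() == "dllname"), None)
        if dll and ("\\" in dll or dll.lower() not in BASELINE_NOTIFY_DLLS):
            hits.append((key.rsplit("\\", 1)[-1], dll))
    return hits


def parse_dir_listing(text):
    """Parse `dir` output into {lower-cased name: (mtime, size)}; <DIR> rows are skipped."""
    files = {}
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if m:
            when = datetime.strptime(f"{m[1]} {m[2]}", "%m/%d/%Y %I:%M %p")
            files[m[4].lower()] = (when, int(m[3].replace(",", "")))
    return files


def recent_large_dlls(listing, since, lo=200_000, hi=260_000):
    """DLLs written on or after `since` inside the 200-260 KB band the rogue
    files in this thread fall into (the band is an assumption; tune per case)."""
    return sorted(n for n, (t, s) in listing.items()
                  if n.endswith(".dll") and t >= since and lo <= s <= hi)


def diff_listings(before, after):
    """What a Killbox pass really changed between two find.bat runs."""
    both = set(before) & set(after)
    return {"removed": sorted(set(before) - set(after)),
            "added": sorted(set(after) - set(before)),
            "resized": sorted(n for n in both if before[n][1] != after[n][1])}


# Constructed excerpts of the two posted logs, trimmed to the relevant lines.
NOTIFY = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"
RUN1_NOTIFY = f"""REGEDIT4
[{NOTIFY}crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
[{NOTIFY}igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
[{NOTIFY}Shell Extensions]
"DllName"="C:\\\\WINDOWS\\\\system32\\\\jt4407hqe.dll"
"""
RUN2_NOTIFY = RUN1_NOTIFY.replace("Shell Extensions", "App Paths").replace("jt4407hqe", "gpn8l35u1")
RUN1_DIR = """12/20/2004 11:48 PM 224,623 gpn8l35u1.dll
12/20/2004 06:06 PM 224,623 jt4407hqe.dll
12/12/2004 01:17 AM 56,320 hfprx.dll
11/26/2004 10:51 PM <DIR> DLLCACHE
08/07/2004 12:11 PM 253,962 Tovr.exe
12/21/2004 10:16 AM 224,623 guard.tmp
"""
# Second run: the two rogue DLLs are gone and guard.tmp is the 56-byte dummy.
RUN2_DIR = "".join(RUN1_DIR.splitlines(True)[2:5]) + "12/21/2004 10:08 PM 56 Guard.tmp\n"

if __name__ == "__main__":
    print("run 1 rogue Notify:", suspicious_notify(RUN1_NOTIFY))
    print("run 2 rogue Notify:", suspicious_notify(RUN2_NOTIFY))
    r1, r2 = parse_dir_listing(RUN1_DIR), parse_dir_listing(RUN2_DIR)
    print("fresh 200-260 KB DLLs:", recent_large_dlls(r1, datetime(2004, 12, 16)))
    print("changed by Killbox:", diff_listings(r1, r2))
```

    Against the posted dumps the first check reports only the "Shell Extensions" entry in run 1 and only the "App Paths" entry in run 2, which is the entry to remove next; the diff shows which deletions actually took and that guard.tmp was replaced rather than removed. Point it at a real output.txt by splitting on the section headers and feeding the "Keys Under Notify" and "System Files in System32 Directory" parts to the two parsers.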
  • edited December 2004
    OK, all of those files deleted.
    New log:

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    Find.bat is running from: C:\Documents and Settings\Nick\Desktop\Find It NT-2K-XP

    System Files in System32 Directory
    Volume in drive C has no label.
    Volume Serial Number is DC2F-09E2

    Directory of C:\WINDOWS\System32

    12/12/2004 01:17 AM 56,320 hfprx.dll
    12/11/2004 08:59 PM 56,320 xroga.dll
    12/10/2004 09:10 AM 56,320 hguap.dll
    12/08/2004 08:20 AM 11,307 ieuw32.exe
    12/04/2004 01:36 AM 56,320 cdphs.dll
    12/03/2004 11:53 AM 56,320 etgqv.dll
    12/02/2004 05:56 AM 99,698 mskb.dll
    12/01/2004 03:56 PM 56,320 katrz.dll
    11/26/2004 10:51 PM <DIR> DLLCACHE
    11/19/2004 07:41 AM 10,956 atlwt32.exe
    11/19/2004 07:17 AM 10,894 addva.exe
    11/15/2004 02:12 PM 11,613 apiyn32.exe
    11/14/2004 09:12 PM 10,994 sdkha32.exe
    11/12/2004 01:08 PM 10,935 winpo.exe
    11/12/2004 03:31 AM 11,190 iedr.exe
    11/12/2004 03:25 AM 11,371 msmb.exe
    11/10/2004 09:58 AM 56,320 kghfk.dll
    11/07/2004 08:41 AM 11,443 javamx32.exe
    11/06/2004 10:56 AM 3,362 tagkl.txt
    11/05/2004 10:08 AM 11,489 crtp32.exe
    11/05/2004 04:50 AM 97,228 apivx32.dll
    11/01/2004 07:59 PM 11,609 msfb32.exe
    10/25/2004 03:24 PM 3,362 rwnhj.log
    10/22/2004 07:04 AM 10,652 mseu.exe
    10/16/2004 04:27 PM 3,362 diprn.txt
    10/08/2004 06:59 PM 512 Oval73H.j9r
    10/03/2004 08:04 PM 1,104 VchsZQoq.fye
    09/06/2004 06:06 PM 512 Boi5X.8v1
    09/06/2004 06:06 PM 1,104 Cjo9g.x89
    09/04/2004 06:05 PM 1,104 TafqX5mo.dwc
    08/25/2004 05:21 PM 1,104 Tmou.akh
    08/12/2004 04:02 PM 1,104 Dwy13U.6sz
    08/07/2004 12:11 PM 253,962 Tovr.exe
    08/07/2004 12:11 PM 253,962 Exl331lH.exe
    08/07/2004 12:11 PM 253,962 Nlxxb.exe
    08/07/2004 12:11 PM 253,962 Weozlc.exe
    08/07/2004 12:11 PM 253,962 TczOOJ3.exe
    08/07/2004 12:11 PM 253,962 YfePY0.exe
    08/07/2004 12:11 PM 499,722 QmtPCB55.exe
    08/07/2004 12:11 PM 499,722 LsxI52.exe
    07/18/2004 07:28 PM 1,104 MtyJ62F.g8o
    07/14/2004 07:27 PM 1,104 BnyLS.46s
    07/02/2004 10:45 AM 1,104 IpvFme.017
    06/27/2004 03:37 PM 1,104 FmsCj.b90
    06/04/2004 10:08 AM 1,188 Szep85ln.cua
    06/02/2004 05:12 PM 1,188 CizmkYXS.9v1
    05/25/2004 08:28 PM 1,020 Anh4V.7ub
    05/25/2004 08:20 PM 1,020 Bin9f.w78
    05/23/2004 07:20 PM 1,188 Dkp0h.y89
    03/26/2004 09:26 PM 1,104 Bin9f.w88
    03/11/2004 09:40 PM 1,020 Elr0i.a99
    03/11/2004 09:40 PM 1,020 MtyJ62F.h8o
    03/09/2004 09:40 PM 1,020 Pywf2.5f4
    03/08/2004 09:39 PM 1,020 Zsu0g.65o
    03/06/2004 04:32 PM 1,020 LsxI5g.e28
    02/21/2004 03:19 PM 1,180 Bin9.fw7
    02/13/2004 04:25 PM 1,104 Pwbm74i.k9s
    02/07/2004 04:24 PM 1,104 VcisZRoq.fye
    02/03/2004 04:14 PM 1,104 Fmr0i.a99
    02/01/2004 04:14 PM 1,104 MtyJ62F.h8p
    02/01/2004 04:14 PM 1,104 FmrCj.a90
    01/31/2004 04:14 PM 1,020 IpuFmd.017
    01/31/2004 04:14 PM 1,020 Cjo9f.x88
    01/31/2004 04:14 PM 1,104 Qxcn74j.lat
    01/31/2004 04:14 PM 1,104 LsxI52.eg8
    01/25/2004 02:59 PM 1,104 Atv0h.65p
    01/19/2004 05:54 PM 1,020 Gmdq.5cb
    01/19/2004 05:54 PM 1,020 Ekbo.4az
    01/19/2004 05:51 PM 1,020 Sxp0A5.53p
    01/18/2004 09:41 PM 1,020 Cjo9g.y89
    01/18/2004 09:41 PM 1,104 UzqDC55.3qm
    01/17/2004 12:29 AM 1,104 Nsj8V.3i1
    01/08/2004 06:07 PM 1,104 VchsZRoq.fye
    01/07/2004 06:06 PM 1,104 KrwH5f.d27
    01/06/2004 06:06 PM 1,104 AlwJR.j5r
    01/04/2004 06:06 PM 1,104 WditZRpq.fye
    01/03/2004 06:06 PM 1,020 Qxcn74j.las
    01/03/2004 06:06 PM 1,104 Cjp9g.y89
    12/31/2003 06:05 PM 1,104 UbgrYPnp.ewd
    12/29/2003 06:05 PM 1,104 AlwKR.j5r
    12/27/2003 03:39 PM 1,104 Rydo84km.bua
    12/24/2003 03:37 PM 1,104 Zgl8.du7
    12/22/2003 03:37 PM 1,104 Qwcm74j.k9s
    12/21/2003 03:37 PM 1,104 NuzK63G.i8p
    12/20/2003 03:37 PM 1,104 GnsDk.b90
    07/17/2003 12:29 AM <DIR> Microsoft
    84 File(s) 3,314,297 bytes
    2 Dir(s) 48,145,137,664 bytes free

    Hidden Files in System32 Directory

    Volume in drive C has no label.
    Volume Serial Number is DC2F-09E2

    Directory of C:\WINDOWS\System32

    12/12/2004 01:17 AM 56,320 hfprx.dll
    12/11/2004 08:59 PM 56,320 xroga.dll
    12/10/2004 09:10 AM 56,320 hguap.dll
    12/08/2004 08:20 AM 11,307 ieuw32.exe
    12/04/2004 01:36 AM 56,320 cdphs.dll
    12/03/2004 11:53 AM 56,320 etgqv.dll
    12/02/2004 05:56 AM 99,698 mskb.dll
    12/01/2004 03:56 PM 56,320 katrz.dll
    11/26/2004 10:51 PM <DIR> DLLCACHE
    11/19/2004 07:41 AM 10,956 atlwt32.exe
    11/19/2004 07:17 AM 10,894 addva.exe
    11/15/2004 02:12 PM 11,613 apiyn32.exe
    11/14/2004 09:12 PM 10,994 sdkha32.exe
    11/12/2004 01:08 PM 10,935 winpo.exe
    11/12/2004 03:31 AM 11,190 iedr.exe
    11/12/2004 03:25 AM 11,371 msmb.exe
    11/10/2004 09:58 AM 56,320 kghfk.dll
    11/07/2004 08:41 AM 11,443 javamx32.exe
    11/06/2004 10:56 AM 3,362 tagkl.txt
    11/05/2004 10:08 AM 11,489 crtp32.exe
    11/05/2004 04:50 AM 97,228 apivx32.dll
    11/01/2004 07:59 PM 11,609 msfb32.exe
    10/25/2004 03:24 PM 3,362 rwnhj.log
    10/22/2004 07:04 AM 10,652 mseu.exe
    10/16/2004 04:27 PM 3,362 diprn.txt
    10/08/2004 06:59 PM 512 Oval73H.j9r
    10/03/2004 09:48 PM 488 logonui.exe.manifest
    10/03/2004 09:48 PM 488 WindowsLogon.manifest
    10/03/2004 09:48 PM 749 cdplayer.exe.manifest
    10/03/2004 09:48 PM 749 sapi.cpl.manifest
    10/03/2004 09:48 PM 749 wuaucpl.cpl.manifest
    10/03/2004 09:48 PM 749 ncpa.cpl.manifest
    10/03/2004 09:48 PM 749 nwc.cpl.manifest
    10/03/2004 08:04 PM 1,104 VchsZQoq.fye
    09/06/2004 06:06 PM 512 Boi5X.8v1
    09/06/2004 06:06 PM 1,104 Cjo9g.x89
    09/04/2004 06:05 PM 1,104 TafqX5mo.dwc
    08/25/2004 05:21 PM 1,104 Tmou.akh
    08/12/2004 04:02 PM 1,104 Dwy13U.6sz
    08/07/2004 12:11 PM 253,962 Tovr.exe
    08/07/2004 12:11 PM 253,962 Exl331lH.exe
    08/07/2004 12:11 PM 253,962 Nlxxb.exe
    08/07/2004 12:11 PM 253,962 Weozlc.exe
    08/07/2004 12:11 PM 253,962 TczOOJ3.exe
    08/07/2004 12:11 PM 253,962 YfePY0.exe
    08/07/2004 12:11 PM 499,722 QmtPCB55.exe
    08/07/2004 12:11 PM 499,722 LsxI52.exe
    07/18/2004 07:28 PM 1,104 MtyJ62F.g8o
    07/14/2004 07:27 PM 1,104 BnyLS.46s
    07/02/2004 10:45 AM 1,104 IpvFme.017
    06/27/2004 03:37 PM 1,104 FmsCj.b90
    06/04/2004 10:08 AM 1,188 Szep85ln.cua
    06/02/2004 05:12 PM 1,188 CizmkYXS.9v1
    05/25/2004 08:28 PM 1,020 Anh4V.7ub
    05/25/2004 08:20 PM 1,020 Bin9f.w78
    05/23/2004 07:20 PM 1,188 Dkp0h.y89
    03/26/2004 09:26 PM 1,104 Bin9f.w88
    03/11/2004 09:40 PM 1,020 Elr0i.a99
    03/11/2004 09:40 PM 1,020 MtyJ62F.h8o
    03/09/2004 09:40 PM 1,020 Pywf2.5f4
    03/08/2004 09:39 PM 1,020 Zsu0g.65o
    03/06/2004 04:32 PM 1,020 LsxI5g.e28
    02/21/2004 03:19 PM 1,180 Bin9.fw7
    02/13/2004 04:25 PM 1,104 Pwbm74i.k9s
    02/07/2004 04:24 PM 1,104 VcisZRoq.fye
    02/03/2004 04:14 PM 1,104 Fmr0i.a99
    02/01/2004 04:14 PM 1,104 FmrCj.a90
    02/01/2004 04:14 PM 1,104 MtyJ62F.h8p
    01/31/2004 04:14 PM 1,020 IpuFmd.017
    01/31/2004 04:14 PM 1,020 Cjo9f.x88
    01/31/2004 04:14 PM 1,104 Qxcn74j.lat
    01/31/2004 04:14 PM 1,104 LsxI52.eg8
    01/31/2004 02:02 AM 4,212 zllictbl.dat
    01/25/2004 02:59 PM 1,104 Atv0h.65p
    01/19/2004 05:54 PM 1,020 Gmdq.5cb
    01/19/2004 05:54 PM 1,020 Ekbo.4az
    01/19/2004 05:51 PM 1,020 Sxp0A5.53p
    01/18/2004 09:41 PM 1,020 Cjo9g.y89
    01/18/2004 09:41 PM 1,104 UzqDC55.3qm
    01/17/2004 12:29 AM 1,104 Nsj8V.3i1
    01/08/2004 06:07 PM 1,104 VchsZRoq.fye
    01/07/2004 06:06 PM 1,104 KrwH5f.d27
    01/06/2004 06:06 PM 1,104 AlwJR.j5r
    01/04/2004 06:06 PM 1,104 WditZRpq.fye
    01/03/2004 06:06 PM 1,020 Qxcn74j.las
    01/03/2004 06:06 PM 1,104 Cjp9g.y89
    12/31/2003 06:05 PM 1,104 UbgrYPnp.ewd
    12/29/2003 06:05 PM 1,104 AlwKR.j5r
    12/27/2003 03:39 PM 1,104 Rydo84km.bua
    12/24/2003 03:37 PM 1,104 Zgl8.du7
    12/22/2003 03:37 PM 1,104 Qwcm74j.k9s
    12/21/2003 03:37 PM 1,104 NuzK63G.i8p
    12/20/2003 03:37 PM 1,104 GnsDk.b90
    92 File(s) 3,323,230 bytes
    1 Dir(s) 48,145,129,472 bytes free

    Files Named "Guard"

    Volume in drive C has no label.
    Volume Serial Number is DC2F-09E2

    Directory of C:\WINDOWS\System32


    Temp Files in System32 Directory

    Volume in drive C has no label.
    Volume Serial Number is DC2F-09E2

    Directory of C:\WINDOWS\System32

    09/22/2004 06:46 PM 5,550,080 setb6.tmp
    07/04/2004 10:30 PM 1,032 tmpmpt1.tmp
    08/29/2002 04:00 AM 2,577 CONFIG.TMP
    3 File(s) 5,553,689 bytes
    0 Dir(s) 48,145,125,376 bytes free

    User Agent

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{1BC08A78-0F96-40A0-90C5-BC0D8801CE4F}"=""


    Keys Under Notify

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\gpn8l35u1.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    @=""
    "DLLName"="igfxsrvc.dll"
    "Asynchronous"=dword:00000001
    "Impersonate"=dword:00000001
    "Unlock"="WinlogonUnlockEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    Locate.com Results

    Strings.exe Qoologic Results


    Strings.exe Aspack Results


    HKLM Run Key

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
    "IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
    "MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
    "PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
    "PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
    "IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
    "BCMSMMSG"="BCMSMMSG.exe"
    "Logitech Utility"="Logi_MwX.Exe"
    "IE Menu Extension toolbar"="rundll32.exe \"C:\\PROGRA~1\\IEMENU~1\\tbextn.dll\" DllShowTB"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"


  • Buckeye_Sam Columbus, Ohio
    edited December 2004
    Looking good. All the bad files are gone. Now we need to repair some of your registry entries.

    Copy this text into Notepad and save it as fix.reg. Then double-click on it. When it asks you if you want to merge this information into the registry, click Yes.

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{1BC08A78-0F96-40A0-90C5-BC0D8801CE4F}"=-

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]

    Is your recycle bin working properly? Please post a new Find.bat log and a HijackThis log.
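The fix.reg above deletes the Winlogon\Notify\App Paths subkey, the one entry in the "Keys Under Notify" section of the Find.bat log whose DllName pointed at a full path (C:\WINDOWS\system32\gpn8l35u1.dll) rather than at one of the stock notification packages. As an added example, not from this thread and not part of Find.bat or HijackThis, here is a Python script that parses the REGEDIT4 "Keys Under Notify" section Find.bat prints, decodes the hex(2) DllName values, and flags any subkey whose DLL is not on an allowlist or is given as an absolute path. The allowlist (KNOWN_NOTIFY_DLLS) and the sample excerpt (SAMPLE_LOG, modelled on the log above) are both constructed for this example.

```python
"""Audit the 'Keys Under Notify' section of a Find.bat log (added example)."""
import re

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumed allowlist: the notification DLLs registered on a stock XP SP1 box,
# plus the Intel graphics driver's igfxsrvc.dll seen in this log.  A starting
# point for triage, not a complete list of legitimate packages.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
    "sclgntfy.dll", "igfxsrvc.dll",
}

# Constructed excerpt in the REGEDIT4 form Find.bat prints (modelled on the log).
SAMPLE_LOG = r'''
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gpn8l35u1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
'''


def decode_reg_value(raw):
    """Turn a REGEDIT4 value literal into a Python string.

    Handles "quoted strings" (with backslash escapes) and hex(2): byte lists,
    which REGEDIT4 uses for REG_EXPAND_SZ.  Other types are returned as-is.
    """
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.split(b"\x00", 1)[0].decode("latin-1")  # stop at the NUL terminator
    return raw


def parse_notify_section(text):
    """Return {subkey_name: {value_name: decoded_value}} for keys under Notify."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            path = m.group(1)
            # Only subkeys of Notify matter; the root key itself carries no DllName.
            if path.lower().startswith(NOTIFY_ROOT.lower() + "\\"):
                current = path[len(NOTIFY_ROOT) + 1:]
                keys[current] = {}
            else:
                current = None
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        keys[current][name.strip().strip('"')] = decode_reg_value(value)
    return keys


def find_suspicious_notify_keys(text):
    """List (subkey, dll, reason) for Notify entries that deserve a closer look."""
    findings = []
    for subkey, values in parse_notify_section(text).items():
        # Find.bat shows both "DllName" and "DLLName"; compare case-insensitively.
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            findings.append((subkey, None, "no DllName value"))
            continue
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if basename not in KNOWN_NOTIFY_DLLS:
            reasons.append("DLL not in known Notify package list")
        if "\\" in dll:
            reasons.append("absolute path (stock entries use a bare file name)")
        if reasons:
            findings.append((subkey, dll, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for subkey, dll, reason in find_suspicious_notify_keys(SAMPLE_LOG):
        print(f"{subkey}: {dll} -> {reason}")
```

Run directly, it reports the App Paths subkey from the sample; pass the text of a real Find.bat log to find_suspicious_notify_keys to audit it. A hit is a lead for the helper to check, not proof of infection: the allowlist is deliberately short, and vendor packages such as Intel's igfxsrvc.dll are legitimate additions that belong on it.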
  • edited December 2004
    ok it added it, can I delete that file now off of my desktop?
    and no, my recycle bin is not working properly

    find.bat log:

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    Find.bat is running from: C:\Documents and Settings\Nick\Desktop\Find It NT-2K-XP

    System Files in System32 Directory
    Volume in drive C has no label.
    Volume Serial Number is DC2F-09E2

    Directory of C:\WINDOWS\System32

    12/12/2004 01:17 AM 56,320 hfprx.dll
    12/11/2004 08:59 PM 56,320 xroga.dll
    12/10/2004 09:10 AM 56,320 hguap.dll
    12/08/2004 08:20 AM 11,307 ieuw32.exe
    12/04/2004 01:36 AM 56,320 cdphs.dll
    12/03/2004 11:53 AM 56,320 etgqv.dll
    12/02/2004 05:56 AM 99,698 mskb.dll
    12/01/2004 03:56 PM 56,320 katrz.dll
    11/26/2004 10:51 PM <DIR> DLLCACHE
    11/19/2004 07:41 AM 10,956 atlwt32.exe
    11/19/2004 07:17 AM 10,894 addva.exe
    11/15/2004 02:12 PM 11,613 apiyn32.exe
    11/14/2004 09:12 PM 10,994 sdkha32.exe
    11/12/2004 01:08 PM 10,935 winpo.exe
    11/12/2004 03:31 AM 11,190 iedr.exe
    11/12/2004 03:25 AM 11,371 msmb.exe
    11/10/2004 09:58 AM 56,320 kghfk.dll
    11/07/2004 08:41 AM 11,443 javamx32.exe
    11/06/2004 10:56 AM 3,362 tagkl.txt
    11/05/2004 10:08 AM 11,489 crtp32.exe
    11/05/2004 04:50 AM 97,228 apivx32.dll
    11/01/2004 07:59 PM 11,609 msfb32.exe
    10/25/2004 03:24 PM 3,362 rwnhj.log
    10/22/2004 07:04 AM 10,652 mseu.exe
    10/16/2004 04:27 PM 3,362 diprn.txt
    10/08/2004 06:59 PM 512 Oval73H.j9r
    10/03/2004 08:04 PM 1,104 VchsZQoq.fye
    09/06/2004 06:06 PM 512 Boi5X.8v1
    09/06/2004 06:06 PM 1,104 Cjo9g.x89
    09/04/2004 06:05 PM 1,104 TafqX5mo.dwc
    08/25/2004 05:21 PM 1,104 Tmou.akh
    08/12/2004 04:02 PM 1,104 Dwy13U.6sz
    08/07/2004 12:11 PM 253,962 Tovr.exe
    08/07/2004 12:11 PM 253,962 Exl331lH.exe
    08/07/2004 12:11 PM 253,962 Nlxxb.exe
    08/07/2004 12:11 PM 253,962 Weozlc.exe
    08/07/2004 12:11 PM 253,962 TczOOJ3.exe
    08/07/2004 12:11 PM 253,962 YfePY0.exe
    08/07/2004 12:11 PM 499,722 QmtPCB55.exe
    08/07/2004 12:11 PM 499,722 LsxI52.exe
    07/18/2004 07:28 PM 1,104 MtyJ62F.g8o
    07/14/2004 07:27 PM 1,104 BnyLS.46s
    07/02/2004 10:45 AM 1,104 IpvFme.017
    06/27/2004 03:37 PM 1,104 FmsCj.b90
    06/04/2004 10:08 AM 1,188 Szep85ln.cua
    06/02/2004 05:12 PM 1,188 CizmkYXS.9v1
    05/25/2004 08:28 PM 1,020 Anh4V.7ub
    05/25/2004 08:20 PM 1,020 Bin9f.w78
    05/23/2004 07:20 PM 1,188 Dkp0h.y89
    03/26/2004 09:26 PM 1,104 Bin9f.w88
    03/11/2004 09:40 PM 1,020 Elr0i.a99
    03/11/2004 09:40 PM 1,020 MtyJ62F.h8o
    03/09/2004 09:40 PM 1,020 Pywf2.5f4
    03/08/2004 09:39 PM 1,020 Zsu0g.65o
    03/06/2004 04:32 PM 1,020 LsxI5g.e28
    02/21/2004 03:19 PM 1,180 Bin9.fw7
    02/13/2004 04:25 PM 1,104 Pwbm74i.k9s
    02/07/2004 04:24 PM 1,104 VcisZRoq.fye
    02/03/2004 04:14 PM 1,104 Fmr0i.a99
    02/01/2004 04:14 PM 1,104 MtyJ62F.h8p
    02/01/2004 04:14 PM 1,104 FmrCj.a90
    01/31/2004 04:14 PM 1,020 IpuFmd.017
    01/31/2004 04:14 PM 1,020 Cjo9f.x88
    01/31/2004 04:14 PM 1,104 Qxcn74j.lat
    01/31/2004 04:14 PM 1,104 LsxI52.eg8
    01/25/2004 02:59 PM 1,104 Atv0h.65p
    01/19/2004 05:54 PM 1,020 Gmdq.5cb
    01/19/2004 05:54 PM 1,020 Ekbo.4az
    01/19/2004 05:51 PM 1,020 Sxp0A5.53p
    01/18/2004 09:41 PM 1,020 Cjo9g.y89
    01/18/2004 09:41 PM 1,104 UzqDC55.3qm
    01/17/2004 12:29 AM 1,104 Nsj8V.3i1
    01/08/2004 06:07 PM 1,104 VchsZRoq.fye
    01/07/2004 06:06 PM 1,104 KrwH5f.d27
    01/06/2004 06:06 PM 1,104 AlwJR.j5r
    01/04/2004 06:06 PM 1,104 WditZRpq.fye
    01/03/2004 06:06 PM 1,020 Qxcn74j.las
    01/03/2004 06:06 PM 1,104 Cjp9g.y89
    12/31/2003 06:05 PM 1,104 UbgrYPnp.ewd
    12/29/2003 06:05 PM 1,104 AlwKR.j5r
    12/27/2003 03:39 PM 1,104 Rydo84km.bua
    12/24/2003 03:37 PM 1,104 Zgl8.du7
    12/22/2003 03:37 PM 1,104 Qwcm74j.k9s
    12/21/2003 03:37 PM 1,104 NuzK63G.i8p
    12/20/2003 03:37 PM 1,104 GnsDk.b90
    07/17/2003 12:29 AM <DIR> Microsoft
    84 File(s) 3,314,297 bytes
    2 Dir(s) 48,093,179,904 bytes free

    Hidden Files in System32 Directory

    Volume in drive C has no label.
    Volume Serial Number is DC2F-09E2

    Directory of C:\WINDOWS\System32

    12/12/2004 01:17 AM 56,320 hfprx.dll
    12/11/2004 08:59 PM 56,320 xroga.dll
    12/10/2004 09:10 AM 56,320 hguap.dll
    12/08/2004 08:20 AM 11,307 ieuw32.exe
    12/04/2004 01:36 AM 56,320 cdphs.dll
    12/03/2004 11:53 AM 56,320 etgqv.dll
    12/02/2004 05:56 AM 99,698 mskb.dll
    12/01/2004 03:56 PM 56,320 katrz.dll
    11/26/2004 10:51 PM <DIR> DLLCACHE
    11/19/2004 07:41 AM 10,956 atlwt32.exe
    11/19/2004 07:17 AM 10,894 addva.exe
    11/15/2004 02:12 PM 11,613 apiyn32.exe
    11/14/2004 09:12 PM 10,994 sdkha32.exe
    11/12/2004 01:08 PM 10,935 winpo.exe
    11/12/2004 03:31 AM 11,190 iedr.exe
    11/12/2004 03:25 AM 11,371 msmb.exe
    11/10/2004 09:58 AM 56,320 kghfk.dll
    11/07/2004 08:41 AM 11,443 javamx32.exe
    11/06/2004 10:56 AM 3,362 tagkl.txt
    11/05/2004 10:08 AM 11,489 crtp32.exe
    11/05/2004 04:50 AM 97,228 apivx32.dll
    11/01/2004 07:59 PM 11,609 msfb32.exe
    10/25/2004 03:24 PM 3,362 rwnhj.log
    10/22/2004 07:04 AM 10,652 mseu.exe
    10/16/2004 04:27 PM 3,362 diprn.txt
    10/08/2004 06:59 PM 512 Oval73H.j9r
    10/03/2004 09:48 PM 488 logonui.exe.manifest
    10/03/2004 09:48 PM 488 WindowsLogon.manifest
    10/03/2004 09:48 PM 749 cdplayer.exe.manifest
    10/03/2004 09:48 PM 749 sapi.cpl.manifest
    10/03/2004 09:48 PM 749 wuaucpl.cpl.manifest
    10/03/2004 09:48 PM 749 ncpa.cpl.manifest
    10/03/2004 09:48 PM 749 nwc.cpl.manifest
    10/03/2004 08:04 PM 1,104 VchsZQoq.fye
    09/06/2004 06:06 PM 512 Boi5X.8v1
    09/06/2004 06:06 PM 1,104 Cjo9g.x89
    09/04/2004 06:05 PM 1,104 TafqX5mo.dwc
    08/25/2004 05:21 PM 1,104 Tmou.akh
    08/12/2004 04:02 PM 1,104 Dwy13U.6sz
    08/07/2004 12:11 PM 253,962 Tovr.exe
    08/07/2004 12:11 PM 253,962 Exl331lH.exe
    08/07/2004 12:11 PM 253,962 Nlxxb.exe
    08/07/2004 12:11 PM 253,962 Weozlc.exe
    08/07/2004 12:11 PM 253,962 TczOOJ3.exe
    08/07/2004 12:11 PM 253,962 YfePY0.exe
    08/07/2004 12:11 PM 499,722 QmtPCB55.exe
    08/07/2004 12:11 PM 499,722 LsxI52.exe
    07/18/2004 07:28 PM 1,104 MtyJ62F.g8o
    07/14/2004 07:27 PM 1,104 BnyLS.46s
    07/02/2004 10:45 AM 1,104 IpvFme.017
    06/27/2004 03:37 PM 1,104 FmsCj.b90
    06/04/2004 10:08 AM 1,188 Szep85ln.cua
    06/02/2004 05:12 PM 1,188 CizmkYXS.9v1
    05/25/2004 08:28 PM 1,020 Anh4V.7ub
    05/25/2004 08:20 PM 1,020 Bin9f.w78
    05/23/2004 07:20 PM 1,188 Dkp0h.y89
    03/26/2004 09:26 PM 1,104 Bin9f.w88
    03/11/2004 09:40 PM 1,020 Elr0i.a99
    03/11/2004 09:40 PM 1,020 MtyJ62F.h8o
    03/09/2004 09:40 PM 1,020 Pywf2.5f4
    03/08/2004 09:39 PM 1,020 Zsu0g.65o
    03/06/2004 04:32 PM 1,020 LsxI5g.e28
    02/21/2004 03:19 PM 1,180 Bin9.fw7
    02/13/2004 04:25 PM 1,104 Pwbm74i.k9s
    02/07/2004 04:24 PM 1,104 VcisZRoq.fye
    02/03/2004 04:14 PM 1,104 Fmr0i.a99
    02/01/2004 04:14 PM 1,104 FmrCj.a90
    02/01/2004 04:14 PM 1,104 MtyJ62F.h8p
    01/31/2004 04:14 PM 1,020 IpuFmd.017
    01/31/2004 04:14 PM 1,020 Cjo9f.x88
    01/31/2004 04:14 PM 1,104 Qxcn74j.lat
    01/31/2004 04:14 PM 1,104 LsxI52.eg8
    01/31/2004 02:02 AM 4,212 zllictbl.dat
    01/25/2004 02:59 PM 1,104 Atv0h.65p
    01/19/2004 05:54 PM 1,020 Gmdq.5cb
    01/19/2004 05:54 PM 1,020 Ekbo.4az
    01/19/2004 05:51 PM 1,020 Sxp0A5.53p
    01/18/2004 09:41 PM 1,020 Cjo9g.y89
    01/18/2004 09:41 PM 1,104 UzqDC55.3qm
    01/17/2004 12:29 AM 1,104 Nsj8V.3i1
    01/08/2004 06:07 PM 1,104 VchsZRoq.fye
    01/07/2004 06:06 PM 1,104 KrwH5f.d27
    01/06/2004 06:06 PM 1,104 AlwJR.j5r
    01/04/2004 06:06 PM 1,104 WditZRpq.fye
    01/03/2004 06:06 PM 1,020 Qxcn74j.las
    01/03/2004 06:06 PM 1,104 Cjp9g.y89
    12/31/2003 06:05 PM 1,104 UbgrYPnp.ewd
    12/29/2003 06:05 PM 1,104 AlwKR.j5r
    12/27/2003 03:39 PM 1,104 Rydo84km.bua
    12/24/2003 03:37 PM 1,104 Zgl8.du7
    12/22/2003 03:37 PM 1,104 Qwcm74j.k9s
    12/21/2003 03:37 PM 1,104 NuzK63G.i8p
    12/20/2003 03:37 PM 1,104 GnsDk.b90
    92 File(s) 3,323,230 bytes
    1 Dir(s) 48,093,171,712 bytes free

    Files Named "Guard"

    Volume in drive C has no label.
    Volume Serial Number is DC2F-09E2

    Directory of C:\WINDOWS\System32


    Temp Files in System32 Directory

    Volume in drive C has no label.
    Volume Serial Number is DC2F-09E2

    Directory of C:\WINDOWS\System32

    09/22/2004 06:46 PM 5,550,080 setb6.tmp
    07/04/2004 10:30 PM 1,032 tmpmpt1.tmp
    08/29/2002 04:00 AM 2,577 CONFIG.TMP
    3 File(s) 5,553,689 bytes
    0 Dir(s) 48,093,167,616 bytes free

    User Agent

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{1BC08A78-0F96-40A0-90C5-BC0D8801CE4F}"=""


    Keys Under Notify

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
    @=""
    "DLLName"="igfxsrvc.dll"
    "Asynchronous"=dword:00000001
    "Impersonate"=dword:00000001
    "Unlock"="WinlogonUnlockEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    Locate.com Results

    Strings.exe Qoologic Results


    Strings.exe Aspack Results


    HKLM Run Key

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
    "IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
    "MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
    "PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
    "PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
    "IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
    "BCMSMMSG"="BCMSMMSG.exe"
    "Logitech Utility"="Logi_MwX.Exe"
    "IE Menu Extension toolbar"="rundll32.exe \"C:\\PROGRA~1\\IEMENU~1\\tbextn.dll\" DllShowTB"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"



    HJT log:

    Logfile of HijackThis v1.99.0
    Scan saved at 4:16:50 PM, on 12/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\DOCUME~1\Nick\LOCALS~1\Temp\Rar$EX00.360\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {1D6788D7-D1C8-4896-A508-D1E5E79610A6} - C:\WINDOWS\System32\jkn.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: strings.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {49DEC3C0-C71A-11D4-BA38-000102621B9B} - http://www.cursorskins.com/lib/cursorskins1/MouseMagicCS.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4308/mcfscan.cab
    O18 - Filter: text/html - {515E5652-4788-4CB1-9F1F-7DF36AED2895} - C:\WINDOWS\System32\jkn.dll
    O18 - Filter: text/plain - {515E5652-4788-4CB1-9F1F-7DF36AED2895} - C:\WINDOWS\System32\jkn.dll
    O23 - Service: Autodesk Licensing Service - Unknown - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • Buckeye_Sam Columbus, Ohio
    edited December 2004
    The reg file did its job, so yes, you can delete it now. It looks like the VX2 is gone from your log. We've got a few more things to clean up and then you should be fine.


    Download VX2Finder from here.

    http://www.downloads.subratam.org/VX2Finder.exe


    Double-click on VX2Finder.exe.
    Click "Restore Policy".
    In the File menu click "Exit".



    Now double-click on KillBox.exe.
    In the File menu click "Delete all Dummy files".
    In the Tools menu click "Delete Temp Files".
    Choose "Standard File Kill" if not already selected.
    Paste these files one by one into the top "Full Path of File to Delete" box.

    C:\RECYCLER\desktop.ini

    C:\WINDOWS\System32\drivers\etc\HOSTS


    Click the "Delete File" button which looks like a stop sign.
    Click "Yes" at the Confirm Delete prompt.
    It should give you a successful "File was deleted" prompt for each one.




    Now let's use Hijackthis to get rid of some more junk.

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {1D6788D7-D1C8-4896-A508-D1E5E79610A6} - C:\WINDOWS\System32\jkn.dll
    O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
    O4 - Global Startup: strings.exe
    O18 - Filter: text/html - {515E5652-4788-4CB1-9F1F-7DF36AED2895} - C:\WINDOWS\System32\jkn.dll
    O18 - Filter: text/plain - {515E5652-4788-4CB1-9F1F-7DF36AED2895} - C:\WINDOWS\System32\jkn.dll
    O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)



    Boot into Safe Mode
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. To get back to normal mode just restart the computer as you normally would.



    Show hidden files
    http://www.short-media.com/forum/showpost.php?p=172588&postcount=3



    Please delete these files using Windows Explorer (if present):
    C:\WINDOWS\System32\jkn.dll
    C:\WINDOWS\System32\angelex.exe
    strings.exe



    Please delete this folder using Windows Explorer (if present):
    C:\PROGRAM FILES\IEMENU~1



    Reboot back into normal mode.




    Please get an online virus scan.
    http://housecall.trendmicro.com/

    or

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm




    That should take care of all but one last problem. Please post a new hijackthis log so we can see what's left to deal with.
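An added example, not part of this thread or of HijackThis itself: a small Python triage script that parses log lines of the kind posted above and applies the same kind of rules Buckeye_Sam used when picking entries to fix (search values reset to about:NavigationFailure, an unnamed BHO, text/html and text/plain filters, a service whose file is missing, a Global Startup item with no path), plus a cross-check that reports a DLL loaded from more than one section so its entries are removed together. The log excerpt inside is constructed from entries in this thread; the rules are heuristics written for this example, not HijackThis's own logic.

```python
import re
from collections import defaultdict
# Constructed excerpt modelled on the HijackThis entries discussed in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
O2 - BHO: (no name) - {1D6788D7-D1C8-4896-A508-D1E5E79610A6} - C:\WINDOWS\System32\jkn.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - Global Startup: strings.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O18 - Filter: text/html - {515E5652-4788-4CB1-9F1F-7DF36AED2895} - C:\WINDOWS\System32\jkn.dll
O18 - Filter: text/plain - {515E5652-4788-4CB1-9F1F-7DF36AED2895} - C:\WINDOWS\System32\jkn.dll
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+\.(?:dll|exe)', re.IGNORECASE)

# Each rule: (reason, predicate over (section, body)). Heuristics, not signatures.
RULES = [
    ("search setting hijacked", lambda s, b: s in ("R0", "R1") and b.endswith("= about:NavigationFailure")),
    ("unnamed BHO", lambda s, b: s == "O2" and "(no name)" in b),
    ("MIME filter on text/*", lambda s, b: s == "O18" and "Filter: text/" in b),
    ("service binary missing", lambda s, b: s == "O23" and b.endswith("(file missing)")),
    ("startup item with no path", lambda s, b: s == "O4" and b.startswith("Global Startup:") and "\\" not in b),
    ("unknown Winsock LSP (review separately)", lambda s, b: s == "O10"),
]

def parse(text):
    """Split a log into (section, body) tuples; lines that are not entries are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries

def flag_entries(entries):
    """Return (reason, section, body) for every entry that trips a rule."""
    return [(reason, s, b) for s, b in entries for reason, hit in RULES if hit(s, b)]

def shared_modules(entries):
    """Map each module path to the sections loading it, keeping only paths seen in more
    than one section: those entries (here the BHO and both O18 filters) belong together."""
    by_path = defaultdict(set)
    for s, b in entries:
        for path in PATH_RE.findall(b):
            by_path[path.lower()].add(s)
    return {p: secs for p, secs in by_path.items() if len(secs) > 1}
```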