look2me vx2 new variant infection?

Hello, I've had a horrible few days trying to deal with what I believe is nasty malware. I may have downloaded and run something I shouldn't have when I was looking for a label program on the Internet. Since the 13th of December I have been downloading every kind of adware, spyware and trojan software that I could find. I currently have Spyware Blaster, Scan Spyware, Ad-aware SE Personal and Spybot Search and Destroy. I have downloaded CW Shredder, HiJack This, VX2Finder(126), LPSFIX and several other programs to try and figure out how to get rid of this malware. My HOSTS file is totally compromised and is changed as fast as I edit it. I have immunized my system to block most of the malware but it is persistent. The only thing that has kept me able to access the links that I want is to run Ad-aware right after start-up, remove the VX2 and other malware and then use the KillAdd popup blocker immediately upon accessing the Internet. I usually get an error message: [An exception occurred while trying to run ""C:\WINNT\System32\guard.tmp",uMonitor"

I have been reading the other threads and think that I have a new variant of the look2me/vx2 infection that kill2me doesn't eliminate. I would greatly appreciate any help I can get with regard to this problem. Regards (RevTed)

Comments

  • edited December 2004
    In order to help you we will need a HijackThis log. Post it in here, then we will help you remove it.
  • edited December 2004
    Thank you for the quick response. Here is my HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:19:22 PM, on 12/18/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    C:\WINNT\system32\khooker.exe
    C:\WINNT\explorer.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\KillAdd\killad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\DOCUME~1\Ted1\LOCALS~1\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mythnlynx.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mythnlynx.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
    O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
    O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11f239b5ee46e54a1f17/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38323.5929282407
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BB2C3D67-4ADB-4591-BD45-D58BCED2E420}: NameServer = 216.167.144.1 216.167.161.1
  • Crunchie, Mandurah, Western Australia. Member
    edited December 2004
    Hi. First of all, you need to update HijackThis to version 1.99. Run HijackThis and go to *Config\Misc Tools\Check for update on-line*. If the site is down, go here. Remove the old version by opening the program, going to Config\Misc Tools, then Uninstall, and exit. You then have to delete the file manually. Unzip the new version into the HijackThis folder.
    Please do the following;

    Click My Computer, then C:\
    In the menu bar, File->New->Folder.
    That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

    Download LSPfix from here
    On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "calsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.

    Go to c:\winnt\system32\ and delete the file manually.

    Download and run VX2Finder(.exe).
    http://www.downloads.subratam.org/VX2Finder.exe

    Open the program and click the 'Click to Find VX2.aBetterInternet' button. This will attempt to find all VX2-related files and registry keys and, when present, display them in its logfile. To create a logfile, click the button named 'Make Log'. This will open the logfile in Notepad. Please copy/paste the results and post them in this topic.

    Download these two tools:

    http://www.downloads.subratam.org/DllCompare.exe
    &
    http://www.downloads.subratam.org/KillBox.exe

    Run DllCompare by clicking "Run Locate.com", then click the Compare button. When done, post that log here. Do not reboot until I say, because all the filenames will change otherwise.
  • edited December 2004
    Here are the new log files; I ran HijackThis last - RevTed:

    Logfile of HijackThis v1.99.0
    Scan saved at 5:37:09 PM, on 12/18/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    C:\WINNT\system32\khooker.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mythnlynx.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mythnlynx.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
    O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11f239b5ee46e54a1f17/netzip/RdxIE601.cab
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: WebSeach Toolbar support NT service - Unknown - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)

    Log for VX2.BetterInternet File Finder (msg126)

    Files Found---

    Additional Files---

    Keys Under Notify---
    App Paths
    AtiExtEvent
    crypt32chain
    cryptnet
    cscdll
    Reliability
    sclgntfy
    SensLogn
    wzcnotif


    Guardian Key--- is called:

    User Agent String---
    {BEDAB044-6242-43AF-8E51-AF2D4BC08938}



    * DLLCompare Log version(1.0.0.125)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    C:\WINNT\SYSTEM32\cammdlg.dll Mon Dec 13 2004 9:09:36p ..S.R 226,133 220.83 K
    C:\WINNT\SYSTEM32\dbvacm.dll Mon Dec 13 2004 2:01:58p ..S.R 224,883 219.61 K
    C:\WINNT\SYSTEM32\en8ul1~1.dll Tue Dec 14 2004 7:09:04a ..S.R 224,844 219.57 K
    C:\WINNT\SYSTEM32\g2400c~1.dll Thu Dec 16 2004 5:03:14p ..S.R 224,488 219.23 K
    C:\WINNT\SYSTEM32\gplsl3~1.dll Mon Dec 13 2004 8:49:38p ..S.R 223,074 217.84 K
    C:\WINNT\SYSTEM32\h04mla~1.dll Sat Dec 18 2004 5:31:26p ..S.R 225,877 220.58 K
    C:\WINNT\SYSTEM32\ianathlp.dll Mon Dec 13 2004 8:03:04p ..S.R 223,042 217.81 K
    C:\WINNT\SYSTEM32\ikagx5.dll Mon Dec 13 2004 5:38:04p ..S.R 224,988 219.71 K
    C:\WINNT\SYSTEM32\inmui.dll Tue Dec 14 2004 12:06:00p ..S.R 223,360 218.13 K
    C:\WINNT\SYSTEM32\ir42l5~1.dll Mon Dec 13 2004 6:19:04p ..S.R 225,466 220.18 K
    C:\WINNT\SYSTEM32\ir6ul5~1.dll Wed Dec 15 2004 8:42:20a ..S.R 225,325 220.04 K
    C:\WINNT\SYSTEM32\jtn007~1.dll Tue Dec 14 2004 7:46:42p ..S.R 223,369 218.13 K
    C:\WINNT\SYSTEM32\ktl4l7~1.dll Sat Dec 18 2004 12:38:24a ..S.R 224,069 218.82 K
    C:\WINNT\SYSTEM32\ktp2l7~1.dll Sat Dec 18 2004 7:28:22a ..S.R 224,737 219.47 K
    C:\WINNT\SYSTEM32\kydne.dll Mon Dec 13 2004 8:32:50p ..S.R 223,183 217.95 K
    C:\WINNT\SYSTEM32\l62s0g~1.dll Tue Dec 14 2004 9:41:28p ..S.R 223,360 218.13 K
    C:\WINNT\SYSTEM32\lcmac13n.dll Thu Dec 16 2004 11:29:56a ..S.R 224,234 218.98 K
    C:\WINNT\SYSTEM32\lkafp13n.dll Mon Dec 13 2004 2:27:56p ..S.R 225,178 219.90 K
    C:\WINNT\SYSTEM32\myxmlr.dll Wed Dec 15 2004 11:19:12a ..S.R 224,542 219.28 K
    C:\WINNT\SYSTEM32\plstwpp.dll Sat Dec 18 2004 4:46:46p ..S.R 224,737 219.47 K
    C:\WINNT\SYSTEM32\qwgrprxy.dll Mon Dec 13 2004 1:03:12p ..S.R 223,337 218.10 K
    C:\WINNT\SYSTEM32\rvnd.dll Mon Dec 13 2004 3:05:12p ..S.R 223,716 218.47 K
    C:\WINNT\SYSTEM32\whnrul~1.dll Mon Dec 13 2004 6:33:08p ..S.R 225,664 220.38 K
    ________________________________________________

    1,155 items found: 1,155 files (23 H/S), 0 directories.
    Total of file sizes: 214,426,608 bytes 204.49 M

    Administrator Account = True

    End log
  • Crunchie, Mandurah, Western Australia. Member
    edited December 2004
    I am going through it now. Will not be long :).
  • Crunchie, Mandurah, Western Australia. Member
    edited December 2004
    It is important not to reboot until all the following files have been entered.

    Stay offline when doing the following fix.

    Open killbox and paste in C:\WINDOWS\SYSTEM32\C:\WINNT\SYSTEM32\cammdlg.dll

    With the full path to the file name in the topmost textbox, click the option *replace on reboot* and *Use Dummy* which will create a numbered dummy file instantly for you.

    Click the Red X, and for the confirmation message that will appear, you will need to click Yes.
    A second message will ask "Reboot now?"; you will need to click No (since you are not finished adding all related files yet).

    Repeat the above for each of these:

    C:\WINNT\SYSTEM32\dbvacm.dll
    C:\WINNT\SYSTEM32\en8ul1~1.dll
    C:\WINNT\SYSTEM32\g2400c~1.dll
    C:\WINNT\SYSTEM32\gplsl3~1.dll
    C:\WINNT\SYSTEM32\h04mla~1.dll
    C:\WINNT\SYSTEM32\ianathlp.dll
    C:\WINNT\SYSTEM32\ikagx5.dll
    C:\WINNT\SYSTEM32\inmui.dll
    C:\WINNT\SYSTEM32\ir42l5~1.dll
    C:\WINNT\SYSTEM32\ir6ul5~1.dll
    C:\WINNT\SYSTEM32\jtn007~1.dll
    C:\WINNT\SYSTEM32\ktl4l7~1.dll
    C:\WINNT\SYSTEM32\ktp2l7~1.dll
    C:\WINNT\SYSTEM32\kydne.dll
    C:\WINNT\SYSTEM32\l62s0g~1.dll
    C:\WINNT\SYSTEM32\lcmac13n.dll
    C:\WINNT\SYSTEM32\lkafp13n.dll
    C:\WINNT\SYSTEM32\myxmlr.dll
    C:\WINNT\SYSTEM32\plstwpp.dll
    C:\WINNT\SYSTEM32\qwgrprxy.dll
    C:\WINNT\SYSTEM32\rvnd.dll
    C:\WINNT\SYSTEM32\whnrul~1.dll
    C:\Windows\System32\Guard.tmp


    On that last file, close all programs and Reboot your computer.

    Open the registry editor and go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify and export that key to your desktop. Call it notify.reg.
    Right click on it and then Edit. Copy and paste the results here.

    Post another log from dllcompare please. And another hijackthis log please.
  • edited December 2004
    Here is the latest group of log files - RevTed:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reliability]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINNT\\system32\\l28mlcl11fq.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINNT\\system32\\h04mlah11d4.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
    "DLLName"="wzcdlg.dll"
    "Logon"="WZCEventLogon"
    "Logoff"="WZCEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000000



    * DLLCompare Log version(1.0.0.127)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    C:\WINNT\SYSTEM32\cammdlg.dll Mon Dec 13 2004 9:09:36p ..S.R 226,133 220.83 K
    C:\WINNT\SYSTEM32\ir6ul5~1.dll Wed Dec 15 2004 8:42:20a ..S.R 225,325 220.04 K
    C:\WINNT\SYSTEM32\qwgrprxy.dll Mon Dec 13 2004 1:03:12p ..S.R 223,337 218.10 K
    C:\WINNT\SYSTEM32\rvnd.dll Mon Dec 13 2004 3:05:12p ..S.R 223,716 218.47 K
    ________________________________________________

    1,154 items found: 1,154 files (4 H/S), 0 directories.
    Total of file sizes: 210,164,521 bytes 200.43 M

    Administrator Account = True

    End log



    Logfile of HijackThis v1.99.0
    Scan saved at 7:11:54 PM, on 12/18/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    C:\WINNT\system32\khooker.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\WINNT\system32\NOTEPAD.EXE
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mythnlynx.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mythnlynx.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
    O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11f239b5ee46e54a1f17/netzip/RdxIE601.cab
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: WebSeach Toolbar support NT service - Unknown - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
  • Crunchie, Mandurah, Western Australia. Member
    edited December 2004
    Just spotted a typo I made in my previous post, which is probably the reason there are still files to remove :(.

    Go offline now.

    Open killbox and paste in C:\WINNT\SYSTEM32\cammdlg.dll

    With the full path to the file name in the topmost textbox, click the option *replace on reboot* and *Use Dummy* which will create a numbered dummy file instantly for you.

    Click the Red X, and for the confirmation message that will appear, you will need to click Yes.
    A second message will ask "Reboot now?"; you will need to click No (since you are not finished adding all related files yet).

    Repeat the above for each of these:

    C:\WINNT\SYSTEM32\ir6ul5~1.dll
    C:\WINNT\SYSTEM32\qwgrprxy.dll
    C:\WINNT\SYSTEM32\rvnd.dll
    C:\Windows\System32\Guard.tmp


    Reboot.

    Go here and download FindIt.zip to your Desktop, unzip it, open the FindIt folder and double-click on find.bat. Let it run (please be patient, it will take a few minutes) and when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.
    Post another dllcompare log too please.
  • edited December 2004
    Thank you for your patience. Here is the latest that you requested - RevTed:

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    System Files in System32 Directory

    Volume in drive C has no label.
    Volume Serial Number is C432-EAB0

    Directory of C:\WINNT\System32

    12/16/2004 01:57p <DIR> dllcache
    0 File(s) 0 bytes
    1 Dir(s) 30,733,938,688 bytes free

    Hidden Files in System32 Directory

    Volume in drive C has no label.
    Volume Serial Number is C432-EAB0

    Directory of C:\WINNT\System32

    12/16/2004 01:57p <DIR> dllcache
    12/02/2004 02:49p <DIR> GroupPolicy
    12/02/2004 02:44p 21,692 folder.htt
    12/02/2004 02:44p 271 desktop.ini
    2 File(s) 21,963 bytes
    2 Dir(s) 30,733,938,688 bytes free

    Files Named "Guard"

    Volume in drive C has no label.
    Volume Serial Number is C432-EAB0

    Directory of C:\WINNT\System32


    Temp Files in System32 Directory

    Volume in drive C has no label.
    Volume Serial Number is C432-EAB0

    Directory of C:\WINNT\System32

    12/07/1999 05:00a 2,577 CONFIG.TMP
    1 File(s) 2,577 bytes
    0 Dir(s) 30,733,938,688 bytes free

    User Agent

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{BEDAB044-6242-43AF-8E51-AF2D4BC08938}"=""


    Keys Under Notify

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reliability]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINNT\\system32\\l28mlcl11fq.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINNT\\system32\\h04mlah11d4.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
    "DLLName"="wzcdlg.dll"
    "Logon"="WZCEventLogon"
    "Logoff"="WZCEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000000


    Xfind Results

    'Xfind' is not recognized as an internal or external command,
    operable program or batch file.

    Locate.com Results




    * DLLCompare Log version(1.0.0.127)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    O^E says: "There were no files found :)"
    ________________________________________________

    1,154 items found: 1,154 files, 0 directories.
    Total of file sizes: 209,266,234 bytes 199.57 M

    Administrator Account = True

    End log
  • Crunchie, Mandurah, Western Australia. Member
    edited December 2004
    Looking better :).

    Open Killbox and copy and paste the path to the Desktop.ini for the recycle bin, i.e.:

    C:\RECYCLER\Desktop.ini

    Click Red X to delete it.

    Also paste in C:\Windows\System32\Guard.tmp again and click the red X to delete that.

    Run VX2Finder and click the *Click to find etc* button. Then hit the *restore policy* button and follow the prompts. Click the *UserAgent$* button and follow the prompts. Exit the program.

    Open regedit and go to *HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify* and delete the *Reliability* sub-key and the *SharedDLLs* sub-key.
    NOTE. Please back up the *notify* key by exporting it to a safe location. Call it notify.reg.

    Please reboot when done and post a HijackThis log, a VX2Finder log and a DllCompare log.
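The two sub-keys above stand out because their DllName points at a random-looking file under system32 by full path, while the legitimate Notify entries use bare DLL names and specific handler names. The script below is an added example, not a tool from this thread: it parses a notify.reg export in either of the two formats posted here (the "Windows Registry Editor Version 5.00" export with UTF-16 hex(2) values and the REGEDIT4 export with single-byte hex(2) values) and flags entries that deserve review. The baseline list and the sample export are taken from the logs above; the sample is abridged and constructed for the demo.

```python
import re
from typing import Dict, List, Tuple

# Notify sub-keys present on the clean Windows 2000 SP4 box in this thread.
# A baseline for that build, not a universal allow-list.
BASELINE_SUBKEYS = {"AtiExtEvent", "crypt32chain", "cryptnet", "cscdll",
                    "sclgntfy", "SensLogn", "wzcnotif"}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


def _decode_hex2(payload: str) -> str:
    """Decode a REG_EXPAND_SZ exported as hex(2): comma-separated bytes.
    Version 5.00 exports are UTF-16LE (every second byte is 0 for ASCII names);
    REGEDIT4 exports are single-byte ANSI."""
    data = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    if len(data) >= 2 and data[1] == 0:
        return data.decode("utf-16-le").rstrip("\x00")
    return data.decode("latin-1").rstrip("\x00")


def parse_notify_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {subkey: {value_name: decoded_value}} for each Notify\\<subkey> section."""
    # Long hex values are continued with a trailing backslash; rejoin them first.
    joined = re.sub(r",\\\r?\n\s*", ",", text)
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.lower().startswith(NOTIFY_KEY.lower() + "\\"):
                current = key[len(NOTIFY_KEY) + 1:]
                sections[current] = {}
            else:
                current = None  # the Notify key itself, or an unrelated key
            continue
        if current is None:
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m:
            continue
        name, val = m.group(1), m.group(2)
        if val.startswith('"') and val.endswith('"'):
            sections[current][name] = val[1:-1].replace("\\\\", "\\")  # un-escape \\
        elif val.lower().startswith("hex(2):"):
            sections[current][name] = _decode_hex2(val[len("hex(2):"):])
        elif val.lower().startswith("dword:"):
            sections[current][name] = str(int(val[len("dword:"):], 16))
        else:
            sections[current][name] = val
    return sections


def suspicious_entries(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (subkey, dll_name, reasons) for Notify entries a defender should review."""
    findings = []
    for subkey, values in sections.items():
        lowered = {k.lower(): v for k, v in values.items()}  # "DllName" vs "DLLName"
        dll = lowered.get("dllname", "")
        reasons = []
        if subkey not in BASELINE_SUBKEYS:
            reasons.append("subkey not in baseline")
        if "\\" in dll:
            reasons.append("DllName is an absolute path; baseline entries use bare names")
        if (lowered.get("logon"), lowered.get("logoff"), lowered.get("shutdown")) == \
                ("WinLogon", "WinLogoff", "WinShutdown"):
            reasons.append("generic WinLogon/WinLogoff/WinShutdown handlers")
        if reasons:
            findings.append((subkey, dll, "; ".join(reasons)))
    return findings


# Constructed sample: an abridged copy of the export posted in this thread,
# two legitimate sub-keys and the two hijacking ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reliability]
"DllName"="C:\\WINNT\\system32\\l28mlcl11fq.dll"
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"DllName"="C:\\WINNT\\system32\\h04mlah11d4.dll"
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
'''

if __name__ == "__main__":
    for subkey, dll, why in suspicious_entries(parse_notify_reg(SAMPLE_REG)):
        print(f"{subkey:12} {dll}  <- {why}")
```

Run it against a real notify.reg by reading the file into `parse_notify_reg` instead of `SAMPLE_REG`; anything flagged still needs a human decision before the sub-key is deleted.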
  • edited December 2004
    System feels better already. Here are the latest files - RevTed:

    Logfile of HijackThis v1.99.0
    Scan saved at 8:31:07 PM, on 12/18/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    C:\WINNT\system32\khooker.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mythnlynx.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mythnlynx.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
    O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11f239b5ee46e54a1f17/netzip/RdxIE601.cab
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: WebSeach Toolbar support NT service - Unknown - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)

    * DLLCompare Log version(1.0.0.127)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    O^E says: "There were no files found :)"
    ________________________________________________

    1,154 items found: 1,154 files, 0 directories.
    Total of file sizes: 209,266,234 bytes 199.57 M

    Administrator Account = True

    End log


    Log for VX2.BetterInternet File Finder (ALL)

    Files Found---

    Additional Files---

    Keys Under Notify---
    AtiExtEvent
    crypt32chain
    cryptnet
    cscdll
    sclgntfy
    SensLogn
    wzcnotif


    Guardian Key--- is called:

    Guardian Key--- :

    User Agent String---
  • Crunchie, Mandurah, Western Australia. Member
    edited December 2004
    Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O1 - Hosts: 69.20.16.183 ieautosearch

    O15 - Trusted IP range: (HKLM)

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11f239b...ip/RdxIE601.cab

    O23 - Service: WebSeach Toolbar support NT service - Unknown - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)

    When you next reboot, run HijackThis and check for those O1 entries. If gone, you are clear :).

    Download, install and keep updated, Spywareblaster from www.javacoolsoftware.com to help keep your system clean.
  • edited December 2004
    It does seem that I am now all clear.

    I will definitely safeguard my computer a little more closely from now on.

    Thank you for all your time and assistance. It is greatly appreciated.

    Happy Holidays to you and the whole SWAT Team.
  • edited December 2004
    To make sure my PC is clean of spyware I run Ad-aware, Spybot Search and Destroy and SpySubtract.
    To make sure you're free of spyware you need to run them at least once a week.
    Also, to remove some types of spyware you have to reboot into Safe Mode (F8).
    I also use a program called Hoster (allows you to check the HOSTS file and has an option to change the HOSTS file back to Microsoft's original).

    I recommend you use all of the programs listed above to make sure you're completely free of spyware.
  • Dexter, Vancouver, BC, Canada
    edited December 2004
    At Short-Media, we are aware of Hoster, but don't usually recommend it for several reasons:

    - Many users have custom HOSTS entries defined as a result of using various anti-spyware applications. Hoster would wipe those out by simply restoring a blank HOSTS file. A much better method is to keep a backup copy of your own HOSTS file under a different name in the same directory (C:\WINDOWS\system32\drivers\etc). Then if you have bad HOSTS entries added by spyware, you can just copy your backup over the top of the HOSTS file.

    - Any HOSTS entries can also be managed quickly and easily using HijackThis: you can view them and remove any bad HOSTS entries right in the Scan window, and using the advanced tools (under Config -> Misc Tools) you can open a HOSTS file manager and remove entries there as well.

    - You can also make your HOSTS file READ ONLY to help prevent spyware from altering it. This is not foolproof, as spyware can change the permission back and then alter it anyway, but it is helpful in some instances.

    Dexter...
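The "keep a backup copy and compare" advice above can be automated. The script below is an added example, not a tool from this thread or from Short-Media: it parses HOSTS-file text, flags any name that is pointed at a routable address instead of a loopback or 0.0.0.0 sinkhole (the pattern of the O1 lines in this thread, where several search hostnames all map to 69.20.16.183), and, when a backup copy is supplied, also reports which mappings are new. The sample file contents are constructed from the O1 lines posted above plus an invented block-list entry.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; one HOSTS line may map an address to several names."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # not a hosts mapping line
        pairs.extend((ip, name.lower()) for name in parts[1:])
    return pairs


def _is_sinkhole(ip: str) -> bool:
    """Block lists point names at loopback or 0.0.0.0; a hijacker points them at a real server."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def hijacked_entries(current: str, backup: Optional[str] = None) -> List[Tuple[str, str, str]]:
    """Return (ip, hostname, reasons) for mappings that redirect a name to a routable address.
    With a known-good backup copy supplied, entries absent from it are called out as well."""
    backup_set: Optional[Set[Tuple[str, str]]] = (
        set(parse_hosts(backup)) if backup is not None else None)
    by_ip: Dict[str, List[str]] = {}
    for ip, name in parse_hosts(current):
        by_ip.setdefault(ip, []).append(name)
    findings = []
    for ip, names in by_ip.items():
        if _is_sinkhole(ip):
            continue
        for name in names:
            reasons = ["routable address rather than a block-list sinkhole"]
            if len(names) > 1:
                reasons.append(f"same address reused for {len(names)} names")
            if backup_set is not None and (ip, name) not in backup_set:
                reasons.append("not present in backup copy")
            findings.append((ip, name, "; ".join(reasons)))
    return findings


# Constructed sample: a clean backup, and the same file after the redirects seen in this thread.
CLEAN_BACKUP = """\
# constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1       ads.example.invalid   # constructed block-list entry
"""

HIJACKED_HOSTS = CLEAN_BACKUP + """\
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
"""

if __name__ == "__main__":
    for ip, name, why in hijacked_entries(HIJACKED_HOSTS, CLEAN_BACKUP):
        print(f"{ip:15} {name:25} {why}")
```

Private intranet mappings will also be reported as routable, so treat the output as a review list rather than an automatic clean-up.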
This discussion has been closed.