Skip to main content

Midnight Star

4.8K Posts

February 13th, 2005 14:00

mnachman,

Be sure to read this over before you begin, since we'll be using several programs in safe mode. You'll need to download and install them before beginning the fix.

-

Let's see what we can do...


If you haven't ran HouseCall lately, let's go back to www.trendmicro.com, download the latest definitions, and run it.


Reboot your computer into " Safe Mode"


Next, locate CWShredder that you downloaded earlier and run it, then:

1. Click " Check For Update"

( If an update isn't available, skip to step #4.)

2. Click " Click here to Download the upate".
3. When the new version has been downloaded, click " Save".

4. Click " Fix ->"


Locate About:Buster that you downloaded earlier and run it, then:

1. Click " Update".
2. Click " Check For Update"

( If no new version is available, skip to step #4.)

3. Click " Download Update", and wait for it to be installed.
4. Click " Start".

( Wait for the initial ADS scan to complete.)

5. Click "Yes", to shutdown any IE session currently open.

( Wait for the about:blank scan to complete.)

6. Click " Ok", to scan once more.
7. Click " Yes", to shutdown any IE sessions currently open.
8. Click " Yes", to begin the second pass.

9. Click " Save log", and post this log back along with your new log.
10. Click " Exit".
11. Click " Exit".


Reboot your computer normally.


Go to Add/Remove programs and remove(uninstall) the following, if present:

TIBS
Viewpoint Manager

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.


Download, then unzip to " C:\HJT", the newest version of HiJackThis; version 1.99.0. Then repost your log, either now, or after following the steps in the solution ( if provided in this post). This version has features that might help in 'cleaning' up your system.


Run HiJackThis then:

1. Click " Config..."
2. Click " Misc Tools"
3. Click " Open Process manager"

-

Next, while holding down the CTRL key, locate ( if present) and click on ( highlight) each of the following:

C:\WINDOWS\system32\sysea.exe
C:\WINDOWS\System32\tibs5.exe

Now double-check and make sure that only those item(s) above are highlighted, then click " Kill process". Now, click " Refresh", check again, and repeat this step if any remain.


Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u winqr.dll

It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.



Run HiJackThis and click " Scan", then check(tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ncyut.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ncyut.dll/sp.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {AC744CBB-CAE9-45FF-286D-02D68E9FC988} - C:\WINDOWS\winqr.dll

O4 - HKLM\..\Run: [tibs5> C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [4E.tmp> C:\DOCUME~1\MATTNA~1\LOCALS~1\Temp\4E.tmp.exe 0 28129
O4 - Global Startup: Microsoft Windows.hta
O4 - Global Startup: TFTP3732

O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com


Now, with all windows closed except HiJackThis, click " Fix checked".


Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

files...

C:\WINDOWS\system32\sysea.exe
C:\WINDOWS\System32\tibs5.exe
C:\WINDOWS\system32\ncyut.dll
C:\WINDOWS\winqr.dll
C:\DOCUME~1\MATTNA~1\LOCALS~1\Temp\4E.tmp.exe

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're ' in use', try deleting them from " Safe Mode".


Post back a new log, and let me know how everything goes.

-

Mike.

mnachman

11 Posts

February 13th, 2005 17:00

Thanks.  I had to go back into safe mode to delete some files.

When I tried to install Housecall, explorer shut down 5 times in a row.  So I did the rest of the steps....

Under Hijack This, it would not let me remove:

04-Global Startup: TFTP3732

 

SpywareGuard is still popping up saying BHO's are trying to be changed.....

 

Here are the logs, thanks again...

Logfile of HijackThis v1.99.0
Scan saved at 2:27:33 PM, on 2/13/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\xl.exe
C:\WINDOWS\system32\mm\msngr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\mfcvn.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\LimeWire\LimeWire 4.2.5\LimeWire.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ntet.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\System32\pmxinit.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mfcvn.exe] C:\WINDOWS\system32\mfcvn.exe
O4 - HKLM\..\Run: [4E.tmp.exe] C:\DOCUME~1\MATTNA~1\LOCALS~1\Temp\4E.tmp.exe 3 28129
O4 - HKLM\..\RunOnce: [ntet.exe] C:\WINDOWS\ntet.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S1E.tmp"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: LimeWire 4.2.5.lnk = C:\Program Files\LimeWire\LimeWire 4.2.5\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TFTP3732
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Multimedia_Interface - Prism Microsystems, Inc. - C:\WINDOWS\system32\mm\aysshell.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: XtreamLok License Manager - Unknown - C:\WINDOWS\System32\xl.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\sysea.exe (file missing)

Scanned at: 1:17:12 PM   on: 2/13/2005


-- Scan 1 --------
About:Buster Version 2.11
Reference List : 11

Removed 2 Random Key Entries
Removed! : C:\WINDOWS\hqwgk.dat
Removed! : C:\WINDOWS\System32\ppdbi.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 2.11
Reference List : 11

Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

Scanned at: 1:59:32 PM   on: 2/13/2005


-- Scan 1 --------
About:Buster Version 2.11
Reference List : 11

Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 2.11
Reference List : 11

Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

 

 


 

 

Midnight Star

4.8K Posts

February 13th, 2005 18:00

mnachman,

I think we might be able to fix them from "safe mode", but before we do that, let's see what Kaspersky has to say about these...


Go to www.kaspersky.com, then:

1.  Click "Online virus scanner"
2.  Click "Browse", then browse to, then doubleclick on the following file(s), one at a time:

    C:\WINDOWS\System32\xl.exe
    C:\WINDOWS\system32\mm\msngr.exe
    C:\WINDOWS\ntet.exe

3.  Click "Submit"
4.  Post back the results.

Mike.

 

mnachman

11 Posts

February 13th, 2005 18:00

Here are the results:
 
C:\WINDOWS\System32\xl.exe     this file is ok
 C:\WINDOWS\system32\mm\msngr.exe   this file exceeds the limits of the scan
C:\WINDOWS\ntet.exe   this file is infected "ntet.exe - infected by Backdoor.Win32.Small.dc"
 
 
Thanks.
 
Matt

Midnight Star

4.8K Posts

February 13th, 2005 21:00

Matt,

I don't know; I just don't like the looks of that file. Are you using MSN Messenger? If so, which version?

Mike.

mnachman

11 Posts

February 13th, 2005 21:00

I don't use msn messenger.   I have no problem deleting it if it is just the .exe for msn messenger.  I use AOL.  Should I delete the one with the virus and this one?   Thanks.

 

matt

Midnight Star

4.8K Posts

February 13th, 2005 22:00

Matt,
 
Ok, then let's delete these two programs:
 
C:\WINDOWS\system32\mm\msngr.exe 
C:\WINDOWS\ntet.exe
 
Also, check this folder:
 
C:\WINDOWS\system32\mm  
 
If nothing else is in it that you recognize, delete it also.
 
 
When your done, reboot your computer and post back a new HiJackThis log.
 
-
 
Mike.
 

mnachman

11 Posts

February 14th, 2005 00:00

I went into safe mode and deleted both files.  The mm folder had files that looked like windows files in it, so I didn't delete everything.  When I rebooted windows, it said it was looking for the ntet.exe file.  I am still getting alerts from SpywareGuard that BHO's are trying to be added after rebooting.  Thanks for your patience.  Here is the log...

  Logfile of HijackThis v1.99.0
Scan saved at 9:47:40 PM, on 2/13/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\xl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\mfcvn.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\msdt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\System32\pmxinit.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mfcvn.exe] C:\WINDOWS\system32\mfcvn.exe
O4 - HKLM\..\RunOnce: [msdt.exe] C:\WINDOWS\msdt.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S1E.tmp"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: LimeWire 4.2.5.lnk = C:\Program Files\LimeWire\LimeWire 4.2.5\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TFTP3732
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Multimedia_Interface - Prism Microsystems, Inc. - C:\WINDOWS\system32\mm\aysshell.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: XtreamLok License Manager - Unknown - C:\WINDOWS\System32\xl.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\sysea.exe (file missing)

 

Midnight Star

4.8K Posts

February 14th, 2005 21:00

Matt,
 
Your welcome. I'm still thinking there a few trojans that we haven't yet recognized. Just make sure you don't clear your your recycle bin, until we're completely done.
 

Next, Open a command prompt by:
 
1.  Clicking " Start", then " Run...".
2.  Enter " cmd" ( without the quotes).
3.  Enter " services.msc" ( without the quotes).
 
-
 
Now, locate and ' stop' the following services, if present:
 
Multimedia_Interface - Prism Microsystems, Inc. ... (C:\WINDOWS\system32\mm\aysshell.exe)
 
Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services.
 

Run HiJackThis then:
 
1.  Click " Config..."
2.  Click " Misc Tools"
3.  Click " Open Process manager"
 
-
 
Next, while holding down the CTRL key, locate ( if present) and click on ( highlight) each of the following:
 
    C:\WINDOWS\system32\mfcvn.exe
    C:\WINDOWS\msdt.exe
 
Now double-check and make sure that only those item(s) above are highlighted, then click " Kill process". Now, click " Refresh", check again, and repeat this step if any remain.
 

Run HiJackThis and click " Scan", then check(tick) the following, if present:
 

R3 - Default URLSearchHook is missing
 
O4 - HKLM\..\Run: [mfcvn.exe> C:\WINDOWS\system32\mfcvn.exe
O4 - HKLM\..\RunOnce: [msdt.exe> C:\WINDOWS\msdt.exe
 
O23 - Service: Multimedia_Interface - Prism Microsystems, Inc. - C:\WINDOWS\system32\mm\aysshell.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\sysea.exe (file missing)
 

Now, with all windows closed except HiJackThis, click " Fix checked".
 

Go to www.windowssecurity.com, and then:
 
1. Click " Trojan Scan".
2. Click " Scan my computer for trojans!"
3  Click " Start scan"
 

Post back a new log, and let me know how everything goes.
 
-
 
Mike.
 

mnachman

11 Posts

February 15th, 2005 01:00

Everything went well.  Homepage is staying the same and no more notifications of BHO's.  Here is the newest log after doing everything....

 

Logfile of HijackThis v1.99.0
Scan saved at 9:50:32 PM, on 2/14/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\xl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\System32\pmxinit.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S1E.tmp"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: LimeWire 4.2.5.lnk = C:\Program Files\LimeWire\LimeWire 4.2.5\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TFTP3732
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: XtreamLok License Manager - Unknown - C:\WINDOWS\System32\xl.exe

Midnight Star

4.8K Posts

February 15th, 2005 13:00

Matt,
 
Good - glad to hear it! Now, let's move onto the next scan...
 

Download mwav.exe from MicroWorld, then:
1.  Double-click the mwav.exe icon to run it ( it'll self extract).
2.  Click " Scan".
3.  When it completes, post back the results from the 'Virus log information' pane.
 
 
Mike.
 

Message Edited by Midnight Star on 02-15-2005 09:48 AM

mnachman

11 Posts

February 16th, 2005 00:00

Here is the scan.....

File C:\WINDOWS\agvecz.dat infected by "Trojan-Downloader.Win32.Agent.bc" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\appid.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\crcd32.dll infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\d3xn.dll infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\htpatch.exe.bak tagged as not-a-virus:Tool.Win32.HTPatch.a. No Action Taken.

File C:\WINDOWS\kodwdj.dat infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\msdt.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\msopt.dll infected by "Trojan-Downloader.Win32.Small.kq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\njbhfy.dat infected by "Trojan-Downloader.Win32.Agent.bc" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\nnbryl.dat infected by "Trojan-Downloader.Win32.Agent.bc" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\ntjz32.exe infected by "Trojan-Downloader.Win32.Agent.ap" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\ntsk.exe infected by "Trojan-Downloader.Win32.Agent.al" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\n_srbaxn.log infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\n_yslcuk.dat infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\n_zvwzhr.dat infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\oscvzl.dat infected by "Trojan-Downloader.Win32.Agent.bc" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\rvitkz.dat infected by "Trojan-Downloader.Win32.Agent.bc" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\sdkgf.dll infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\sdkkz.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\sobrwh.dat infected by "Trojan-Downloader.Win32.Agent.bc" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\tbnphe.dat infected by "Trojan-Downloader.Win32.Agent.bc" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\wiiusl.dat infected by "Trojan-Downloader.Win32.Agent.bc" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\yvvhyl.dat infected by "Trojan-Downloader.Win32.Agent.bc" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\appww.dll infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\atlag.dll infected by "Trojan-Downloader.Win32.Agent.bc" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\atlic.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\mfcvn.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\msmv32.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\rxdif.dll infected by "not-a-virus:AdWare.JS.OneMoreSearch.a" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\sdkjx.exe infected by "Trojan-Downloader.Win32.Agent.bq" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\tkrdn.dll infected by "not-a-virus:AdWare.JS.OneMoreSearch.a" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\MATTNA~1\LOCALS~1\Temp\44.tmp infected by "Trojan-Downloader.Win32.Small.ahz" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\MATTNA~1\LOCALS~1\Temp\45.tmp infected by "not-a-virus:AdWare.WinShow.f" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\MATTNA~1\LOCALS~1\Temp\45.tmp.exe infected by "not-a-virus:AdWare.WinShow.f" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\MATTNA~1\LOCALS~1\Temp\4E.tmp infected by "not-a-virus:AdWare.WinShow.f" Virus. Action Taken: No Action Taken.

File C:\DOCUME~1\MATTNA~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\YZERELQZ\deliver46860[1].htm infected by "Exploit.HTML.Mht" Virus. Action Taken: No Action Taken.

Midnight Star

4.8K Posts

February 22nd, 2005 18:00

mnachman,

Sorry for taking so long to get back with you.

-

I'll be able to better research those entries around thursday of this week, when they switch me back over to dsl. I only have so many minutes available on my temporary dialup account and i'm trying to get through the e-mail backlog the best I can. So hang in there.

While i'm doing that, can you post up a fresh HiJackThis log, so I can see if we're still in the 'green'.

Mike.

 

mnachman

11 Posts

February 23rd, 2005 20:00

Here is the latest log...
 
Logfile of HijackThis v1.99.0
Scan saved at 5:43:35 PM, on 2/23/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\xl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM95\aim.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\System32\pmxinit.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S1E.tmp"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: LimeWire 4.2.5.lnk = C:\Program Files\LimeWire\LimeWire 4.2.5\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: TFTP3732
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: XtreamLok License Manager - Unknown - C:\WINDOWS\System32\xl.exe

Midnight Star

4.8K Posts

February 24th, 2005 13:00

mnachman,

Let's start off by deleting these files:

C:\DOCUME~1\MATTNA~1\LOCALS~1\Temp\44.tmp
C:\WINDOWS\agvecz.dat
C:\WINDOWS\appid.dll
C:\WINDOWS\crcd32.dll
C:\WINDOWS\d3xn.dll
C:\WINDOWS\kodwdj.dat
C:\WINDOWS\msopt.dll
C:\WINDOWS\n_srbaxn.log
C:\WINDOWS\n_yslcuk.dat
C:\WINDOWS\n_zvwzhr.dat
C:\WINDOWS\njbhfy.dat
C:\WINDOWS\nnbryl.dat
C:\WINDOWS\ntjz32.exe
C:\WINDOWS\ntsk.exe
C:\WINDOWS\oscvzl.dat
C:\WINDOWS\rvitkz.dat
C:\WINDOWS\sdkgf.dll
C:\WINDOWS\sdkkz.exe
C:\WINDOWS\sobrwh.dat
C:\WINDOWS\System32\appww.dll
C:\WINDOWS\System32\atlag.dll
C:\WINDOWS\System32\mfcvn.exe
C:\WINDOWS\System32\msmv32.exe
C:\WINDOWS\System32\sdkjx.exe
C:\WINDOWS\tbnphe.dat
C:\WINDOWS\wiiusl.dat
C:\WINDOWS\yvvhyl.dat

Next, do a "Start | Search" for the following:

*logonui*

...and delete anything that resembles that file from the 'prefetch' folder.

When we're done cleaning off your system, i'd recommend that you install all the critical windows updates available from Microsoft, upto service pack 1. This will help to make your system more secure and prevent many 'problems' from reoccuring in the future.


If you haven't ran HouseCall lately, let's go back to www.trendmicro.com, download the latest definitions, and run it.


Download, then unzip to " C:\HJT", the newest version of HiJackThis; version 1.99.1. Then repost your log, either now, or after following the steps in the solution ( if provided in this post). This version has features that might help in 'cleaning' up your system.


Run HiJackThis then:

1.  Click "Config..."
2.  Click "Misc Tools"
3.  Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

   C:\WINDOWS\system32\logonui.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.


Run HiJackThis and click " Scan", then check(tick) the following, if present:


O4 - Global Startup: TFTP3732


Now, with all windows closed except HiJackThis, click "Fix checked".


Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

files...

   C:\WINDOWS\system32\logonui.exe

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".


Post back a new MWAV log, and let me know how everything goes.

-

Mike.

 

Was this post helpful?

View All

No Events found!

Top