Skip to main content

zbestwun2001

3 Apprentice

 • 

8.8K Posts

December 19th, 2004 15:00

You have a plethora or nasty things going on in there.
Between your 015, 01 entries and probobly more you do have problems for sure.
Hang tight and one of the HJT pros will be with you.

Now wonder you system is acting up.

Hang loose
Steve

Message Edited by zbestwun2001 on 12-19-2004 09:38 AM

Midnight Star

4.8K Posts

December 21st, 2004 16:00

meganu, 

Let's see if we can try and fix this; it might get a little complicated, so, if you have questions at any time, just post back.

First, let start off by looking where no-hijack has looked before:

1.  Downolad Dllcompare, and Killbox to your desktop.

2.  click "Run locate.com".

     When the scan is complete, you will see: Completed the scan, Click Compare to Continue

3. click "Compare".

    In a few minutes it be Completed


4. click "Make a Log of what was Found".

5. Post that back as a reply to this post.

Mike.

 

Midnight Star

4.8K Posts

December 22nd, 2004 23:00

meganu,

Now, let's download KillBox, unzip it to your desktop, then:

-----

1.  check(tick) "Replace on reboot"

2.  enter C:\WINDOWS\SYSTEM32\en82l1~1.dll, in "Full Path of File to Delete".

3.  check(tick) "Use Dummy".

4.  click the red-x, just right of where you entered the file to delete.

5.  Confirm that you want to replace the 'bad' file with the 'dummy'.

6.  When prompted to "Reboot Now", select "No".

7. Now repease steps #1 - #6 for the following files:

C:\WINDOWS\SYSTEM32\enj8l1~1.dll
C:\WINDOWS\SYSTEM32\fp6s03~1.dll
C:\WINDOWS\SYSTEM32\i6nmlg~1.dll
C:\WINDOWS\SYSTEM32\irnml5~1.dll
C:\WINDOWS\SYSTEM32\ixmon.dll
C:\WINDOWS\SYSTEM32\jhpl400.dll
C:\WINDOWS\SYSTEM32\l8p2li~1.dll
C:\WINDOWS\SYSTEM32\modmo.dll
C:\WINDOWS\SYSTEM32\o0rola~1.dll
C:\WINDOWS\SYSTEM32\rkpcfgex.dll
C:\WINDOWS\SYSTEM32\u8ru0i~1.dll

C:\Windows\System32\Guard.tmp

After entering the last file, when prompted to "Reboot Now", select "Yes".

-----

You can copy/paste these file name(s) to save on typing.

Now, let's go back and run DLLCompare again, just like we did in the previous post, and post back the results.

Be sure not to reboot your computer while we're working on this, otherwise we'll have a whole new set of program(s) to check for - this thing has a habit of changing the above names on reboot ... :(

Mike.

 

meganu

19 Posts

December 22nd, 2004 23:00

Thanks for your help Mike! Here's the log:

 

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\en82l1~1.dll   Mon Dec 13 2004   4:43:36p  ..S.R        224,027   218.77 K
C:\WINDOWS\SYSTEM32\enj8l1~1.dll   Mon Dec 20 2004   9:13:58p  ..S.R        223,051   217.82 K
C:\WINDOWS\SYSTEM32\fp6s03~1.dll   Sat Dec 18 2004   6:57:28p  ..S.R        225,665   220.38 K
C:\WINDOWS\SYSTEM32\i6nmlg~1.dll   Sun Dec 19 2004  10:18:00a  ..S.R        226,058   220.76 K
C:\WINDOWS\SYSTEM32\irnml5~1.dll   Tue Dec 21 2004  11:27:48p  ..S.R        224,902   219.63 K
C:\WINDOWS\SYSTEM32\ixmon.dll      Sat Dec 11 2004  10:49:32a  ..S.R        224,027   218.77 K
C:\WINDOWS\SYSTEM32\jhpl400.dll    Wed Dec 15 2004   4:53:58p  ..S.R        223,888   218.64 K
C:\WINDOWS\SYSTEM32\l8p2li~1.dll   Sat Dec 18 2004   7:08:04p  ..S.R        226,180   220.88 K
C:\WINDOWS\SYSTEM32\modmo.dll      Sat Dec 18 2004   6:34:02p  ..S.R        224,902   219.63 K
C:\WINDOWS\SYSTEM32\o0rola~1.dll   Sun Dec 19 2004  12:00:16a  ..S.R        225,025   219.75 K
C:\WINDOWS\SYSTEM32\rkpcfgex.dll   Wed Dec 22 2004   5:15:24p  ..S.R        223,051   217.82 K
C:\WINDOWS\SYSTEM32\u8ru0i~1.dll   Wed Dec 15 2004   6:49:58p  ..S.R        223,888   218.64 K
________________________________________________

1,262 items found:  1,262 files (12 H/S), 0 directories.
Total of file sizes:  247,223,286 bytes    235.77 M

Administrator Account =  True

--------------------End log---------------------

 

meganu

19 Posts

December 23rd, 2004 23:00

Ok, here's the new log:

 

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\en24l1~1.dll   Wed Dec 22 2004  11:17:26p  ..S.R        223,051   217.82 K
C:\WINDOWS\SYSTEM32\i4jqle~1.dll   Thu Dec 23 2004   8:02:48p  ..S.R        224,902   219.63 K
________________________________________________
1,263 items found:  1,263 files (3 H/S), 0 directories.
Total of file sizes:  245,200,186 bytes    233.84 M
Administrator Account =  True
--------------------End log---------------------
 
 
Much shorter this time...that's good, right? Although, when I rebooted the computer, I got two errors:
 
One said, An exception occurred while trying to run ""C:\WINDOWS\System32\SZSSetup.dll",UMonitor"
 
The other one said, An application has generated an exception that could not be handled. Process id=0x7bc(1980), Thread id=0x274(628). Click OK to terminate application. Click cancel to debug the application.
 
I clicked cancel....but what do these errors mean?
 
Thanks!!
Megan

Midnight Star

4.8K Posts

December 23rd, 2004 23:00

Megan,
 
Yes it does! Your doing great!

We've only gotten to part of the problem, there's still some things running that we need to fix as well, and those can be generating that error. Once they're removed, those error messages should go away. This is one of the toughest problems to fix!

Let's take the next pass...

Now, let's run KillBox again, then:

-----

1.  check(tick) "Replace on reboot"

2.  enter C:\WINDOWS\SYSTEM32\en24l1~1.dll , in "Full Path of File to Delete".

3.  check(tick) "Use Dummy".

4.  click the red-x, just right of where you entered the file to delete.

5.  Confirm that you want to replace the 'bad' file with the 'dummy'.

6.  When prompted to "Reboot Now", select "No".

7. Now repease steps #1 - #6 for the following files:

C:\WINDOWS\SYSTEM32\i4jqle~1.dll

C:\Windows\System32\Guard.tmp

After entering the last file, when prompted to "Reboot Now", select "Yes".

-----

You can copy/paste these file name(s) to save on typing.

I'll see if we can get some of the log entry(s) cleaned up next, then we'll try running this program again to see if we've gotten everything.

Remember, don't reboot your computer until we're done.

Hang in there ... :)

Mike.

Midnight Star

4.8K Posts

December 24th, 2004 00:00

Megan,
 
Ok, let see what we can do now...
 
 
Reboot your computer into " Safe Mode".
 

Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
 
regsvr32  /u  PQ2.dll
 
It's ok, if these aren't found.
 

Now, let's run HiJackThis, then:
 
1.  click " Config..."
2.  click " Misc Tools"
3.  click " Delete a file on reboot"
4.  browse to, then double-click on each of the file(s) below, one at a time:
 
     C:\Documents and Settings\Us\Application Data\eetu.exe
   
5.  when prompted to " Reboot Now", after selecting each file, select " No".
 

Run HiJackThis and click " Scan", then check(tick) the following, if present:
 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
 
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
 
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
(If HiJackThis 'crashes' when trying to fix these entry(s), then omit them and try again.)
 
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Us\Local Settings\Temp\PQ2.dll
 
O3 - Toolbar: Adorons Easy Security - {F2570A0D-001D-477D-93D1-D05EF5EB95CD} - C:\Program Files\Enigma Software Group\Adorons Easy Security\ETB.dll (file missing)
 
O4 - HKLM\..\Run: c:\documents and settings\us\local settings\temp\N.exe
O4 - HKLM\..\Run: [qvTe] c:\documents and settings\us\local settings\temp\qvTe.exe
O4 - HKLM\..\Run: [L3CyjtTH] C:\documents and settings\us\local settings\temp\L3CyjtTH.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Us\Application Data\eetu.exe
O4 - HKCU\..\Run: [Fekn] C:\WINDOWS\System32\?hkdsk.exe
 
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
(Unless you've set these with a anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.)
 
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
 

Now, with all windows closed except HiJackThis, click " Fix checked".
 

Run "Disk Cleanup" and allow it to remove everything it finds; especially temporary folders.

Reboot your computer normally.

Run DLLCompare again, and post back the results along with a new log.

Mike.

 

 

meganu

19 Posts

December 24th, 2004 19:00

Mike,
Good news!!! Here's the DLLCompare Log:
 
*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
1,261 items found:  1,261 files, 0 directories.
Total of file sizes:  244,529,238 bytes    233.20 M
Administrator Account =  True
--------------------End log---------------------
 
But I still got one of the errors on startup, the one asking me to click ok to continue and cancel to debug.
 
Does this mean everything is all clear?? If so, how do I keep this from happening again? I have mcafee online virus scan (came with the computer) and spybot, ad-aware, AVG virus scan, and I can go to those websites (housecall and symantec) to run the scans they have. I'm also going to download firefox browser, which I've heard is a lot more secure than IE. Should I buy more virus protection, or spyware protection? Or will all this be enough? Don't want to go through this again!
 
Thanks!!
Megan

Midnight Star

4.8K Posts

December 24th, 2004 19:00

Megan,

Exceptional work! That definitely is great news!

Ok, let's see what we've got left, then we'll move on to that problem. Also on your other questions, let's take those one step at a time; don't buy anything yet. I'll keep this thread open as long as you need, so don't hesitate to ask every question you can possibly think of - trust me.

There's alot of things we can do, but let's start out by posting back a new hijackthis log and let me see what we have left to fix.

Mike.

 

Midnight Star

4.8K Posts

December 25th, 2004 01:00

Megan,
 
Ok, let's first take a pass with HiJackThis and see what we've got. If the entries come back, we'll need to run DLLCompare again and see make sure we're ok in that area.
 
Remember not to reboot your computer until we've gotten your system cleaned...
 
 
Let's see what these turn up now...
 
 
Go to www.trendmicro.com and click "Free Online Scan". When it's down, select all available drives, then click "Scan".
 
Run AdAware SE Personal and " perform a full system scan".
 
-
 
Download the VX2 Cleaner for AdAware SE and follow the instructions on that page.
 
-
 
Run Spybot S&D, then click " Check for Problems".
 
 
Now, let's download About:Buster and unzip it to your desktop. Be sure to check for updates before clicking "Start". If it finds anything, be sure to run it again, just to be sure.
 
 
Now, let's run HiJackThis, then:
 
1.  click " Config..."
2.  click " Misc Tools"
3.  click " Delete a file on reboot"
4.  browse to, then double-click on each of the file(s) below, one at a time:
 
    C:\Documents and Settings\Us\Application Data\eetu.exe
   C:\Program Files\Kontiki\bin\bh309190.dll
 
5.  when prompted to " Reboot Now", after selecting each file, select " No"
 
If some aren't present, just skip it and move onto the next.
 

Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
 
regsvr32  /u  bh309190.dll
 
It's ok, if these aren't found.
 

Run HiJackThis and click " Scan", then check(tick) the following, if present:
 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
 
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
 
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Us\Application Data\eetu.exe
O4 - HKCU\..\Run: [Fekn] C:\WINDOWS\System32\?hkdsk.exe
 
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
(Unless you've set these with a anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.)
 
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
 
O9 - Extra button: (no name) - {F2570A0D-001D-477D-93D1-D05EF5EB95CD} - (no file)
 
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
 

Now, with all windows closed except HiJackThis, click " Fix checked".
 

Post back a new log.

Mike.

PS: Sorry Megan, I need to add an additional step.

 

Message Edited by Midnight Star on 12-24-2004 09:48 PM

meganu

19 Posts

December 25th, 2004 01:00

Mike,
 
Looks like some of the things we got rid of are back again.....
 
 
Logfile of HijackThis v1.99.0
Scan saved at 10:15:20 PM, on 12/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Documents and Settings\Us\Application Data\eetu.exe
C:\WINDOWS\System32\?hkdsk.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Basic - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Basic\popuppro.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Us\Application Data\eetu.exe
O4 - HKCU\..\Run: [Fekn] C:\WINDOWS\System32\?hkdsk.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {F2570A0D-001D-477D-93D1-D05EF5EB95CD} - (no file)
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivillage.com/save/makeover.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/shared/McMySec/en-us/1,0,0,2/mcmysec.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
 
 
 
Hope you have a great holiday! I won't be home tomorrow so I'll check back on Sunday.
Thanks!
Megan

Midnight Star

4.8K Posts

December 25th, 2004 02:00

Megan,

Sorry, I got one step ahead of myself - it's getting close to Christmas day! Let's try this first, before running HiJackThis, to make sure that nothing else has returned.

Run DLLCompare again, and post back the results.

-

Remember not to reboot your system just yet.

Mike.

 

Midnight Star

4.8K Posts

December 27th, 2004 00:00

Megan,
 
Wow! That's some good new indeed! Pat yourself on the back! - Excellent work!
 
 
Ok, now we need to fix some of the damage that garbage did to your system and do one more thing:
 
 -

Run Killbox again, but this time just copy/paste the following names, one at a time, in the file name to delete field:

  •  C:\Windows\System32\Guard.tmp
  •  C:\RECYCLER\Desktop.ini

then click the red-x to delete these files.

Download and run VX2Finder, then: 

1.  Click "Restore Policy"

2. Click "User Agent$"

From a command line, run "regedit" then go to the following registry key:

  1.  HKEY_LOCAL_MACHINE
  2. SOFTWARE
  3. Microsoft
  4. Windows NT
  5. CurrentVersion
  6. Winlogon
  7. Notify

Look for an entry that says:

DLLName="c:\\windows..."

It's have a randomly named file where the "..." is. Post back the name of that file and close the registry editor, without changing any of the data.

Let me know when your done with that, and post back a new log - let's see if anything is left.

Mike.

 

meganu

19 Posts

December 27th, 2004 00:00

Mike,
 
Ok, I ran DLL Compare:
 
 
*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
1,266 items found:  1,266 files, 0 directories.
Total of file sizes:  245,755,062 bytes    234.37 M
Administrator Account =  True
--------------------End log---------------------
 
Then I did the free scan at trendmicro -- it didn't find anything.
I ran Ad-Aware and it found a few things. Here's the beginning of the log (summary info only - the whole thing is really long):
 

Ad-Aware SE Build 1.05
Logfile Created on:Sunday, December 26, 2004 7:49:55 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R23 16.12.2004
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CoolWebSearch(TAC index:10):6 total references
midADdle(TAC index:4):9 total references
Possible Browser Hijack attempt(TAC index:3):26 total references
Tracking Cookie(TAC index:3):36 total references
TX4.BrowserAd(TAC index:3):6 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

12-26-2004 7:49:55 PM - Scan started. (Full System Scan)
 
I downloaded VX2 Cleaner and ran Ad-Aware again, it found MRUList this time
Then I ran Spybot, which found WebTrends live, CoolWWW Search.Googlems, and DSO Exploit.
Then I ran About:Buster but all it said was No Ads Found.
 
Unfortunately, the computer was rebooted over the weekend....I forgot to tell my husband to leave it on, and he turned the computer off while I was gone. Hopefully it hasn't created more problems...
 
I'm assuming I should run HiJackThis next, but I'll wait till I hear back from you.
 
Thanks and I hope you had a nice holiday!
Megan
 

meganu

19 Posts

December 28th, 2004 10:00

Woops, forgot I wanted to post the VX2 Finder log:

 

Log for VX2.BetterInternet File Finder (ALL)
 
Files Found---
Additional Files---
Keys Under Notify---
crypt32chain
cryptnet
cscdll
igfxcui
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
ThemeManager
wlballoon



 

Guardian Key--- is called:


 

Guardian Key--- :


 

User Agent String---



 

Was this post helpful?

View All

No Events found!

Top