Jump to content


Photo
- - - - -

SOS!


  • This topic is locked This topic is locked
92 replies to this topic

#81 guestolo

guestolo

    Site Donator

  • Admin
  • PipPipPipPipPipPipPip
  • 16,247 posts

Posted 13 February 2005 - 03:11 PM

Did you try redownloading it?
Did you give it time to finish, even if it appears to freeze?

We almost have you clean I believe, but let the scans finish
Don't give it a great amount of time but make sure it's not doing anything at all

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#82 boogieonrw

boogieonrw

    Member

  • Members
  • PipPipPip
  • 63 posts

Posted 13 February 2005 - 04:08 PM

i did allow it a while.. i just redownloaded and will do it again

after it completes i will post all logs.... and in the mean time i will be keeping my fingers crossed,

being almost finished, that's awesome! almost a month later, but (slight exaggeration) still

#83 boogieonrw

boogieonrw

    Member

  • Members
  • PipPipPip
  • 63 posts

Posted 13 February 2005 - 07:18 PM

Logfile of HijackThis v1.99.0
Scan saved at 8:19:26 PM, on 2/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe

#84 boogieonrw

boogieonrw

    Member

  • Members
  • PipPipPip
  • 63 posts

Posted 13 February 2005 - 07:39 PM

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/asinst.dll]
".Owner"="{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}"
"{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/MediaTicketsInstaller.ocx]
".Owner"="{9EB320CE-BE1D-4304-A081-4B4665414BEF}"
"{9EB320CE-BE1D-4304-A081-4B4665414BEF}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.10/v3.dll]
".Owner"="v3cab"
"v3cab"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.11/loader2.ocx]
".Owner"="{79849612-A98F-45B8-95E9-4D13C7B6B35C}"
"{79849612-A98F-45B8-95E9-4D13C7B6B35C}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.12/loader2.ocx]
".Owner"="{79849612-A98F-45B8-95E9-4D13C7B6B35C}"
"{79849612-A98F-45B8-95E9-4D13C7B6B35C}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.13/loader2.ocx]
".Owner"="{79849612-A98F-45B8-95E9-4D13C7B6B35C}"
"{79849612-A98F-45B8-95E9-4D13C7B6B35C}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.14/loader2.ocx]
".Owner"="{79849612-A98F-45B8-95E9-4D13C7B6B35C}"
"{79849612-A98F-45B8-95E9-4D13C7B6B35C}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.15/loader2.ocx]
".Owner"="{79849612-A98F-45B8-95E9-4D13C7B6B35C}"
"{79849612-A98F-45B8-95E9-4D13C7B6B35C}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.16/loader2.ocx]
".Owner"="{79849612-A98F-45B8-95E9-4D13C7B6B35C}"
"{79849612-A98F-45B8-95E9-4D13C7B6B35C}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.17/loader2.ocx]
".Owner"="{79849612-A98F-45B8-95E9-4D13C7B6B35C}"
"{79849612-A98F-45B8-95E9-4D13C7B6B35C}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.5/v3.dll]
".Owner"="v3cab"
"v3cab"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.6/v3.dll]
".Owner"="v3cab"
"v3cab"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.7/v3.dll]
".Owner"="v3cab"
"v3cab"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.8/v3.dll]
".Owner"="v3cab"
"v3cab"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.9/v3.dll]
".Owner"="v3cab"
"v3cab"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx]
".Owner"="{9EB320CE-BE1D-4304-A081-4B4665414BEF}"
"{9EB320CE-BE1D-4304-A081-4B4665414BEF}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/mfc42.dll]
".Owner"="Unknown Owner"
"{9EB320CE-BE1D-4304-A081-4B4665414BEF}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/msvcrt.dll]
".Owner"="Unknown Owner"
"{9EB320CE-BE1D-4304-A081-4B4665414BEF}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/olepro32.dll]
".Owner"="Unknown Owner"
"{9EB320CE-BE1D-4304-A081-4B4665414BEF}"=""

#85 boogieonrw

boogieonrw

    Member

  • Members
  • PipPipPip
  • 63 posts

Posted 13 February 2005 - 07:40 PM

Scanned at: 5:13:53 PM on: 2/12/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

#86 boogieonrw

boogieonrw

    Member

  • Members
  • PipPipPip
  • 63 posts

Posted 13 February 2005 - 07:45 PM

find it nt just isnt' working...i've left it for an hour or so a few times today and it just won't open a log

is this one we can do it safe mode?

#87 boogieonrw

boogieonrw

    Member

  • Members
  • PipPipPip
  • 63 posts

Posted 13 February 2005 - 07:49 PM

i'm doing an updated mwav scan right now

i had to restart every time i tried to use finditnt,

is there a problem with that? u said that i had to run that again since i had to restart the one other time, so where does that leave us?

#88 boogieonrw

boogieonrw

    Member

  • Members
  • PipPipPip
  • 63 posts

Posted 14 February 2005 - 01:04 PM

File C:\WINDOWS\System32\306203.exe infected by "Trojan.Win32.Zapchast" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\lvno0953e.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\o884lilq18qe.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\!Submit\304390.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\!Submit\311375.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\!Submit\aim95.exe infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\!Submit\arkanoid.exe infected by "not-a-virus:AdWare.WinShow.f" Virus. Action Taken: No Action Taken.
File C:\!Submit\dfe.exe infected by "Trojan.Win32.LowZones.ac" Virus. Action Taken: No Action Taken.
File C:\!Submit\eree.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\!Submit\ewhtt.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\!Submit\fgrr.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\!Submit\htt.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\!Submit\iwdwin.dll infected by "not-a-virus:AdWare.PurityScan.ak" Virus. Action Taken: No Action Taken.
File C:\!Submit\js[1].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\!Submit\js[2].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\!Submit\KVIF_7.dll infected by "Trojan-Downloader.Win32.Keenval.e" Virus. Action Taken: No Action Taken.
File C:\!Submit\mac80ex.idf infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.
File C:\!Submit\MiniBugTransporter.dll infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\!Submit\mqexdlm.srg infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\!Submit\MY2NS.EXE infected by "not-a-virus:AdWare.Toolbar.MyWay.b" Virus. Action Taken: No Action Taken.
File C:\!Submit\MYBAR.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.g" Virus. Action Taken: No Action Taken.
File C:\!Submit\NDNuninstall6_22.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\!Submit\netut80ex.vxd infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\!Submit\SHAgentNew.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File C:\!Submit\SSK_B5.EXE infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.
File C:\!Submit\WinSuck.dll infected by "Trojan-Clicker.Win32.Agent.ca" Virus. Action Taken: No Action Taken.
File C:\!Submit\woinstall.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.
File C:\!Submit\Xcite2.exe infected by "not-a-virus:AdWare.F1Organizer.m" Virus. Action Taken: No Action Taken.
File C:\!Submit\ysb_prompt[1].php infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\AOL Downloads\setup90\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy2.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy5.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\jordan\Application Data\Mozilla\Firefox\Profiles\s18mqwrz.default\Cache\35897D89d01 tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\Documents and Settings\jordan\Desktop\l2mfix\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\Documents and Settings\jordan\Desktop\l2mfix.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\HJT\backups\backup-20050207-220637-306.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050207-220637-433.dll infected by "not-a-virus:AdWare.MediaTickets.f" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050207-220637-968.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-104237-313.dll infected by "not-a-virus:AdWare.MediaTickets.f" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-104237-432.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-104237-918.dll infected by "not-a-virus:AdWare.PurityScan.ak" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-143714-587.dll infected by "Trojan-Downloader.Win32.Agent.jm" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-143714-783.dll infected by "Trojan-Clicker.Win32.Agent.bz" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-145922-986.dll infected by "Trojan-Downloader.Win32.Agent.jm" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-225029-174.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-225029-354.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-225029-922.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050209-004902-169.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\AIM\Sysfiles\WxBug.EXE infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\Program Files\ESET\infected\FLPIUOBA.NQF infected by "Trojan-Dropper.Win32.Agent.ch" Virus. Action Taken: No Action Taken.
File C:\Program Files\ESET\infected\RMAD2MAA.NQF infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP1\A0000004.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\WINDOWS\system32\306203.exe infected by "Trojan.Win32.Zapchast" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\lvno0953e.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\o884lilq18qe.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.

#89 boogieonrw

boogieonrw

    Member

  • Members
  • PipPipPip
  • 63 posts

Posted 14 February 2005 - 01:05 PM

that's most everything besides the 2 command prompt text files that just won't work

#90 guestolo

guestolo

    Site Donator

  • Admin
  • PipPipPipPipPipPipPip
  • 16,247 posts

Posted 14 February 2005 - 03:21 PM

That Mwav scan from eScan's isn't as bad as it looks
But we have to get rid of the VX2 Infection and I believe a new trojan

Let's reenable some protection on your computer
Could you, right now....
I asked you to install SpywareBlaster earlier
Could you open the program and click the update button
And then check for updates
Let it download all updates and then Enable All protection

Once all protection is enabled it should read
Internet Explorer enabled
Restricted Sites enabled
Mozilla firefox enabled
Beside all of them it should read 0 items have protection disabled

Once that is done, SDHelper.dll may have been removed from an earlier infection
Part of Spybot 1.3
Could you download this Zip file
SDHelper13.zip
Save the Zip file to your desktop and Unzip it to the folder Spybot is installed too
The default location is C:\Program Files\Spybot - Search & Destroy folder
After you have that done
Open Spybot >>> Don't run a scan yet
Click the Immunize button>>>OK>>>Immunize at the top
Well your there could you put a tick in
"Enable Permanent blocking of bad addresses in Internet Explorer"

We're going to remove some entries from the registry
Could you download this tool please
Download Registrar Lite from here:
http://www.resplende...oad/reglite.exe
Install it, we'll need it shortly
Hold onto this tool, it's a great free registry editor

We'll try these small downloads to rid you of the VX2 infection
Could you also Download and save to Desktop DLLCompare

Double click to run it and click the Run Locate.com

Let it complete the SCAN, which won't take long

Click the Compare button to start the next process.This will take a bit longer.
Click the Make a Log of what was found button
Post back this log please

Next: Download and Save to desktop
VX2 Finder.exe
Double click to run it
Click the "Click to Find VX2.BetterInternet"
Let it complete the scan>>Again, won't take long
Make a log and post it back

Just want to check on one thing
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
Name the file as Export.bat
Save this on your Desktop

regedit /e Notify.reg "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


Double click on Export.bat
It will produce a new file on the desktop call Notify.reg
Right click on Notify.reg and choose EDIT>>copy and paste that back here too, thanks
Again, try not too Restart your computer
We'll try some final fixes

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#91 boogieonrw

boogieonrw

    Member

  • Members
  • PipPipPip
  • 63 posts

Posted 14 February 2005 - 04:51 PM

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\k644lg~1.dll Fri Feb 4 2005 1:45:12a ..S.R 229,736 224.35 K
________________________________________________

1,280 items found: 1,280 files (1 H/S), 0 directories.
Total of file sizes: 238,131,335 bytes 227.10 M

Administrator Account = True

--------------------End log---------------------

#92 boogieonrw

boogieonrw

    Member

  • Members
  • PipPipPip
  • 63 posts

Posted 14 February 2005 - 04:52 PM

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---


Guardian Key--- is called:
Asynchronous 000
DllName
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Shutdown WinShutdown

User Agent String---
{D2AD9633-36F1-4338-AA11-469CA091B890}

#93 boogieonrw

boogieonrw

    Member

  • Members
  • PipPipPip
  • 63 posts

Posted 14 February 2005 - 04:56 PM

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
================================================

After Chat

EDITING to add in results
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe

=====================================================

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---

===================================================

Locking this thread up, Boogie, I'll talk to you on chat if you need any further assistance,
Take care :D