TheTechGuide Forum
General Category => Tech Clinic => Topic started by: smallclaimshammer on February 14, 2005, 01:14:58 AM
-
There are 12 startup programs that I have shut off (WinTool, Internet Optimizer, tgcmdprovidersbc, etc.). Should all be enabled in msconfig before I scan? I ran Spybot, Ad-Aware SE and CWShredder, and only 4 of 20 items have been removed. Each time their scan is interrupted by "EXPLORER has performed an illegal operation" or "Rundll32 illegal operation" and the system freezes up. I ran Mwav.exe and 3.5 hours later, with 13,400 files scanned, it shut down; error messages began to scroll in the top box at a high rate. Just before its high-speed error run it was scanning WIN98 files, and the count was 17 viruses (lost the screen with details) and 41 errors. I stopped the program. Ctrl+Alt+Delete showed the Rundll32 program running. I need to do the HJT log, but I'm worried about re-enabling all the programs I have shut off. Please give me your best advice; it will be greatly appreciated.
-
Hi again smallclaimshammer
Can you do this for me please
I'll assume I won't see the results from the MWav scan from eScan
If you could, maybe later we could look at those
We'll see if we need it
The best thing you could do is ensure that Spybot and Ad-Aware are fully updated
With Ad-Aware>>Click the
check for updates now link and Connect to download the latest updates
Don't run a scan yet
Spybot>>Click the Update button on the left, in the window on the right click the
SEARCH FOR UPDATES button, Check and download all updates
Don't run a scan yet
Restart your computer into
Safe mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039)
Open Ad-Aware
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All Objects" option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer back to SAFE MODE to finish the cleaning process
Back in safe mode
Open Spybot
In the right window, click the
Check for Problems button and let it complete its scanning---Ensure you check and FIX everything in RED---they should be checked by default
RESTART your computer back to Normal mode to finish the Cleaning process
When you're back in Normal mode
Go back to MSCONFIG
Enable everything so that we don't miss anything
If it prompts you to Restart, don't at this time
I'll give you the instructions for Hijackthis
Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT
Now you will have C:\HJT
Download Hijackthis from https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe or http://aumha.org/downloads/hijackthis.exe
Save it to that new folder
Do a SCAN and Save a Log file---Save the log----copy and paste the WHOLE contents of the log here... Don't try and fix anything yet----It is all important
To copy and paste the whole log
Click EDIT>>Select All
Right click and choose COPY
Come back here and in your reply box back to me
Right click in the Reply box and choose Paste
Unfortunately I probably won't see your log until tomorrow
But we'll get you running clean again
If you don't have to shut down your computer, just leave it running
If you were able to save any of the log from eScan, go ahead and post it
If not, don't worry about it
-
Hello, guestolo. Thanks for the instructions and help on this post. I'll just summarize what I did briefly. The download of HijackThis went to the Desktop, not the HJT folder I set up; the Firefox browser I am now using is set that way. I moved the file from the Desktop to HJT, with a shortcut to HJT on the Desktop. I did all updates to Spybot and Ad-Aware. Ran Ad-Aware first, in Safe Mode. During the scan "Explorer illegal operation" and "Rundll32 illegal operation" error boxes appeared, but Ad-Aware was still running the scan. I waited till it was through, then closed the boxes and did repair to all. It found 27 entries: 6 CWS, 9 Alexa, 5 Hijacker, 1 Surfsidekick, 6 Redirect to 69.20.16.183. Quarantined all. The Deleting selection box showed it had loaded all the way across, but stopped on screen at that point. No other prompt appeared. I rebooted to safe mode and did the Spybot scan. It found 8 entries: 6 CWS, 1 IGetNet, 1 common hijacker. All were pre-checked except Common hijacker. I did repair; only three showed done: CWS bootconf, CWS loadbat, IGetNet. I rebooted to safe mode, rescanned with Spybot, and only IGetNet and Common hijacker appeared. I repaired both; an error in Fix Problem appeared: "Datei C:\Windows\Hosts kann nicht geöffnet werden" (German for "File C:\Windows\Hosts cannot be opened"; not exact, maybe). I closed the error, and IGetNet was repaired. Then rebooted to normal. Went to msconfig, enabled all, did not reboot as prompted, ran HijackThis exactly as outlined. Saved the log. When I went to get online, DSL was connecting, but the Firefox browser would not connect; the page looked different, but I tried all known connects and settings. I had to reboot. You wanted it left on and NO reboot. I was just now able to get back online, even with all programs started up. Please see the attached HJT log, and let me know if I need to start over on this process, since it did not go as per your detailed instructions.
Logfile of HijackThis v1.99.0
Scan saved at 3:02:47 AM, on 2/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thetechguide.com/forum/index.php?showtopic=13518
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: {FD0B1A83-4F7C-11D5-BD9C-000103C116D5} - - (no file)
F1 - win.ini: run=HPFsched
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\CXTPLS_LOADER.EXE" /HideUninstall /HideDir /PC= CP.AMS /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMenu.EXE"
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\TEMP\RECOVE~1.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
Thanks again, JRT
-
Hello, guestolo. I did another eScan Mwav, all local drives, scan all files and subs. Done after the HijackThis log was posted, no shutdown or reboot. It follows:
File C:\WINDOWS\SYSTEM\AKLSP.DLL infected by "Trojan-Downloader.Win32.Agent.br" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\appsetup.exe infected by "Trojan-Downloader.Win32.Small.aco" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\d8.exe infected by "Trojan-Downloader.Win32.Small.ahx" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\akcore.dll infected by "not-a-virus:AdWare.Coreak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\akupd.dll infected by "Trojan-Downloader.Win32.Agent.br" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\akrules.dll infected by "Trojan-Downloader.Win32.Agent.bt" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\aklsp.dll infected by "Trojan-Downloader.Win32.Agent.br" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\akcore.dll infected by "not-a-virus:AdWare.Coreak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\akupd.dll infected by "Trojan-Downloader.Win32.Agent.br" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\akrules.dll infected by "Trojan-Downloader.Win32.Agent.bt" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\aklsp.dll infected by "Trojan-Downloader.Win32.Agent.br" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File C:\WINDOWS\Desktop\PCRescueSetup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\Desktop\l2mfix.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\WINDOWS\Desktop\l2mfix\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\WINDOWS\appsetup.exe infected by "Trojan-Downloader.Win32.Small.aco" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\d8.exe infected by "Trojan-Downloader.Win32.Small.ahx" Virus. Action Taken: No Action Taken.
File C:\win98\WIN98_66.CAB tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\win98\ols\csi\uskit.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\win98\ols\at&t\attkit.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\win98\ols\aol\aol40au.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\win98\ols\aol\aol40ca.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\win98\ols\aol\aol40uk.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\win98\ols\aol\aol40us.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\win98\cdsample\sampler.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\30.exe infected by "Trojan-Clicker.Win32.Agent.bf" Virus. Action Taken: No Action Taken.
File C:\NULL infected by "Trojan-Downloader.Win32.Wintool.e" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\akcore.dll infected by "not-a-virus:AdWare.Coreak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\akupd.dll infected by "Trojan-Downloader.Win32.Agent.br" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\akrules.dll infected by "Trojan-Downloader.Win32.Agent.bt" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\aklsp.dll infected by "Trojan-Downloader.Win32.Agent.br" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File C:\WINDOWS\Desktop\PCRescueSetup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\Desktop\l2mfix.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\WINDOWS\Desktop\l2mfix\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\WINDOWS\appsetup.exe infected by "Trojan-Downloader.Win32.Small.aco" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\d8.exe infected by "Trojan-Downloader.Win32.Small.ahx" Virus. Action Taken: No Action Taken.
Hope this helps, I appreciate your help. JRT
-
I just want to check on a couple things
Your Winsock layers have been hijacked; that's probably the first reason why you got booted offline
Can you open Spybot
Click Mode at the Top>>Advanced Mode>>Ok the prompt
Click Tools>>Uninstall Info
You should now see a list of programs
Can you right click an empty spot in the list and select EXPORT
In the "Save In" drop down bar at the top save it to DESKTOP
Then click the SAVE button
Close out Spybot
Can you open that new Spybot S&D Report.txt on the desktop and Copy and paste it back here, thanks
Could you also download LSPfix.zip from this link
http://www.cexx.org/lspfix.htm
UNZIP the contents to your desktop
Open LSPfix.exe
Let me know what you see on the KEEP side, also let me know what you see on the REMOVE side, thanks
-
Hello again. Please see the Spybot uninstall report; will run and post LSPfix after this.
(DXM_Runtime)
(ICW)
(IE40)
(DirectDrawEx)
(Fontcore)
(IE5BAKEX)
(SchedulingAgent)
(IEData)
(MSJavaVM)
(MSTASK)
(IE4Data)
(ComicChat)
NetMeeting 3.0 (NetMeeting)
(OutlookExpress)
uninstall cmd: "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /UNINSTALL /PROMPT
(AddressBook)
uninstall cmd: "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /UNINSTALL /PROMPT
LiveUpdate (LiveUpdate)
uninstall cmd: C:\Program Files\Symantec\LiveUpdate\Uninst.exe -u
Rescue Disk (Norton Rescue)
LiveAdvisor (Symantec Corporation) 1.0.0.579 (LiveAdvisor)
install location: C:\Program Files\Common Files\Symantec Shared\LiveAdvisor
uninstall cmd: C:\Program Files\Common Files\Symantec Shared\LiveAdvisor\VCSETUP.EXE /REMOVE
publisher: Symantec Corporation
Norton SystemWorks 2000 (Norton SystemWorks Uninstaller)
uninstall cmd: C:\WINDOWS\NSUNINST.EXE
Microsoft Office 97, Professional Edition (Office8.0)
uninstall cmd: C:\Program Files\Microsoft Office\Office\Setup\Acme.exe /w Off97Pro.STF
(ShockwaveFlash)
WinZip 8.1 (4331) (WinZip)
version (major): 8
version (minor): 1
install location: C:\PROGRA~1\WINZIP\
uninstall cmd: "C:\PROGRAM FILES\WINZIP\WINZIP32.EXE" /uninstall
publisher: WinZip Computing, Inc.
help link: http://www.winzip.com/xsupport.htm
(128PATCH)
(HTMLHelp)
(Microsoft NetShow Player 2.0)
(SBC Yahoo! Base Components)
uninstall cmd: C:\PROGRA~1\YAHOO!\COMMON\UNYBASE.EXE
HP DeskJet 820C Series (Remove only) (HP DeskJet 820C Series)
uninstall cmd: C:\Program Files\HP DeskJet 820C Series\HPFiui.exe -dHPF -n09 -p820C -huninstall:820C
(vgxupdate)
(KB870669)
(VGX)
Logitech Pocket Digital ({83A881FC-79D3-4A66-A173-F38BEBA40866})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\ENGINE\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{83A881FC-79D3-4A66-A173-F38BEBA40866}\SETUP.EXE" -l0x9 UNINSTALL
MGI PhotoSuite 4 (Remove Only) (MGI_PRISM_V4_0)
install location: C:\Program Files\MGI\MGI PhotoSuite 4
uninstall cmd: "C:\Program Files\MGI\MGI PhotoSuite 4\System\MGIUninstall.exe" C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MGI\MGI PhotoSuite 4\Uninst.isu" -c"C:\Program Files\MGI\MGI PhotoSuite 4\System\CustomUninstall.dll"
publisher: MGI Software Corp.
(TopConverting)
(MSWALLET)
Spybot - Search & Destroy 1.3 1.3 (Spybot - Search & Destroy_is1)
uninstall cmd: "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
publisher: Safer Networking Limited
EnterNet 300 (EnterNet 300)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Efficient Networks\EnterNet 300\Uninst.isu" -c"C:\Program Files\Efficient Networks\EnterNet 300\NTSUninstall.dll"
SBC Yahoo! Applications (SBC Yahoo! Applications)
uninstall cmd: C:\Program Files\SBC Yahoo!\UninstallManager.exe
(SBC Yahoo! UMUninstaller)
uninstall cmd: "C:\Program Files\SBC Yahoo!\umuninst.exe" /S
Mozilla Firefox (1.0) 1.0 (en-US) (Mozilla Firefox (1.0))
install location: C:\Program Files\Mozilla Firefox
uninstall cmd: C:\WINDOWS\UninstallFirefox.exe /ua "1.0 (en-US)"
publisher: Mozilla
Mozilla Thunderbird (1.0) 1.0 (en) (Mozilla Thunderbird (1.0))
install location: C:\Program Files\Mozilla Thunderbird
uninstall cmd: C:\WINDOWS\UninstallThunderbird.exe /ua "1.0 (en)"
publisher: Mozilla
(MPlayer2)
HijackThis 1.99.0 1.99.0 (HijackThis)
uninstall cmd: C:\UNZIPPED\HIJACKTHIS\HijackThis.exe /uninstall
publisher: Soeperman Enterprises Ltd.
J2SE Runtime Environment 5.0 Update 1 1.5.0.10 ({3248F0A8-6813-11D6-A77B-00B0D0150010})
version: 17104896
version (major): 1
version (minor): 5
estimated size: 252001
install date: 20050207
install source: C:\WINDOWS\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150010}\
uninstall cmd: MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150010}
publisher: Sun Microsystems, Inc.
contact: http://java.com
help link: http://java.com
readme: C:\Program Files\Java\jre1.5.0_01\README.txt
Ad-Aware SE Personal (Ad-Aware SE Personal)
uninstall cmd: C:\PROGRA~1\LAVASOFT\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~1\INSTALL.LOG
publisher: Lavasoft
help link: http://www.lavasoft.de
Tweak-SE plug-in for Ad-Aware SE (Tweak-SE plug-in for Ad-Aware SE)
uninstall cmd: C:\PROGRA~1\LAVASOFT\AD-AWA~1\PLUGINS\TWEAKSE\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~1\PLUGINS\TWEAKSE\INSTALL.LOG
publisher: Lavasoft
help link: http://www.lavasoft.de
Messenger-Control plug-in for Ad-Aware SE (Messenger-Control plug-in for Ad-Aware SE)
uninstall cmd: C:\PROGRA~1\LAVASOFT\AD-AWA~1\PLUGINS\MESSEN~1\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~1\PLUGINS\MESSEN~1\INSTALL.LOG
publisher: Lavasoft
help link: http://www.lavasoft.de
FileSpecs plug-in for Ad-Aware SE (FileSpecs plug-in for Ad-Aware SE)
uninstall cmd: C:\PROGRA~1\LAVASOFT\AD-AWA~1\PLUGINS\FILESP~1\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~1\PLUGINS\FILESP~1\INSTALL.LOG
publisher: Lavasoft
help link: http://www.lavasoft.de
LSP Explorer plug-in for Ad-Aware SE (LSP Explorer plug-in for Ad-Aware SE)
uninstall cmd: C:\PROGRA~1\LAVASOFT\AD-AWA~1\PLUGINS\LSPEXP~1\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~1\PLUGINS\LSPEXP~1\INSTALL.LOG
publisher: Lavasoft
help link: http://www.lavasoft.de
VX2 Cleaner plug-in for Ad-Aware SE (VX2 Cleaner plug-in for Ad-Aware SE)
uninstall cmd: C:\PROGRA~1\LAVASOFT\AD-AWA~1\PLUGINS\VX2CLE~1\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~1\PLUGINS\VX2CLE~1\INSTALL.LOG
publisher: Lavasoft
help link: http://www.lavasoft.de
CleanUp! (CleanUp!)
uninstall cmd: C:\Program Files\CleanUp!\uninstall.exe
SpywareBlaster v3.2 3.2.0 (SpywareBlaster_is1)
uninstall cmd: "C:\Program Files\SpywareBlaster\unins000.exe"
publisher: Javacool Software LLC
MRU-Blaster v1.5 (Database 3/28/2004) 1.5 (MRU-Blaster_is1)
uninstall cmd: "C:\Program Files\MRU-Blaster\unins000.exe"
publisher: Javacool Software LLC
JRT
-
Guestolo, LSPfix showed listings in KEEP: rnr20.dll, AKLSP.DLL, mswsosp.dll, rsvpsp.dll. No listings in REMOVE. JRT
-
Hi again smallclaimshammer
I pm'ed you
If you added any more Anti-spyware tools or Security programs to your computer
Can you supply me with a fresh hijackthis log, thanks
If not can you carry on with these instructions
Whenever I see the Winsock layers hijacked I like to ensure that the user backs up the registry
Let's do it manually
Go to START>>RUN>>type in regedit
Hit OK
In the Reg. Editor>>>Ensure "My Computer" is highlighted
Click "Registry" at the top
"Export Registry File"
In the new box>> Save in "My Documents"
File Name>>Give it a Name Backup >>>Click SAVE
Let it finish saving and then Exit the Registry Editor
You may want to Print the rest of this out or Save it to a Notepad file on your desktop
for easy access
Disconnect completely from the Internet
Close down all Browser windows, including this one
Ensure that you unzipped LSPfix and you're not running it from within the Zip file
With ONLY LSP fix open
Check "I know what I'm doing".
Then select all instances of aklsp.dll (and nothing else) in the left pane,
click the arrow button to have them moved into the right hand panel (the Removal pane). Click Finish <--you may have to scroll down a bit to see it; Finish is NOT the X button at the top
Restart the computer into safe mode
Find and delete these files if they exist, send them to the recycle bin for now
C:\WINDOWS\SYSTEM\aklsp.dll <--file
C:\WINDOWS\appsetup.exe <--file
C:\WINDOWS\d8.exe <--file
C:\WINDOWS\CXTPLS_LOADER.EXE <--file
C:\WINDOWS\SYSTEM\akcore.dll <--file
C:\WINDOWS\SYSTEM\akupd.dll <--file
C:\WINDOWS\SYSTEM\akrules.dll <--file
C:\30.exe <--file
C:\NULL
Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:
R3 - URLSearchHook: {FD0B1A83-4F7C-11D5-BD9C-000103C116D5} - - (no file)
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\CXTPLS_LOADER.EXE" /HideUninstall /HideDir /PC= CP.AMS /ShowLegalNote=nonbranded
After you have ticked the above entries, close All other open windows.
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart your computer back to Normal mode
Can you update your version of Hijackthis from my Signature below
Save it to a separate folder from the version you're using
Do another scan with the latest and post a fresh log, thanks
==============================================
Don't do this unless>>You have problems with loss of Connection issues
Restore the files we deleted from the recycle bin
Navigate to Backup.reg and double click on it and allow to merge to Registry
Restart your computer
==============================================
Could you also Navigate to the folder that Spybot is installed
C:\Program Files\Spybot - Search & Destroy
Open the folder, Right click on advcheck.dll
Select "Properties"
What is the Modified date of the file?
-
Hello, guestolo. Hope you are doing well! I ran the regedit backup. I ran a HijackThis log and saved it as Log 3; no repairs were done. Did this to snapshot what was going on before I started on the newest list you gave me. Made sure all startups were enabled, then shut down to rerun Ad-Aware and Spybot in Safe Mode. (My time online, since posting the HijackThis log, had slowed to a crawl.) Thought I'd just re-run what we had done before, and good thing: all the CWS, IGetNet, Redirects and common hijacker were back. When I went to do the shutdown to start, it hung on "Windows shutting down". Waited 15 minutes, then turned off the computer to restart. Let it load up normal, shut down, rebooted to Safe Mode. Ran Ad-Aware; as it scanned, error messages for Explorer and Rundll32 illegal operation appeared, one behind the other. Cleared them, finished the scan, repaired all. It showed the Deleting Selection bar as complete but would not go any further. Shut down from there, rebooted OK, no hang-up, back to Safe Mode. Ran Spybot; the scan showed CWS in six items, IGetNet, Common Hijacker. Did repair; repair to only two showed, CWS Boot Conf and CWS Load bat. Tried repair again, none repaired. Shut down, rebooted to Normal. Ran LSPfix, removed aklsp.dll as told. Results showed: No Name space providers removed or renumbered. 7 Protocol provider entries removed and 6 renumbered. Restarted in Safe Mode. Removed all you listed as next, except CXTPLS_LOADER.EXE and akcore.dll: no file found for either. Careful search of all areas, and typed right. None found. Stayed in Safe Mode. Ran HijackThis. Removed as per your list: R3 URLSearchHook and O4 HKLM LoadQM. No listing for O4 HKLM [AutoLoaderAproposClient] was found. Made sure all windows were closed, FIXED those checked. Restarted to NORMAL.
Created a new file Hjt2 for HijackThis, new download. It showed I had the most recent updates when I tried to update, but it replied in the blink of a second; I do not think I have it set up correctly to go out and get the update, working from the Firefox browser. Clicking on properties for Hjt2 shows a modified date of 2-17-2005. I did a full scan (with Negligible Risk unchecked). That post follows.
Logfile of HijackThis v1.99.1
Scan saved at 4:28:51 PM, on 2/17/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMENU.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\SYSDOC32.EXE
C:\PROGRAM FILES\MRU-BLASTER\SCHEDULER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\HJT\HIJACKTHIS.EXE
C:\HJT2\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thetechguide.com/forum/index.php?showtopic=13518
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F1 - win.ini: run=C:\WINDOWS\HPFsched.exe
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMenu.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
I did not have any problem reconnecting to the internet after the changes you listed. I looked for and found advcheck.dll in the Spybot folder; properties showed the date modified as 10-4-2004. Going from START > RUN > Find: All Files, looking for Spybot, I found many entries, 14 in all. I could not copy and paste, to show you the list that was in the Find results. I had uninstalled my old file for Spybot on 2-14-05 using the Spybot uninstall utility. Then downloaded Spybot, then downloaded updates. If I did not open them correctly, did I mess up getting the updates into the Spybot main program? My Firefox browser was set to download to its download box and then open all programs to the Desktop. Do I need to reconfigure that part of Firefox? What settings do you suggest? Any suggestions are really appreciated by those who don't know what they are doing; have you noticed that about me? Your help is appreciated, JRT
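The two HijackThis logs in this thread were read by eye: the first log's repeated O10 "Unknown file in Winsock LSP" lines for aklsp.dll, and the second log's O1 Hosts lines sending search.netscape.com and auto.search.msn.com to 69.20.16.183. As an added example (not code from the original posts, from HijackThis or from any of the tools named here), the following Python applies the same checks guestolo made by hand: O1 entries that map a hostname to anything other than loopback, O10 lines collapsed to one finding per DLL with its chain count, O4 Run entries whose executable is on a list built from this thread's eScan and HijackThis results, and R3 hooks marked "(no file)". The sample lines, the KNOWN_BAD_FILES set and the TEMP-directory heuristic are constructed for the example; the TEMP rule flags an entry for review, it is not a verdict.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# File names that eScan and HijackThis tied to the infection in this thread.
# Built from the thread's own output; extend it for your own case.
KNOWN_BAD_FILES = {
    "aklsp.dll", "akcore.dll", "akupd.dll", "akrules.dll",
    "appsetup.exe", "d8.exe", "30.exe", "cxtpls_loader.exe",
}

# Constructed sample in the shape of the two logs posted in the thread
# (O10 lines from the first log, O1 lines from the second). Not a full log.
SAMPLE_LOG = r"""
R3 - URLSearchHook: {FD0B1A83-4F7C-11D5-BD9C-000103C116D5} - - (no file)
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\CXTPLS_LOADER.EXE" /HideUninstall /HideDir
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\TEMP\RECOVE~1.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
"""

@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O10"
    reason: str
    line: str     # the log line (or LSP path) that triggered it

_LINE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
_HOSTS = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
_LSP = re.compile(r"^Unknown file in Winsock LSP:\s+(?P<path>.+)$", re.I)
_RUN = re.compile(r"^HK\w+\\\.\.\\Run\w*:\s+\[[^\]]*\]\s+(?P<cmd>.*)$")

def first_token(cmd):
    """Return the executable part of a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(log_text):
    """Apply the checks to every line and return the findings in log order."""
    findings, lsp_seen = [], {}
    for raw in log_text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O1":
            h = _HOSTS.match(body)
            if h:
                try:
                    ip = ip_address(h.group("ip"))
                except ValueError:
                    findings.append(Finding(sec, "hosts entry with unparseable address", raw))
                    continue
                if not ip.is_loopback:  # a hosts entry pointing off-box is a redirect
                    findings.append(Finding(sec, f"hosts file redirects {h.group('host')} to {ip}", raw))
        elif sec == "O10":
            l = _LSP.match(body)
            if l:
                p = l.group("path").strip().lower()
                lsp_seen[p] = lsp_seen.get(p, 0) + 1
        elif sec == "O4":
            r = _RUN.match(body)
            if r:
                exe = first_token(r.group("cmd"))
                if basename(exe) in KNOWN_BAD_FILES:
                    findings.append(Finding(sec, f"known-bad autorun {basename(exe)}", raw))
                elif "\\temp\\" in exe.lower():  # heuristic only, flag for review
                    findings.append(Finding(sec, "autorun launched from a TEMP directory (review)", raw))
        elif sec == "R3" and body.endswith("(no file)"):
            findings.append(Finding(sec, "orphaned URLSearchHook (no file)", raw))
    # One finding per unknown LSP DLL with the number of chain entries it
    # occupies; the repeated entries for one DLL are the chain LSPfix unwinds.
    for p, n in lsp_seen.items():
        findings.append(Finding("O10", f"unknown Winsock LSP {p} ({n} chain entries)", p))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}")
```

Run it as a script to see the six findings for the sample; point `triage` at the text of a saved log to triage a real one. The O10 rule deliberately reports the DLL once with a count rather than once per line, because the chain count, not the DLL, is what tells you how much LSPfix will have to renumber.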
-
Don't run away, I'm going to get a couple other tools to help identify what you may have
Don't run Ad-Aware or Spybot again until we get you clean
-
I will be right here ...Thanks, JRT
-
A few tools, all small downloads,
Download VX2 finder
http://downloads.subratam.org/VX2Finder9x(126).exe
Open VX2 finder
Click the "Click to Find VX2.BetterInternet"
then click the make log button.
Post the log
Also click here (http://forums.techguy.org/attachment.php?attachmentid=44794) to download DLLCompare.zip.
Unzip it to your desktop.
Now run DllCompare and click on the RunLocate.com button. It will scan for the hidden files. When it is finished, click on the Make a log of what was found button. When it asks to "View log file" click yes and the log will open in notepad. Save the log to copy and paste back here in your next reply
One last request
Please download FindIt.zip (http://www.bleepingcomputer.com/forums/index.php?act=Attach&type=post&id=40938) from the bottom of this post.
Unzip the contents to a folder, then open that folder and double click on Find.bat. It will run for a minute, then produce a log (ignore any File not found messages on the screen, it should continue anyway). Please copy and paste that log here as well.
I've even heard this running up to 15 minutes
Give it time, but not too much...
Please also open the c:\Windows folder and see if there's a file there called Guard.tmp visible and report that here if there is or isn't
Also post back a fresh hijackthis log
I won't see these logs until tomorrow, from the time you post the last log
Don't restart your computer again until we try some fixes
Do what you can from the above, post back what you can, thanks
By the way, I'm feeling much better, thank you
-
Ok, VX2 finder shows:
Log for VX2.BetterInternet File Finder (ver126)
Files Found---
User Agent String---
{ECB727A0-7BBA-11D9-978A-0040058001F4}
Going for Dll Compare. JRT
-
Ok, the DllCompare shows:
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM\mvci.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\chetcfg.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\muwdat10.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\dmnhupnp.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\slell.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\wotdecod.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\qiut.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\ivign32.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\mvmixmgr.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\iketres.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\ccetcfg.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\icetcfg.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\svncui.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\whn32s16.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\ssem0409.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\dsusic32.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\ope2.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\wqng.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\iu41_qc.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\imstsch.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\ikloader.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\iwpeers.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\dhusic32.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\acmui.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\eksmdb32.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\bwowselc.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\wong.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\mvg4dmod.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\atifil32.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\mqidntld.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\sksdetmg.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\hufc1609.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\mjwsock.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\ivstrsa.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\arl70.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\mawdat10.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\mfconf.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\iwfrared.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\jmsd400.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\ww2thk.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\exenu.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\wx32dll.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\lbcmgr10.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\jjsh400.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\spsthunk.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\lprt.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\agycfilt.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\wtdmlog.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\aaupd.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
________________________________________________
837 items found: 837 files (49 H/S), 0 directories.
Total of file sizes: 165,681,147 bytes 158.00 M
--------------------End log---------------------
-
Ok, guestolo, the FIND.bat ran fine, and found:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System Directory -------
Volume in drive C is JTAYLOR
Volume Serial Number is 2A60-13E6
Directory of C:\WINDOWS\SYSTEM
MVCI DLL 222,568 02-02-05 11:37p MVCI.DLL
CHETCFG DLL 222,568 02-02-05 11:37p CHETCFG.DLL
MUWDAT10 DLL 222,568 02-02-05 11:37p MUWDAT10.DLL
DMNHUPNP DLL 222,568 02-02-05 11:37p DMNHUPNP.DLL
SLELL DLL 222,568 02-02-05 11:37p SLELL.DLL
WOTDECOD DLL 222,568 02-02-05 11:37p WOTDECOD.DLL
QIUT DLL 222,568 02-02-05 11:37p QIUT.DLL
IVIGN32 DLL 222,568 02-02-05 11:37p IVIGN32.DLL
MVMIXMGR DLL 222,568 02-02-05 11:37p MVMIXMGR.DLL
IKETRES DLL 222,568 02-02-05 11:37p IKETRES.DLL
CCETCFG DLL 222,568 02-02-05 11:37p CCETCFG.DLL
ICETCFG DLL 222,568 02-02-05 11:37p ICETCFG.DLL
SVNCUI DLL 222,568 02-02-05 11:37p SVNCUI.DLL
WHN32S16 DLL 222,568 02-02-05 11:37p WHN32S16.DLL
SSEM0409 DLL 222,568 02-02-05 11:37p SSEM0409.DLL
DSUSIC32 DLL 222,568 02-02-05 11:37p DSUSIC32.DLL
OPE2 DLL 222,568 02-02-05 11:37p OPE2.DLL
WQNG DLL 222,568 02-02-05 11:37p WQNG.DLL
IU41_QC DLL 222,568 02-02-05 11:37p IU41_QC.dll
IMSTSCH DLL 222,568 02-02-05 11:37p IMSTSCH.DLL
IKLOADER DLL 222,568 02-02-05 11:37p IKLOADER.DLL
IWPEERS DLL 222,568 02-02-05 11:37p IWPEERS.DLL
DHUSIC32 DLL 222,568 02-02-05 11:37p DHUSIC32.DLL
ACMUI DLL 222,568 02-02-05 11:37p ACMUI.DLL
EKSMDB32 DLL 222,568 02-02-05 11:37p EKSMDB32.DLL
BWOWSELC DLL 222,568 02-02-05 11:37p BWOWSELC.DLL
WONG DLL 222,568 02-02-05 11:37p WONG.DLL
MVG4DMOD DLL 222,568 02-02-05 11:37p mvg4dmod.dll
ATIFIL32 DLL 222,568 02-02-05 11:37p ATIFIL32.DLL
MQIDNTLD DLL 222,568 02-02-05 11:37p MQIDNTLD.DLL
SKSDETMG DLL 222,568 02-02-05 11:37p SKSDETMG.DLL
HUFC1609 DLL 222,568 02-02-05 11:37p hufc1609.dll
MJWSOCK DLL 222,568 02-02-05 11:37p MJWSOCK.DLL
IVSTRSA DLL 222,568 02-02-05 11:37p IVSTRSA.DLL
ARL70 DLL 222,568 02-02-05 11:37p ARL70.DLL
MAWDAT10 DLL 222,568 02-02-05 11:37p MAWDAT10.DLL
MFCONF DLL 222,568 02-02-05 11:37p MFCONF.DLL
IWFRARED DLL 222,568 02-02-05 11:37p IWFRARED.DLL
JMSD400 DLL 222,568 02-02-05 11:37p JMSD400.DLL
WW2THK DLL 222,568 02-02-05 11:37p WW2THK.DLL
EXENU DLL 222,568 02-02-05 11:37p exenu.dll
WX32DLL DLL 222,568 02-02-05 11:37p WX32DLL.DLL
LBCMGR10 DLL 222,568 02-02-05 11:37p lbcmgr10.dll
JJSH400 DLL 222,568 02-02-05 11:37p JJSH400.DLL
SPSTHUNK DLL 222,568 02-02-05 11:37p SPSTHUNK.DLL
LPRT DLL 222,568 02-02-05 11:37p LPRT.DLL
AGYCFILT DLL 222,568 02-02-05 11:37p AGYCFILT.DLL
WTDMLOG DLL 222,568 02-02-05 11:37p wtdmlog.dll
AAUPD DLL 222,568 02-02-05 11:37p aaupd.dll
49 file(s) 10,905,832 bytes
0 dir(s) 2,210.44 MB free
------- Hidden Files in System Directory -------
Volume in drive C is JTAYLOR
Volume Serial Number is 2A60-13E6
Directory of C:\WINDOWS\SYSTEM
FFASTLOG TXT 22,226 02-18-05 12:30a FFASTLOG.TXT
HPF82T09 GID 8,628 02-14-05 5:38p HPF82t09.GID
HPF82H09 GID 8,628 01-29-05 5:20a HPF82h09.GID
HPF82R09 GID 8,628 01-26-05 11:35p HPF82r09.GID
FOLDER HTT 13,122 02-17-01 1:01p folder.htt
DESKTOP INI 266 02-17-01 1:01p desktop.ini
6 file(s) 61,498 bytes
0 dir(s) 2,210.43 MB free
---------- Files Named "Guard" -------------
Volume in drive C is JTAYLOR
Volume Serial Number is 2A60-13E6
Directory of C:\WINDOWS\SYSTEM
2,210.43 MB free
--------- Temp Files in System Directory --------
Volume in drive C is JTAYLOR
Volume Serial Number is 2A60-13E6
Directory of C:\WINDOWS\SYSTEM
2,210.43 MB free
---------------- User Agent ------------
------------ Keys Under Notify ------------
---------------- Xfind Results -----------------
-------------- Locate.com Results ---------------
C:\WINDOWS\SYSTEM\
mvci.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
chetcfg.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
muwdat10.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
dmnhupnp.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
slell.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
wotdecod.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
qiut.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
ivign32.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
mvmixmgr.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
iketres.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
ccetcfg.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
icetcfg.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
svncui.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
whn32s16.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
ssem0409.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
ffastlog.txt Fri Feb 18 2005 12:30:42a A..H. 22,226 21.70 K
dsusic32.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
hpf82t09.gid Mon Feb 14 2005 5:38:28p A..H. 8,628 8.43 K
hpf82h09.gid Sat Jan 29 2005 5:20:08a A..H. 8,628 8.43 K
hpf82r09.gid Wed Jan 26 2005 11:35:40p A..H. 8,628 8.43 K
ope2.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
wqng.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
iu41_qc.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
imstsch.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
ikloader.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
iwpeers.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
dhusic32.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
acmui.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
eksmdb32.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
bwowselc.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
wong.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
mvg4dmod.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
atifil32.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
mqidntld.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
sksdetmg.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
hufc1609.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
mjwsock.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
ivstrsa.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
arl70.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
mawdat10.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
mfconf.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
iwfrared.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
jmsd400.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
ww2thk.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
exenu.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
wx32dll.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
lbcmgr10.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
jjsh400.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
spsthunk.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
lprt.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
agycfilt.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
wtdmlog.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
aaupd.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
53 items found: 53 files, 0 directories.
Total of file sizes: 10,953,942 bytes 10.45 M
Ok, hope this helps....Hijack This to follow. JRT
-
Ok, there were no files for Guard.tmp found. The new HijackThis log follows:
Logfile of HijackThis v1.99.1
Scan saved at 2:24:12 AM, on 2/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMENU.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\SYSDOC32.EXE
C:\PROGRAM FILES\MRU-BLASTER\SCHEDULER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HJT\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\HJT2\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thetechguide.com/forum/index.php?showtopic=13518
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F1 - win.ini: run=C:\WINDOWS\HPFsched.exe
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMenu.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
I will not browse the NET...or restart at all till I hear from you. My SBC DSL connection is dropping out every 25 to 45 minutes...I don't know why. As I type this, I hear the hard drive tick...and see the activity light flash on the DSL modem ....like something is trying to download or connect. Is that possible? Talk to you later, guestolo....Thanks, JRT
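What the three O1 lines in the log above mean, as an added example that is not from the thread: a small auditor over hosts-file lines (or HijackThis "O1 - Hosts:" lines) that reports well-known search names pointed at a non-loopback address, and any single outside address claiming several names. The watchlist and the sample entries are constructed from the log above; the intranet line is made up.

```python
import ipaddress
import re
from collections import defaultdict

# Names the thread's HijackThis O1 lines show redirected; a hosts entry that
# sends them anywhere but loopback changes where the browser's search goes.
# Constructed watchlist for this example; extend it for your environment.
WATCHLIST = {"search.netscape.com", "auto.search.msn.com", "ieautosearch"}

HJT_O1_RE = re.compile(r"^O1 - Hosts:\s+(?P<rest>.+)$")


def parse_hosts(text):
    """Return (ip, hostname) pairs from raw hosts-file lines or HijackThis
    'O1 - Hosts:' lines.  Comments and blank lines are ignored; a line may
    list several names for one address."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = HJT_O1_RE.match(line)
        if m:
            line = m["rest"]
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue          # not an address: malformed line, skip it
        pairs.extend((str(ip), name.lower()) for name in parts[1:])
    return pairs


def audit_hosts(text, fanout_threshold=3):
    """Findings as plain strings, in a stable order: watchlisted names first
    (in file order), then addresses that claim too many names."""
    findings = []
    names_by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        names_by_ip[ip].add(name)
        if ipaddress.ip_address(ip).is_loopback:
            continue          # 127.0.0.1 blocks a name; it does not redirect it
        if name in WATCHLIST:
            findings.append(f"{name} redirected to {ip} (watchlisted name)")
    for ip, names in names_by_ip.items():
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_private:
            continue          # local/intranet mappings are normal in a hosts file
        if len(names) >= fanout_threshold:
            findings.append(f"{ip} claims {len(names)} names: {', '.join(sorted(names))}")
    return findings


# Constructed sample hosts file: two legitimate lines plus the three
# redirects from the thread's log.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
10.0.0.5        printer.home      # constructed intranet entry
69.20.16.183    search.netscape.com
69.20.16.183    auto.search.msn.com
69.20.16.183    ieautosearch
"""

# The same information as HijackThis prints it.
SAMPLE_HJT = """\
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
"""

if __name__ == "__main__":
    for line in audit_hosts(SAMPLE_HOSTS):
        print(line)
```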
-
OOPS, forgot to say I will turn off the modem after this post....not the computer...to keep any unwanted bugs from phoning home. JRT
-
You have the newer VX2 infection
Let's try getting rid of this with a Command Prompt
Can you print this out? Just copy and paste this to an empty Notepad file and then
Use the FILE>>Print selection
Restart the computer and use the F8 key as the computer is booting to bring you to the boot menu
Select "Command Prompt Only"
Hit Enter
You should now see
C:\>
At the prompt type in exactly as shown below in bold
Notice the space between (del and c)
del c:\windows\temp\*.*
Hit Enter
At the prompt to delete contents type Y and then hit Enter
Carry on with this command
del c:\windows\hosts (Hit Enter)
Now type in >> Notice space between (cd and c)
cd c:\windows\system
Hit Enter
You should be at a prompt that looks like the below
C:\WINDOWS\SYSTEM>
Enter these at the prompt
Notice the single space after (del) and Hit Enter after each
del mvci.dll
del chetcfg.dll
del muwdat10.dll
del dmnhupnp.dll
del slell.dll
del wotdecod.dll
del qiut.dll
del ivign32.dll
del mvmixmgr.dll
del iketres.dll
del ccetcfg.dll
del icetcfg.dll
del svncui.dll
del whn32s16.dll
del ssem0409.dll
del dsusic32.dll
del ope2.dll
del wqng.dll
del iu41_qc.dll
del imstsch.dll
del ikloader.dll
del iwpeers.dll
del dhusic32.dll
del acmui.dll
del eksmdb32.dll
del bwowselc.dll
del wong.dll
del mvg4dmod.dll
del atifil32.dll
del mqidntld.dll
del sksdetmg.dll
del hufc1609.dll
del mjwsock.dll
del ivstrsa.dll
del arl70.dll
del mawdat10.dll
del mfconf.dll
del iwfrared.dll
del jmsd400.dll
del ww2thk.dll
del exenu.dll
del wx32dll.dll
del lbcmgr10.dll
del jjsh400.dll
del spsthunk.dll
del lprt.dll
del agycfilt.dll
del wtdmlog.dll
del aaupd.dll
After you have Entered the last one
Hit (Ctrl+Alt+Del) on the keyboard to Restart the computer
Let it restart to Normal mode
Don't open a browser yet
Open VX2 finder and click to find VX2.betterinternet
Click the "User Agent$" button on the Right hand side if it's highlighted
Close VX2
Open Hijackthis 1.99.1
Open The Misc Tools Section
Open Hosts File Manager
You should get a prompt that no Hosts file is found, would you like to make one
Do so
Post back with a fresh hijackthis log afterwards
Run Findit.bat again and post the log
DLLCompare and post the log
Run VX2 finder again and post log
Hopefully we get it all this round
:P
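What gives this infection away in the DLLCompare and Find.bat logs above is the block of files that share one exact size, one timestamp and the System+Read-only attributes under unrelated names. An added example, not from the thread or from either tool: a parser for those log lines that groups entries by (size, timestamp, attributes) and flags any group above a threshold. The sample log is constructed from a handful of lines in the thread's logs plus one made-up legitimate DLL.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# One DLLCompare / Locate.com result line, e.g.
#   C:\WINDOWS\SYSTEM\mvci.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
# Header, separator and summary lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<dow>[A-Za-z]{3}) (?P<mon>[A-Za-z]{3}) (?P<day>\d{1,2}) (?P<year>\d{4}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+"
    r"(?P<size>\d{1,3}(?:,\d{3})*)\s+"
    r"(?P<hsize>\d+(?:\.\d+)?)\s*(?P<unit>[KMG]?)$"
)


@dataclass(frozen=True)
class Entry:
    path: str
    stamp: str   # "Feb 2 2005 11:37:24p", exactly as the log prints it
    attrs: str   # five-character field: A=archive, S=system, H=hidden, R=read-only
    size: int    # exact size in bytes


def parse_log(text):
    """Extract file entries from a DLLCompare or Locate.com log; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue
        entries.append(Entry(
            path=m["path"],
            stamp=f'{m["mon"]} {m["day"]} {m["year"]} {m["time"]}',
            attrs=m["attrs"],
            size=int(m["size"].replace(",", "")),
        ))
    return entries


def find_clusters(entries, min_members=4):
    """Group entries by (size, timestamp, attributes); return the groups with
    at least min_members, largest first.

    Legitimate system files almost never share an exact byte count AND the
    same second of creation, so a large group of System+Read-only files with
    unrelated names (as in the thread's logs) deserves a close look."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e.size, e.stamp, e.attrs)].append(e)
    clusters = [(key, members) for key, members in groups.items()
                if len(members) >= min_members]
    clusters.sort(key=lambda kv: len(kv[1]), reverse=True)
    return clusters


def suspicious_paths(text, min_members=4):
    """Sorted list of the paths that belong to any flagged cluster."""
    paths = []
    for _key, members in find_clusters(parse_log(text), min_members):
        paths.extend(e.path for e in members)
    return sorted(paths)


# Constructed sample: six lines from the thread's DLLCompare log, the hidden
# files from its Locate.com section, and one made-up legitimate DLL.
SAMPLE_LOG = r"""
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
________________________________________________
C:\WINDOWS\SYSTEM\mvci.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\chetcfg.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\muwdat10.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\dmnhupnp.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\slell.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\wotdecod.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\ffastlog.txt Fri Feb 18 2005 12:30:42a A..H. 22,226 21.70 K
C:\WINDOWS\SYSTEM\hpf82t09.gid Mon Feb 14 2005 5:38:28p A..H. 8,628 8.43 K
C:\WINDOWS\SYSTEM\hpf82h09.gid Sat Jan 29 2005 5:20:08a A..H. 8,628 8.43 K
C:\WINDOWS\SYSTEM\hpf82r09.gid Wed Jan 26 2005 11:35:40p A..H. 8,628 8.43 K
C:\WINDOWS\SYSTEM\example.dll Thu Apr 22 1999 10:22:00p A.... 471,040 460.00 K
________________________________________________
11 items found: 11 files (6 H/S), 0 directories.
"""

if __name__ == "__main__":
    for (size, stamp, attrs), members in find_clusters(parse_log(SAMPLE_LOG)):
        print(f"{len(members)} files, {size} bytes, {stamp}, attrs {attrs}:")
        for e in members:
            print("   ", e.path)
```

The three .gid files share a size but not a timestamp, so they are not reported; only the 222,568-byte group is.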
-
guestolo, I have a question about typing the items to delete in BOLD. I do not know how to do that when at the Command Prompt. Please explain....because the first two.. temp and hosts deleted OK. Next item, and all at C:\WINDOWS\SYSTEM> were typed as listed, but each time enter ...showed File Not Found. I missed the bold, and it mattered...RIGHT??? Give me a shout when you can....Thanks JRT. What kind of dog is "Woof"? Looks like a Golden Retriever.
-
Download the Pocket Killbox (http://www.downloads.subratam.org/KillBox.zip)
UNZIP it to a folder of your choice
Download Hoster by Toadbee (http://members.aol.com/toadbee/hoster.zip)
Unzip it to its own folder
Set Windows To Show Hidden Files
* Open My Computer.
* Select the View menu and click Folder Options.
* Select the View Tab.
* In the Hidden files section select Show all files.
* Click OK.
Please save this to a Notepad file and leave it on your desktop and then Disconnect completely from the Internet
Open these instructions and leave them open until we have restarted your computer
Run Pocket KillBox
click on Tools --> Select Delete Temp Files. Click OK.
At the bottom right of the main screen, click on the down arrow to the left of the yellow triangle.
Select the following entry if running rundll32.exe
Now click the yellow triangle to End Task
There may be more than one running, end task on all of them
Do the same thing for explorer.exe
Your Desktop and Icons will disappear, don't let it worry you
OK it
Again, in Killbox
At the main screen of Pocket Killbox, select the option: Delete on Reboot
In the Full Path of File to Delete box, copy and paste this entry:
C:\WINDOWS\SYSTEM\mvci.dll
Press the button with a red circle and a white X
Click Yes to Delete on Reboot
When asked if you would like to Reboot Now, select No.
Do the same for all these:
C:\WINDOWS\SYSTEM\chetcfg.dll
C:\WINDOWS\SYSTEM\muwdat10.dll
C:\WINDOWS\SYSTEM\dmnhupnp.dll
C:\WINDOWS\SYSTEM\slell.dll
C:\WINDOWS\SYSTEM\wotdecod.dll
C:\WINDOWS\SYSTEM\qiut.dll
C:\WINDOWS\SYSTEM\ivign32.dll
C:\WINDOWS\SYSTEM\mvmixmgr.dll
C:\WINDOWS\SYSTEM\iketres.dll
C:\WINDOWS\SYSTEM\ccetcfg.dll
C:\WINDOWS\SYSTEM\icetcfg.dll
C:\WINDOWS\SYSTEM\svncui.dll
C:\WINDOWS\SYSTEM\whn32s16.dll
C:\WINDOWS\SYSTEM\ssem0409.dll
C:\WINDOWS\SYSTEM\dsusic32.dll
C:\WINDOWS\SYSTEM\ope2.dll
C:\WINDOWS\SYSTEM\wqng.dll
C:\WINDOWS\SYSTEM\iu41_qc.dll
C:\WINDOWS\SYSTEM\imstsch.dll
C:\WINDOWS\SYSTEM\ikloader.dll
C:\WINDOWS\SYSTEM\iwpeers.dll
C:\WINDOWS\SYSTEM\dhusic32.dll
C:\WINDOWS\SYSTEM\acmui.dll
C:\WINDOWS\SYSTEM\eksmdb32.dll
C:\WINDOWS\SYSTEM\bwowselc.dll
C:\WINDOWS\SYSTEM\wong.dll
C:\WINDOWS\SYSTEM\mvg4dmod.dll
C:\WINDOWS\SYSTEM\atifil32.dll
C:\WINDOWS\SYSTEM\mqidntld.dll
C:\WINDOWS\SYSTEM\sksdetmg.dll
C:\WINDOWS\SYSTEM\hufc1609.dll
C:\WINDOWS\SYSTEM\mjwsock.dll
C:\WINDOWS\SYSTEM\ivstrsa.dll
C:\WINDOWS\SYSTEM\arl70.dll
C:\WINDOWS\SYSTEM\mawdat10.dll
C:\WINDOWS\SYSTEM\mfconf.dll
C:\WINDOWS\SYSTEM\iwfrared.dll
C:\WINDOWS\SYSTEM\jmsd400.dll
C:\WINDOWS\SYSTEM\ww2thk.dll
C:\WINDOWS\SYSTEM\exenu.dll
C:\WINDOWS\SYSTEM\wx32dll.dll
C:\WINDOWS\SYSTEM\lbcmgr10.dll
C:\WINDOWS\SYSTEM\jjsh400.dll
C:\WINDOWS\SYSTEM\spsthunk.dll
C:\WINDOWS\SYSTEM\lprt.dll
C:\WINDOWS\SYSTEM\agycfilt.dll
C:\WINDOWS\SYSTEM\wtdmlog.dll
Finally, in Full Path of File to Delete, copy and paste the following:
C:\WINDOWS\SYSTEM\aaupd.dll
Press the button with a red circle and a white X.
When asked to Reboot, select Yes!!
When you're back in Windows
Run VX2 Finder again and click the User Agent$ button
Open Hoster and "Restore Original hosts"
Run DLLCompare again and post the log
Run VX2 Finder again and post the log
Also post back with a fresh hijackthis log
By the way, that's not my dog, it's just a general avatar
My 2 look quite different
:D
-
Hello, guestolo, ran Killbox and removed files as instructed. The very last ones took extra time.. my system slowed to a crawl. Could not get the cursor to move easily....Last entry was entered and Killbox did not ask about reboot, I closed after a time through Ctrl-Alt-Delete...shutdown. Ran VX2, deleted OK the one file shown. Then ran Hoster...restored Hosts...OK. Ran DLLCompare....see log to follow. Ran VX2 again...no files found. See HijackThis log. Standing by to kill what's left. Please advise on best settings / setups for Firefox if you have time. Thanks JRT.
Logfile of HijackThis v1.99.1
Scan saved at 7:36:00 PM, on 2/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thetechguide.com/forum/index.php?showtopic=13518
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: {FD0B1A83-4F7C-11D5-BD9C-000103C116D5} - (no file)
F1 - win.ini: run=C:\WINDOWS\HPFsched.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CRASHGUARD\CGMenu.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM\mqc30.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\jvvart.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\wotdecod.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\qjap.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\mqidntld.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
C:\WINDOWS\SYSTEM\mawdat10.dll Wed Feb 2 2005 11:37:24p ..S.R 222,568 217.35 K
________________________________________________
794 items found: 794 files (6 H/S), 0 directories.
Total of file sizes: 156,110,723 bytes 148.88 M
--------------------End log---------------------
-
Just helping someone with your same problem
Can you do this for me right now
Please copy and paste these instructions to an empty Notepad file and leave it on your desktop and then Disconnect completely from the Internet
Open these instructions and leave them open until we have restarted your computer
Close down all other windows
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thetechguide.com/forum/index.php?showtopic=13518
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: (no name) - 3 - URLSearchHook: {FD0B1A83-4F7C-11D5-BD9C-000103C116D5} - (no file)
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Run Pocket KillBox>>Now you have Killbox and this notepad file open
click on Tools --> Select Delete Temp Files. Click OK.
At the bottom right of the main screen, click on the down arrow to the left of the yellow triangle.
Select the following entry if running rundll32.exe
Now click the yellow triangle to End Task
There may be more than one running, end task on all of them
Again, in Killbox
At the main screen of Pocket Killbox, select the option: Delete on Reboot
In the Full Path of File to Delete box, copy and paste this entry:
C:\WINDOWS\SYSTEM\mqc30.dll
Press the button with a red circle and a white X
Click Yes to Delete on Reboot
IF asked if you would like to Reboot Now, select No.
Do the same for all these:
C:\WINDOWS\SYSTEM\jvvart.dll
C:\WINDOWS\SYSTEM\wotdecod.dll
C:\WINDOWS\SYSTEM\qjap.dll
C:\WINDOWS\SYSTEM\mqidntld.dll
Finally, in Full Path of File to Delete, copy and paste the following:
C:\WINDOWS\SYSTEM\mawdat10.dll
Press the button with a red circle and a white X.
If asked to Reboot, select Yes!!
Allow the system to Restart or restart anyways
When you're back in Windows
Open Hoster and Restore original hosts
Also post back with a fresh hijackthis log
Sorry JRT, I'll let you know Firefox settings I have later
after we get you clean
EDIT>>JRT, instead of running DLLCompare and VX2 Finder could you
When you're back in Windows
Download Findit9xme.zip (http://www.thatcomputerguy.us/downloads/findit9xme.zip)
Unzip the contents and open the Findit9xMe folder
Double click on Findit9xme.bat
Wait for the log and post it back