TheTechGuide Forum
General Category => Tech Clinic => Topic started by: funkandjazz on April 06, 2005, 03:16:02 PM
-
I am unable to rid my desktop of the smartsecurity red/black image, nor am I able to use the right-click feature on my desktop. Here is my HJT log from the scan just completed:
Logfile of HijackThis v1.99.1
Scan saved at 1:10:17 PM, on 4/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mszx23.exe
C:\Program Files\IrfanView\I_VIEW32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
Please advise! What do I do now? Thanks very much.
-
Why is your log so small?
What have you fixed on your own?
Please go into HijackThis >> Open the View a list of Backups and Restore all backups.
Post back with a fresh HijackThis log afterwards.
-
guestolo, thanks very much for your reply.
Prior to finding this forum and seeking your help, I got advice from Microsoft tech support and also Hewlett Packard tech support. They advised me to run all my spyware/adware removal software and to run all my virus removal software. I did all this and much was removed. However, as I indicated, the smartsecurity screen still dominates my desktop and I have no right-click functionality on my desktop.
It was only at this point that I discovered this forum, and I am doing my best to follow your instructions.
There are no backups listed in my HJT software, sorry.
I'm doing the best I can. Please advise! Here is my latest scan:
Logfile of HijackThis v1.99.1
Scan saved at 5:30:54 PM, on 4/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mszx23.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
-
Let's try the following
Can you first create a fresh Restore point for me
Go to START>>All programs>>Accessories>>System Tools>>System Restore
Create a new Restore point
Name it and click Create
Something to fall back on, and we don't want to undo any changes that you have done so far
=====Download and Install this small program
to help clean your temp folders, cookies, prefetch folder, recycle bin
Windows Cleanup (http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe)
Install for now, don't run a scan yet
After you have done that
I need you to download and SAVE the following zip file and UNZIP it to a folder of your choice
So you will have fixdesktop.reg extracted in the folder
[attachment=119:attachment]
Ensure you unzip it, but don't run it yet
===Next: You show signs of Haxdoor infection
Download and UNZIP to a folder
HSFIX.zip (http://www.atribune.org/downloads/HSFix.zip)
HSFix directory will be created
We'll need this later
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Please Print this out or save these instructions to a Notepad file in a folder of choice, so you can refer to this if needed
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4) <--This is important
Double click on Fixdesktop.reg and allow to merge to the registry
Stay in Safe mode
Open Windows CleanUp!>>START>>All programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't restart the computer or log off yet
===Navigate to the HSFix directory>>Open the folder, ensure you unzipped this
and double-click on HSFix.bat.
* It will produce a log file, located here: C:\hslog.txt. <--we'll need this later
Restart back to Normal mode
Do a fresh scan with Hijackthis and post the log and post the log from HSFix.bat>>C:\hslog.txt.
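The helper reads each HijackThis log by eye and compares it with the previous one. The following Python script is an added example, not part of any post and not a HijackThis feature: it parses the log format seen in this thread, pulls out the O20 Winlogon Notify hooks (the mechanism drct16.dll uses to get loaded by winlogon.exe at every logon), lists the blanked R0 search entries, and diffs a before/after pair so the effect of a fix is visible at a glance. The two log excerpts inside it are constructed from the thread's logs and trimmed; the allowlist of known-good notify names (the Intel graphics and Softex OmniPass handlers from the same logs) is a reviewer's assumption, not a fact about any machine.

```python
"""Triage helper for HijackThis v1.99 logs: parse, flag, and diff."""
import re

# Constructed excerpts modelled on the logs posted in this thread (before the
# safe-mode fix and after it); trimmed, not the full logs from the posts.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 1:10:17 PM, on 4/6/2005
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mszx23.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:22:30 PM, on 4/7/2005
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
"""

# "O20 - Winlogon Notify: name - path" style lines: a type code, then the body.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$")

# Notify handlers from the thread's logs that belong to legitimate software
# (Intel graphics, Softex OmniPass). Reviewer-maintained assumption, not a
# statement about any particular machine.
KNOWN_NOTIFY = frozenset({"igfxcui", "opxpgina"})


def parse_hjt_log(text):
    """Split a log into its running-process list and its typed entries.

    Returns (processes, entries); entries is a list of (kind, body) tuples.
    """
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the first R/O entry ends the process list
            entries.append((match.group("kind"), match.group("body")))
        elif in_processes:
            processes.append(line)
    return processes, entries


def winlogon_notify_dlls(entries):
    """[(name, dll_path)] for every O20 entry: DLLs winlogon.exe loads at logon."""
    found = []
    for kind, body in entries:
        match = NOTIFY_RE.match(body)
        if kind == "O20" and match:
            found.append((match.group("name"), match.group("dll")))
    return found


def unexpected_notify(entries, known=KNOWN_NOTIFY):
    """Notify hooks not on the allowlist: the first entries to review."""
    return [(name, dll) for name, dll in winlogon_notify_dlls(entries)
            if name.lower() not in known]


def empty_search_hooks(entries):
    """R0/R1 entries with a blank value (an IE search setting left empty)."""
    return [body for kind, body in entries
            if kind in ("R0", "R1") and body.rstrip().endswith("=")]


def diff_logs(before_text, after_text):
    """Report which processes and entries disappeared or appeared between two logs."""
    procs_b, ents_b = parse_hjt_log(before_text)
    procs_a, ents_a = parse_hjt_log(after_text)
    return {
        "processes_removed": sorted(set(procs_b) - set(procs_a)),
        "processes_added": sorted(set(procs_a) - set(procs_b)),
        "entries_removed": sorted(set(ents_b) - set(ents_a)),
        "entries_added": sorted(set(ents_a) - set(ents_b)),
    }


if __name__ == "__main__":
    _, before_entries = parse_hjt_log(LOG_BEFORE)
    print("unexpected notify hooks:", unexpected_notify(before_entries))
    for key, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(key, items)
```

Run it on two real logs by reading the files into LOG_BEFORE and LOG_AFTER; the diff is the part worth keeping in a helper's workflow, since an entry that vanishes from the log but whose file could not be deleted (as hslog.txt reports for drct16.dll and mszx23.exe) is exactly the case where the hook was removed but the binary is still on disk.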
-
guestolo, you're amazing! You accomplished in a few simple instructions what "experts" at Microsoft and Hewlett Packard could not in hours of phone assistance. I'm grateful!
The nightmare red/black smartsecurity screen is gone and my right-click functionality is back. Yay!
The only bad news is that a whole bunch of what was previously on my desktop is no longer there, and many of those files were of value to me: photos, documents, etc. What do you advise in terms of finding these missing items? Is it possible they're gone for good?
Anyway, here's the HJT log now:
Logfile of HijackThis v1.99.1
Scan saved at 9:47:15 PM, on 4/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\mszx23.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
here's the hslog.txt:
Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
klogini.dll
p2.ini
ps.a3d
drct16.dll
mszx23.exe
w32tm.exe
-
4. Deleting files that were found.
-
unable to remove drct16.dll
unable to remove mszx23.exe
-
5. Checking for and Removing Winupdate
-
-
-
What do you suggest next? Is there any way I can recover my previous full desktop?
Thanks again!!
-
That last message is from me. Sorry, I forgot to log in after the clean sweep.
-
Let's back up a step
First go back and restore your computer to the last system restore point you made previously before this fix
I realize you may get the red/black screen again and the right-click disability, but we'll fix that again
After the restart of the computer, we'll be back where we started, but I want to get rid of another infection first
Not to worry
Back in Windows, ensure you still have HSfix unzipped
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it RKFiles
Download and UNZIP to that folder Rkfiles.zip>>Ensure you unzip this
[attachment=121:attachment]
Once that's done
Print the rest of this out or save to a Notepad file
Restart into safe mode <--important
Make sure windows is set to show Hidden files and folders
Find and delete these files if found
C:\WINDOWS\System32\mszx23.exe <-file
C:\WINDOWS\SYSTEM32\drct16.dll <-file
Stay in safe mode
Open Hijackthis>>Open Misc tools section>>Open Process manager
Left click to Highlight and then kill this process if still running
C:\WINDOWS\System32\mszx23.exe
Do another scan with Hijackthis and put a check next to these entries that exist
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Run HSfix.bat again
Next Navigate to where you unzipped Rkfiles.zip
Run Rkfiles.bat
Wait for the log to produce; by default it will be saved to C:\log.txt
Restart back to Normal mode
Post back a fresh hijackthis log
The log again from HSFix.bat>>C:\hslog.txt
The log from Rkfiles.bat>>C:\log.txt
Could you also
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS
Name the file as Export.bat
@echo off
rem Export the per-user Policies key (where desktop and right-click restrictions live) to a temporary .reg file
regedit /e C:\temp.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
rem Append the export to a plain text file and open it in Notepad for reading
more C:\temp.reg >> C:\Display.txt
notepad C:\Display.txt
rem Remove both temporary files once Notepad has been closed
del /q c:\temp.reg
del /q C:\Display.txt
Double click Export.bat and copy and paste back the findings
EDIT>>The attachment didn't go through at first for Rkfiles.zip, I hope you see it now
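Export.bat only dumps the Policies key so the helper can read it by hand. As an added example (not the forum's tool, and not fixdesktop.reg, whose contents the thread never shows), the Python below reads such an export, flags the policy values that produce the symptoms described in this thread (a disabled desktop right-click menu, a locked Active Desktop, a blocked regedit), and writes the .reg lines that would remove just those values. The sample export is constructed; the table of restrictive value names is a reviewer-maintained list of real Windows policy values, chosen here as an assumption rather than something the thread states.

```python
"""Read a `regedit /e` export of HKCU\\...\\Policies and flag restrictive values."""
import re

POLICY_ROOT = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"

# Real Windows policy values, grouped by the Policies subkey they live under,
# with the symptom each one produces when set to a non-zero DWORD. This table
# is an assumption maintained by the reviewer, not something the thread lists.
RESTRICTIVE_POLICIES = {
    "Explorer": {
        "NoViewContextMenu": "right-click context menu disabled on desktop and in Explorer",
        "NoDesktop": "all desktop icons hidden",
        "NoActiveDesktopChanges": "Active Desktop settings locked",
        "NoRun": "Run command removed from the Start menu",
    },
    "ActiveDesktop": {
        "NoChangingWallPaper": "wallpaper cannot be changed",
    },
    "System": {
        "DisableRegistryTools": "regedit blocked",
        "DisableTaskMgr": "Task Manager blocked",
    },
}

# Constructed sample in regedit /e format: one benign value, three restrictions.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoViewContextMenu"=dword:00000001
"NoActiveDesktopChanges"=dword:00000001
"NoRun"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def load_export(path):
    """Read an export file; regedit on XP writes UTF-16LE with a BOM, older exports are ANSI."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("latin-1")


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}}; hex continuation lines are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group("path")
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            keys[current][value.group("name")] = value.group("data")
    return keys


def dword_value(data):
    """Decode 'dword:00000001' to an int; None for any other value type."""
    return int(data[6:], 16) if data.lower().startswith("dword:") else None


def find_restrictions(keys):
    """[(subkey, value_name, symptom)] for every restrictive value that is switched on."""
    hits = []
    for path, values in keys.items():
        if not path.lower().startswith(POLICY_ROOT.lower() + "\\"):
            continue
        subkey = path[len(POLICY_ROOT) + 1:]
        watched = RESTRICTIVE_POLICIES.get(subkey, {})
        for name, data in values.items():
            if name in watched and (dword_value(data) or 0) != 0:
                hits.append((subkey, name, watched[name]))
    return sorted(hits)


def undo_reg(hits):
    """Build a .reg file that deletes each flagged value ("Name"=- removes a value)."""
    by_key = {}
    for subkey, name, _ in hits:
        by_key.setdefault(subkey, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for subkey in sorted(by_key):
        lines.append(f"[{POLICY_ROOT}\\{subkey}]")
        lines.extend(f'"{name}"=-' for name in sorted(by_key[subkey]))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_restrictions(parse_reg_export(SAMPLE_EXPORT))
    for subkey, name, symptom in found:
        print(f"{subkey}\\{name}: {symptom}")
    print(undo_reg(found))
```

To use it against the real thing, point `load_export` at the C:\temp.reg that Export.bat creates (before the script deletes it) and review the printed list before merging the generated .reg; the undo file removes only the flagged values and leaves unrelated policy settings such as NoDriveTypeAutoRun alone.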
-
One question before you do the above, those icons on the desktop may have been shortcuts, can you find them on your hard drive
if you do a search for them?
Right click on them and send to desktop(Create shortcut)?
-
Forgive me if these are especially naive questions/concerns; please bear with me. I'm worried about attempting to restore to the day before the smartsecurity infection. After several hours of phone tech help last night, I was advised to attempt a system restore to the last good install date. I did this and it failed. I got an error message upon reboot that the system restore attempt was unsuccessful. I then ran a series of trojan/virus/spyware removal programs which identified numerous problem files, all of which I deleted/fixed. When I next tried to reboot, I got an immediate error message that a boot file had failed or was corrupted, and it took Microsoft techs a couple of hours rebuilding my CNG file before I could even reboot. SO, as you can imagine, I'm real skittish about taking any steps which could cause any of the above to happen again. Is there any chance that following your instructions regarding system restore could cause me to have any of the trouble described above? That would not be good, since it would mean I could not get online to get further assistance from you!
Thanks!
P.S. As to the question you just asked, I did a search immediately for the most critical items (photos) that were in folders on my desktop, and I think I've found them. And yes, many of the missing desktop items were shortcuts (not so worried about that, I can easily create them again). Other missing items are files and folders. I haven't yet searched for them all.
-
I asked you to create a fresh restore point before doing the first set of instructions
I definitely don't want you to restore before we started any fixes
That's okay
Let me know if you can put a shortcut icon on the desktop now and if it sticks
But your log is still not clean
Can you carry on with the rest of the instructions with HSFix again
and Rkfiles
and running Hijackthis in safe mode
2 different infections all together
Can you also, before you restart into safe mode, do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Click the Customize Desktop button.
5. Click the Web tab in the Desktop Items window.
6. Make sure all checkboxes in this window are un-checked.
OK your way out
Remember, I need you to do this and running those fixes again in safe mode
-
Sorry, I misunderstood. Yes, I did create a restore point before proceeding with any of your instructions, so all is well. I've printed out your instructions and will proceed in the morning, with follow-up results for you. Thanks again!
-
Ok, here's where things stand.
Due to my own irrational fears, I did not restore to the last system restore point.
I did this:
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Click the Customize Desktop button.
5. Click the Web tab in the Desktop Items window.
6. Make sure all checkboxes in this window are un-checked.
OK your way out
Then I restarted in safe mode.
Then I located, but was UNable to delete these files:
C:\WINDOWS\System32\mszx23.exe <-file
C:\WINDOWS\SYSTEM32\drct16.dll <-file
I got a message that the files were being used by another process and therefore could NOT be deleted.
I was unsure exactly what to do at this point, but I elected to proceed with the rest of your instructions.
So, I did this:
Stay in safe mode
Open Hijackthis>>Open Misc tools section>>Open Process manager
Left click to Highlight and then kill this process if still running
C:\WINDOWS\System32\mszx23.exe
BUT-- that process did not show up at all in the list. I was therefore unable to kill it or do anything else with it.
So I proceeded to this:
Do another scan with Hijackthis and put a check next to these entries that exist
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
That all went fine.
I did all this:
Run HSfix.bat again
Next Navigate to where you unzipped Rkfiles.zip
Run Rkfiles.bat
Wait for the log to produce; by default it will be saved to C:\log.txt
Restart back to Normal mode.
No problems there.
Here's the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:22:30 PM, on 4/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
Here's the new hslog.txt:
Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
klogini.dll
p2.ini
ps.a3d
drct16.dll
mszx23.exe
-
4. Deleting files that were found.
-
unable to remove ps.a3d
unable to remove drct16.dll
unable to remove mszx23.exe
-
5. Checking for and Removing Winupdate
-
-
-
Here's the log from RKfiles.bat:
C:\RKFiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\cpuinf32.dll: UPX!
C:\WINDOWS\system32\DefragH.exe: UPX!
C:\WINDOWS\system32\devil.dll: UPX!
C:\WINDOWS\system32\ilu.dll: UPX!
C:\WINDOWS\system32\ilut.dll: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: >UPX!t
C:\WINDOWS\system32\kl_upx.exe: t[hUPX!
C:\WINDOWS\system32\kl_upx.exe: MThUPX!PQ
C:\WINDOWS\system32\kl_upx.exe: hUPX!
C:\WINDOWS\system32\kl_upx.exe: hUPX!
C:\WINDOWS\system32\kl_upx.exe: hUPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!t
C:\WINDOWS\system32\kl_upx.exe: hUPX!PQ
C:\WINDOWS\system32\kl_upx.exe: JMUPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: JMUPX!
C:\WINDOWS\system32\kl_upx.exe: JMPDUPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!u
C:\WINDOWS\system32\kl_upx.exe: UPX!u
C:\WINDOWS\system32\kl_upx.exe: UPX!u
C:\WINDOWS\system32\kl_upx.exe: JMPOUPX!
C:\WINDOWS\system32\kl_upx.exe: JMPDUPX!
C:\WINDOWS\system32\patin.cpl: UPX!
C:\WINDOWS\system32\rmme3260.dll: +F!f:G!fSG!fmG!f
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\uscscsi.dll: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye
Where do we stand now?
Thanks again.
-
Please try one more time to restart into safe mode with windows set to Show Hidden files and folders
You must be in safe mode and disconnected from the Internet
Run HSFix.bat again
Run Rkfiles.bat again<<You must be in safe mode
Restart back to normal mode and post a fresh hijackthis log
the log from hsfix.bat and the log from rkfiles.bat
-
First, I failed to answer a previous question of yours. Yes, I am able to create shortcuts on my desktop and they do stick.
Now, I followed your most recent instructions. I shut off my DSL modem, restarted in safe mode, and ran HSFix.bat and RKfiles.bat.
Here are the latest logs:
Logfile of HijackThis v1.99.1
Scan saved at 8:53:40 AM, on 4/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
ps.a3d
drct16.dll
mszx23.exe
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-
C:\RKFiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\cpuinf32.dll: UPX!
C:\WINDOWS\system32\DefragH.exe: UPX!
C:\WINDOWS\system32\devil.dll: UPX!
C:\WINDOWS\system32\ilu.dll: UPX!
C:\WINDOWS\system32\ilut.dll: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: >UPX!t
C:\WINDOWS\system32\kl_upx.exe: t[hUPX!
C:\WINDOWS\system32\kl_upx.exe: MThUPX!PQ
C:\WINDOWS\system32\kl_upx.exe: hUPX!
C:\WINDOWS\system32\kl_upx.exe: hUPX!
C:\WINDOWS\system32\kl_upx.exe: hUPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!t
C:\WINDOWS\system32\kl_upx.exe: hUPX!PQ
C:\WINDOWS\system32\kl_upx.exe: JMUPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: JMUPX!
C:\WINDOWS\system32\kl_upx.exe: JMPDUPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!u
C:\WINDOWS\system32\kl_upx.exe: UPX!u
C:\WINDOWS\system32\kl_upx.exe: UPX!u
C:\WINDOWS\system32\kl_upx.exe: JMPOUPX!
C:\WINDOWS\system32\kl_upx.exe: JMPDUPX!
C:\WINDOWS\system32\patin.cpl: UPX!
C:\WINDOWS\system32\rmme3260.dll: +F!f:G!fSG!fmG!f
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\uscscsi.dll: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye
How are we doing?
Thanks!
-
Looks like the Haxdoor infection is gone, but you still have some nasties indicated by RKFiles, not all are bad however
The next suggestion I have
I see no anti-Virus software running on your computer
Could you do the following please
If you have your own AV software, install it now, make sure it's fully updated and run a full system scan
If you don't have your own and need a free solution
I highly recommend that you download and install AVG free
from the link below
http://free.grisoft.com/doc/2/lng/us/tpl/v5
Scroll down and click on
AVG Free Edition installation files
File Version
avg70free_308a468.exe <-this link or similar
Save the installer to desktop, double click to install and follow the prompts
Restart the computer if prompted
After installation, ensure you Check for updates>>> run a Full system scan, let it fix what it finds
Restart into safe mode afterwards and run RkFiles.bat again
restart back to Normal mode and post back one more Hijackthis log and the log from RKFiles.bat again
Let's see if AVG finds and cleans some of those files for you
-
guestolo, thanks as always for your guidance. After reading your post, specifically your observation that I lack anti-virus software, a light bulb went off in my head. I actually do have anti-virus software installed: Panda AV Platinum. BUT, Microsoft phone tech support, as they tried to help me get rid of the smartsecurity infection, advised me to use msconfig to switch from "normal startup" to "selective startup" as a means to isolate the source of the infection. I never reverted to "normal startup." So, the boxes checked now for startup items are: Process SYSTEM.INI file and Process WIN.INI file. "Load system services" and "load startup items" are checked, but they're grayed out.
This is why my AV software isn't showing up! I haven't been loading my normal startup items, including AV software. Ugh!
What do you suggest? Is there any danger in now reverting to "normal startup"?
Is this also the reason my HJT logs are so small?
I did download and run the AVG software, did a full scan, and no viruses or other infections were detected.
I now realize the above msconfig information may have been crucial to your diagnosis of my situation. My apologies. I'd forgotten all about it.
Please advise! And thanks again.
-
Ahhh, yes, but do the following first
I didn't realize you had Panda installed; you don't want to run two anti-virus programs
If you could go to Msconfig and select Normal startup
Don't restart when prompted, instead
Shut down AVG and uninstall it
Restart your computer
Back in Windows, ensure Panda is right up to date
Restart into safe mode
Run a full system scan>>let Panda's fix whatever it finds
Restart your computer after running the scan back into safe mode and run rkfiles.bat
Wait for the log
Restart back to Normal mode
and post the log from Rkfiles and a new Hijackthis log
-
OK, here is what happened: I went to msconfig and selected normal startup. I did not restart immediately but rather shut down AVG and uninstalled it. I then updated Panda AV. I then attempted to restart the computer.
Then: trouble!
My computer got stuck on the first blue screen that says "HP Invent" and I could not get past that screen. None of the F keys had any effect. So, after much frustration, I called HP tech support and they suggested that I might have a buildup of static electricity. They advised me to disconnect all the cables from my computer, then hold down the on/off button for 30 seconds or so, then restart. Amazingly, it worked! Whew!
I was then able to boot up into safe mode, start Panda and run a full system scan. Panda found no infections.
I then ran RKfiles.bat, restarted into normal mode, ran HJT, and here we are:
C:\RKFiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\cpuinf32.dll: UPX!
C:\WINDOWS\system32\DefragH.exe: UPX!
C:\WINDOWS\system32\devil.dll: UPX!
C:\WINDOWS\system32\ilu.dll: UPX!
C:\WINDOWS\system32\ilut.dll: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: >UPX!t
C:\WINDOWS\system32\kl_upx.exe: t[hUPX!
C:\WINDOWS\system32\kl_upx.exe: MThUPX!PQ
C:\WINDOWS\system32\kl_upx.exe: hUPX!
C:\WINDOWS\system32\kl_upx.exe: hUPX!
C:\WINDOWS\system32\kl_upx.exe: hUPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!t
C:\WINDOWS\system32\kl_upx.exe: hUPX!PQ
C:\WINDOWS\system32\kl_upx.exe: JMUPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: JMUPX!
C:\WINDOWS\system32\kl_upx.exe: JMPDUPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!
C:\WINDOWS\system32\kl_upx.exe: UPX!u
C:\WINDOWS\system32\kl_upx.exe: UPX!u
C:\WINDOWS\system32\kl_upx.exe: UPX!u
C:\WINDOWS\system32\kl_upx.exe: JMPOUPX!
C:\WINDOWS\system32\kl_upx.exe: JMPDUPX!
C:\WINDOWS\system32\patin.cpl: UPX!
C:\WINDOWS\system32\rmme3260.dll: +F!f:G!fSG!fmG!f
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\uscscsi.dll: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye
Logfile of HijackThis v1.99.1
Scan saved at 8:33:18 AM, on 4/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
What now?? Thanks again!
-
Can you do me a favor please
Some of the files are legit from RKFiles, but a few are probably nasties
Could you also go to this site please
Give this site time to load
Jotti's Online Malware scan (http://virusscan.jotti.org/)
Use the browse button and navigate to this file on your hard disk
C:\WINDOWS\system32\kl_upx.exe <--this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here please, just the scanner results
Can you scan these files too
C:\WINDOWS\uscscsi.dll
C:\WINDOWS\system32\cpuinf32.dll
C:\WINDOWS\system32\DefragH.exe
C:\WINDOWS\system32\devil.dll
C:\WINDOWS\system32\ilu.dll
C:\WINDOWS\system32\patin.cpl
C:\WINDOWS\system32\rmme3260.dll <--this one may be related to Realplayer
If the scanner shows inconclusive, could you right click on the file, left click Properties
Version tab>>find what it's related to
Do this for any file found inconclusive
-
scanner results for kl_upx.exe:
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing
then:
File: uscscsi.dll
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: UPX
Scanner results
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing
description: Universal control library
then:
File: cpuinf32.dll
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: UPX
Scanner results
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing
This is an unknown application extension
then:
File: DefragH.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: UPX
Scanner results
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing
Application: DefragH
next:
File: devil.dll
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: UPX
Scanner results
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing
Description: DevIL: A portable image library in development from Abysmal Software
next:
File: ilu.dll
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: UPX
Scanner results
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing
Description: ILU: A portable image library in development, Abysmal Software
next:
File: patin.cpl
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: UPX
Scanner results
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing
Description: Access layer configuration tool for VSO softwares, VSO software
next:
File: rmme3260.dll
Status: OK
Packers detected: -
Scanner results
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing
how are we doing?
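As an added example (not from this thread, and not Jotti's own code), here is a small Python triage script that parses results in the layout pasted above and applies the same reasoning the helper uses: any scanner detection counts first, and a UPX-packed file with no hits is only treated as attributed once someone can say whose file it is. The sample input is constructed, and names such as `parse_results`, `triage` and `triage_all` are my own.

```python
import re
# Constructed sample in the layout of the Jotti results pasted above (scanner lines abridged).
SAMPLE = """\
File: uscscsi.dll
Status: MIGHT BE INFECTED/MALWARE (runtime packers were found)
Packers detected: UPX
AntiVir Found nothing
description: Universal control library
File: rmme3260.dll
Status: OK
Packers detected: -
AntiVir Found nothing
File: sample.exe
Status: MIGHT BE INFECTED/MALWARE (runtime packers were found)
Packers detected: UPX
Kaspersky Anti-Virus Found Trojan.Generic
"""
HIT = re.compile(r"^(?P<scanner>.+?) Found (?P<verdict>.+)$")

def parse_results(text):
    """One dict per 'File:' block: packer list, scanner hits and optional description."""
    records = []
    for chunk in re.split(r"(?m)^File: ", text)[1:]:
        lines = chunk.splitlines()
        rec = {"file": lines[0].strip(), "packers": [], "hits": {}, "description": ""}
        for line in lines[1:]:
            if line.startswith("Packers detected:"):
                value = line.split(":", 1)[1].strip()
                rec["packers"] = [] if value == "-" else value.split()
            elif line.lower().startswith("description:"):
                rec["description"] = line.split(":", 1)[1].strip()
            else:
                m = HIT.match(line)
                if m and m["verdict"].strip().lower() != "nothing":
                    rec["hits"][m["scanner"]] = m["verdict"].strip()
        records.append(rec)
    return records

def triage(rec):
    """Same order of reasoning as the thread: detections outrank everything, then packing."""
    if rec["hits"]:
        return "DETECTED"
    if rec["packers"] and not rec["description"]:
        return "CHECK VERSION INFO"   # packed and nobody can say whose file it is
    if rec["packers"]:
        return "PACKED, VENDOR KNOWN"  # noted, not cleared: packing alone is not a verdict
    return "CLEAN"

def triage_all(text):
    return {rec["file"]: triage(rec) for rec in parse_results(text)}
```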
-
I'm not totally convinced about a few of those files
Can you try something for me
Create a new folder on your desktop
Right click an empty spot
Select NEW>>FOLDER
Name it Backups
Do not copy and paste, but instead left click and drag these files into that Backup folder
from where they are now
C:\WINDOWS\system32\kl_upx.exe
C:\WINDOWS\uscscsi.dll
C:\WINDOWS\system32\cpuinf32.dll
C:\WINDOWS\system32\DefragH.exe
C:\WINDOWS\system32\devil.dll
C:\WINDOWS\system32\ilu.dll
C:\WINDOWS\system32\patin.cpl
Then do another scan with hijackthis and with all other windows closed fix checked this entry
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
Restart your computer
Let me know of any problems afterwards
Edit>>This one appears to be legit
C:\WINDOWS\system32\cpuinf32.dll
If you have already moved it from the system32 folder to the backup folder
You can move it back
All other files in the back up folder
Right click on them and left click Properties
Version tab, if supplied, let me know what they're related to
and the date created