Author Topic: Pop ups + tray problem (Read 1330 times)

Plinti · « **on:** January 03, 2005, 03:51:29 PM »

Hi,

I've just found this forum while searching for help in Google.. I hope my questions won't bother you, but I can't figure how to fix my computer..

The pop ups won't stop appearing (in IE at any time, and in Mozilla when it is open), and I can't maximize IE, or it will place itself lower than the tray bar. Also, when I minimize any program, it will always be at the first position in the tools bar, never in its current location.

What can I do to solve this?.. I've tried AdAware, but it has not found anything wrong to fix.

The hijackthis log:

===========

Logfile of HijackThis v1.99.0
Scan saved at 16:33:16, on 3/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
C:\WINDOWS\System32\alg.exe
C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Arquivos de programas\eMule\emule.exe
C:\Arquivos de programas\Kazaa Lite\KazaaLite.kpp
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\AVGFRE~1\avgemc.exe
C:\IntDown\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://wer-mit-wem.webhop.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Arquivos de programas\IEMenuExtension\tbextn.dll (file missing)
O4 - HKLM\..\Run: [mouseElf] C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Arquivos de programas\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AudioHQ] C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://iframedollars.biz/dl/adv408/x.chm::/load.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {9A19966F-AE0E-4699-8CCE-9B6F5F1C352C} (NPKXSite Control) - http://kr.pristontale.com/nprotect/keycryp...pt/npkxsite.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E291AD3-65D3-4154-96CB-17D1FCA333A8}: NameServer = 200.165.132.155 200.149.55.142
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe

===============

Thanks in advance for your patience and help!

guestolo · « **Reply #1 on:** January 03, 2005, 04:45:47 PM »

You have a few different infections in your computer

Let's see what we can cleanup the first time

Can you download a few tools please, yours for free and hang onto

Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version, or the Professional series
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Don't run a scan yet

Download and Install Spybot S&D 1.3
When Installing, please don't enable TEA TIMER, it's a great addon to Spybot but it can get in our way to do any manual fixes.. This can be enabled at a later time if you want it
After installation--Click the Update button on the left, in the window on the right click the
SEARCH FOR UPDATES button, Check and download all updates
Don't run a scan yet

Another great utility to help clean your temp folders,cookies, prefetch folder, etc...
Windows Cleanup
A small download, once it's installed
Don't run a scan yet

Download Hoster by Toadbee
Unzip it to it's own folder

Download DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf
Save this to your desktop for now

You may want to print the rest of this out or save it to a Notepad file on the desktop, ensure that the above spyware removal tools are up to date

RESTART your Computer in SAFE MODE

Open Ad-Aware
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer back into Safe mode to finish the cleaning process

Open Spybot---Click the "Search and Destroy" Button
In the right window, click the
Check for Problems Let it complete it's scanning---Ensure to check and FIX everything in RED---they should be checked by default

RESTART your computer to finish the Cleaning process

In safe mode
Do another scan with Hijackthis and put a check next to these entries:
Not all may be there, but check the below if they exist

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

If you didn't purposely set the next 2, fix them also
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://wer-mit-wem.webhop.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/home

Ensure to fix these ones if present
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Arquivos de programas\IEMenuExtension\tbextn.dll (file missing)

O4 - Startup: PowerReg Scheduler V3.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://iframedollars.biz/dl/adv408/x.chm::/load.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {9A19966F-AE0E-4699-8CCE-9B6F5F1C352C} (NPKXSite Control) - http://kr.pristontale.com/nprotect/keycryp...pt/npkxsite.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Right-click on DelDomains.inf and select: Install
This will remove all entries in the "Trusted Zone" and "Ranges"

Open Cleanup and click on the Cleanup button
Let it finish scanning, when it prompts you to log off and on
Don't, instead open up Hoster and click the "Restore Original Hosts"

Could you at this time restart back into Normal mode

To check for other infections

Download and save to desktop VX2 Finder (126)
Open VX2 Finder and press the "Click to Find VX2.BetterInternet
Press the "Make log"
Copy and paste the entire contents of the log back here

Can you Download DLLCompare

Start the Program and click the Run Locate.com
Default settings should work---C:\Windows\System32 directory
Let it complete the SCAN, which won't take long
Click the Compare button to start the next process.This will take a bit longer.

When it's done click the Make a log of what was found button and post it back here

One last tool
Download Findit.zip

Unzip its contents to its own folder
Open the folder and double click on Find.bat (File with a gear symbol)
Ignore any File not found messages
It runs for a minute, and produces a log
Please copy and paste the log on your next response.

Also post back another fresh hijackthis log
Do as much as you can above, it seems like a bit of work, but all is needed to clean your machine

Plinti · « **Reply #2 on:** January 03, 2005, 10:22:14 PM »

First of all, thank you very much for your help and quick response.

Done everything as you've told me, except for:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/home

Since it's my internet connection provider, I thought it would be better not to clean up this line.

So, the updated logs:

VX2 Finder
================

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
Controls Folder
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon

Guardian Key--- is called:

User Agent String---
{72AB36EE-31E0-4CC6-976A-32AE6865C821}

==================

DLLCompare
==================

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\f6j2lg~1.dll Sat 1 Jan 2005 20:46:44 ..S.R 224.811 219,54 K
C:\WINDOWS\SYSTEM32\hr4s05~1.dll Sat 1 Jan 2005 21:21:18 ..S.R 225.214 219,93 K
C:\WINDOWS\SYSTEM32\hr8605~1.dll Sat 1 Jan 2005 20:58:46 ..S.R 224.958 219,68 K
C:\WINDOWS\SYSTEM32\lv6o09~1.dll Mon 3 Jan 2005 22:36:46 ..S.R 224.856 219,59 K
C:\WINDOWS\SYSTEM32\lv6s09~1.dll Mon 3 Jan 2005 22:28:30 ..S.R 223.717 218,47 K
________________________________________________

1.328 items found: 1.328 files (5 H/S), 0 directories.
Total of file sizes: 255.161.917 bytes 243,34 M

Administrator Account = True

--------------------End log---------------------

================

FindIt
================

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

O volume na unidade C ‚ Lisandra
O n£mero de s‚rie do volume ‚ C4A0-296A

Pasta de C:\WINDOWS\System32

03/01/2005 22:36 224.856 lv6o09j3e.dll
03/01/2005 22:28 223.717 lv6s09j7e.dll
01/01/2005 21:21 225.214 hr4s05h7e.dll
01/01/2005 20:58 224.958 hr8605lse.dll
01/01/2005 20:46 224.811 f6j2lg1o16.dll
22/11/2004 21:26 <DIR> dllcache
5 arquivo(s) 1.123.556 bytes
1 pasta(s) 5.760.028.672 bytes dispon¡veis

------- Hidden Files in System32 Directory -------

O volume na unidade C ‚ Lisandra
O n£mero de s‚rie do volume ‚ C4A0-296A

Pasta de C:\WINDOWS\System32

22/11/2004 21:26 <DIR> dllcache
25/09/2003 14:39 6.696 200309.npl
05/07/2003 03:53 488 WindowsLogon.manifest
05/07/2003 03:53 488 logonui.exe.manifest
05/07/2003 03:52 749 wuaucpl.cpl.manifest
05/07/2003 03:52 749 cdplayer.exe.manifest
05/07/2003 03:52 749 sapi.cpl.manifest
05/07/2003 03:52 749 ncpa.cpl.manifest
05/07/2003 03:52 749 nwc.cpl.manifest
8 arquivo(s) 11.417 bytes
1 pasta(s) 5.760.024.576 bytes dispon¡veis

---------- Files Named "Guard" -------------

O volume na unidade C ‚ Lisandra
O n£mero de s‚rie do volume ‚ C4A0-296A

Pasta de C:\WINDOWS\System32

03/01/2005 22:57 224.847 guard.tmp
1 arquivo(s) 224.847 bytes
0 pasta(s) 5.760.020.480 bytes dispon¡veis

--------- Temp Files in System32 Directory --------

O volume na unidade C ‚ Lisandra
O n£mero de s‚rie do volume ‚ C4A0-296A

Pasta de C:\WINDOWS\System32

03/01/2005 22:57 224.847 guard.tmp
28/10/2001 15:06 2.969 CONFIG.TMP
2 arquivo(s) 227.816 bytes
0 pasta(s) 5.760.020.480 bytes dispon¡veis

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{72AB36EE-31E0-4CC6-976A-32AE6865C821}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv6s09j7e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

---------------- Xfind Results -----------------

C:\WINDOWS\System32\LV6O09~1.DLL +++ File read error

-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
f6j2lg~1.dll Sat 1 Jan 2005 20:46:44 ..S.R 224.811 219,54 K
hr4s05~1.dll Sat 1 Jan 2005 21:21:18 ..S.R 225.214 219,93 K
hr8605~1.dll Sat 1 Jan 2005 20:58:46 ..S.R 224.958 219,68 K
lv6o09~1.dll Mon 3 Jan 2005 22:36:46 ..S.R 224.856 219,59 K
lv6s09~1.dll Mon 3 Jan 2005 22:28:30 ..S.R 223.717 218,47 K

5 items found: 5 files, 0 directories.
Total of file sizes: 1.123.556 bytes 1,07 M

=======================

New hijackthis log
=======================
Logfile of HijackThis v1.99.0
Scan saved at 23:10:46, on 3/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\sm56hlpr.exe
C:\ARQUIV~1\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\devldr32.exe
C:\ARQUIV~1\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\eMule\emule.exe
C:\Arquivos de programas\Kazaa Lite\KazaaLite.kpp
C:\Util\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/home
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [mouseElf] C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Arquivos de programas\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AudioHQ] C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E291AD3-65D3-4154-96CB-17D1FCA333A8}: NameServer = 200.165.132.155 200.149.55.142
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe

====================

Thanks again!

guestolo · « **Reply #3 on:** January 03, 2005, 11:00:37 PM »

1. Download the Pocket Killbox
2.Unzip the contents of KillBox.zip to a convenient location.
3.Double-click on KillBox.exe.
4.Click "Replace on Reboot" and check the "Use Dummy" box.
5.Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\lv6o09j3e.dll

6.Click the "Delete File" button which looks like a stop sign.
7.Click "Yes" at the Replace on Reboot prompt.
8.Click "No" at the Pending Operations prompt.
# Repeat steps 4-8 above for these files:

C:\WINDOWS\System32\lv6s09j7e.dll
C:\WINDOWS\System32\hr4s05h7e.dll
C:\WINDOWS\System32\hr8605lse.dll
C:\WINDOWS\System32\f6j2lg1o16.dll

# Click "Replace on Reboot" and check the "Use Dummy" box.
# Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\Guard.tmp

# Click the "Delete File" button which looks like a stop sign.
# Click "Yes" at the Replace on Reboot prompt.

At this point, ensure that all Other windows are closed down, including this one but leave Killbox open
# Click "Yes" at the Pending Operations prompt to restart your computer.

Once back in windows

Can you download this version of Findit.zip
# Unzip the contents of finditnt2000xp.zip to a convenient location.
# Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
# A command prompt will open and it will search your computer for malicious files.
# Once it has finished a Notepad window will pop up with output.txt.
# Copy the entire contents of output.txt into your next post.

Along with a fresh hijackthis log

Once you post back, try not too restart your computer again until we have tried another fix or the nasty files will keep multiplying

Plinti · « **Reply #4 on:** January 04, 2005, 11:45:04 AM »

Thank you for your help!

So, here are the logs:

FindIT:
===================

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Misc\Find It NT-2K-XP

------- System Files in System32 Directory -------
O volume na unidade C ‚ Lisandra
O n£mero de s‚rie do volume ‚ C4A0-296A

Pasta de C:\WINDOWS\System32

04/01/2005 12:26 56 hr8805lue.dll
04/01/2005 12:04 225.356 h00q0ad5ed0.dll
22/11/2004 21:26 <DIR> dllcache
2 arquivo(s) 225.412 bytes
1 pasta(s) 5.738.717.184 bytes dispon¡veis

------- Hidden Files in System32 Directory -------

O volume na unidade C ‚ Lisandra
O n£mero de s‚rie do volume ‚ C4A0-296A

Pasta de C:\WINDOWS\System32

22/11/2004 21:26 <DIR> dllcache
25/09/2003 14:39 6.696 200309.npl
05/07/2003 03:53 488 WindowsLogon.manifest
05/07/2003 03:53 488 logonui.exe.manifest
05/07/2003 03:52 749 wuaucpl.cpl.manifest
05/07/2003 03:52 749 cdplayer.exe.manifest
05/07/2003 03:52 749 sapi.cpl.manifest
05/07/2003 03:52 749 ncpa.cpl.manifest
05/07/2003 03:52 749 nwc.cpl.manifest
8 arquivo(s) 11.417 bytes
1 pasta(s) 5.738.717.184 bytes dispon¡veis

---------- Files Named "Guard" -------------

O volume na unidade C ‚ Lisandra
O n£mero de s‚rie do volume ‚ C4A0-296A

Pasta de C:\WINDOWS\System32

04/01/2005 12:29 226.031 guard.tmp
1 arquivo(s) 226.031 bytes
0 pasta(s) 5.738.713.088 bytes dispon¡veis

--------- Temp Files in System32 Directory --------

O volume na unidade C ‚ Lisandra
O n£mero de s‚rie do volume ‚ C4A0-296A

Pasta de C:\WINDOWS\System32

04/01/2005 12:29 226.031 guard.tmp
28/10/2001 15:06 2.969 CONFIG.TMP
2 arquivo(s) 229.000 bytes
0 pasta(s) 5.738.708.992 bytes dispon¡veis

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{72AB36EE-31E0-4CC6-976A-32AE6865C821}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\h00q0ad5ed0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
h00q0a~1.dll Tue 4 Jan 2005 12:04:44 ..S.R 225.356 220,07 K
hr8805~1.dll Tue 4 Jan 2005 12:26:56 ..S.R 56 0,05 K

2 items found: 2 files, 0 directories.
Total of file sizes: 225.412 bytes 220,13 K

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mouseElf"="C:\\ARQUIV~1\\GENIUS~1\\GNETMOUS.EXE"
"CloneCDElbyCDFL"="\"C:\\Arquivos de programas\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"AudioHQ"="C:\\Arquivos de programas\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"SMSERIAL"="sm56hlpr.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"QuickTime Task"="\"C:\\Arquivos de programas\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\ARQUIV~1\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\ARQUIV~1\\AVGFRE~1\\avgemc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

=

======================

Hijackthis
======================

Logfile of HijackThis v1.99.0
Scan saved at 12:39:40, on 4/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\sm56hlpr.exe
C:\ARQUIV~1\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Util\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/home
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [mouseElf] C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Arquivos de programas\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AudioHQ] C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E291AD3-65D3-4154-96CB-17D1FCA333A8}: NameServer = 200.165.132.155 200.149.55.142
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe

==========================

Won't be rebooting the machine anymore, 'til next fixes.

Guest · « **Reply #5 on:** January 04, 2005, 12:48:37 PM »

Good work, we still have some more to do, could you open DLLCompare and generate another log from the instructions I gave before, thanks
Try not to reboot
Post back the results

guestolo · « **Reply #6 on:** January 04, 2005, 12:50:27 PM »

Sorry, forgot to login, the above was from me

Plinti · « **Reply #7 on:** January 04, 2005, 02:46:05 PM »

The DLLCompare log:
================

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\h00q0a~1.dll Tue 4 Jan 2005 12:04:44 ..S.R 225.356 220,07 K
C:\WINDOWS\SYSTEM32\hr8805~1.dll Tue 4 Jan 2005 12:26:56 ..S.R 56 0,05 K
________________________________________________

1.329 items found: 1.329 files (2 H/S), 0 directories.
Total of file sizes: 254.265.636 bytes 242,48 M

Administrator Account = True

--------------------End log---------------------

===========

Thank you for your help!

guestolo · « **Reply #8 on:** January 04, 2005, 03:03:21 PM »

You may have a couple infections
Download and save to desktop this Removal Tool developed by Symantec
Don't run it yet

Second---Download and save to desktop The STANDALONE version of CWShredder
Don't run it yet

Do another scan with Hijackthis and put a check next to these entries:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Try this
Double-click on KillBox.exe.
2.Click "Replace on Reboot" and check the "Use Dummy" box.
3.Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\h00q0ad5ed0.dll

4.Click the "Delete File" button which looks like a stop sign.
5.Click "Yes" at the Replace on Reboot prompt.
6.Click "No" at the Pending Operations prompt.
# Repeat steps 2-6 above for these files:

C:\WINDOWS\System32\Guard.tmp

Don't let it reboot yet

Instead
Double-click the FxAgentB removal tool by Symantec to run it.
The program will scan your entire hard drive - this may take a while. When it is done, it will generate a log file called FxAgentB.log - save that information as you will need to paste it here later.
If it prompts you to restart, do so

Double click on CWShredder and Click on the FIX button, let it fix all problems

RESTART your computer
Open Hoster and "Restore Original Hosts"

If Symantec's tool doesn't find anything we will strictly stay with Find.bat

On Restart
Run another scan with Find.bat and post the output.txt
Also include a new log with DLLCompare and another Hijackthis log

Plinti · « **Reply #9 on:** January 04, 2005, 05:05:51 PM »

Done everything as you asked, except for CWShredder. It crashes everytime I execute it..

So, new logs:

Symantec:
============
Symantec Backdoor.Agent.B Removal Tool 1.0.1.2

C:\Games\RagOnline\data\palette\??: (not scanned)
C:\Games\RagOnline\data\palette\?: (not scanned)
C:\System Volume Information: (not scanned)
Backdoor.Agent.B has not been found on your computer.
============

FindIt:
============
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Misc\Find It NT-2K-XP

------- System Files in System32 Directory -------
O volume na unidade C ‚ Lisandra
O n£mero de s‚rie do volume ‚ C4A0-296A

Pasta de C:\WINDOWS\System32

04/01/2005 12:26 56 hr8805lue.dll
22/11/2004 21:26 <DIR> dllcache
1 arquivo(s) 56 bytes
1 pasta(s) 5.704.515.584 bytes dispon¡veis

------- Hidden Files in System32 Directory -------

O volume na unidade C ‚ Lisandra
O n£mero de s‚rie do volume ‚ C4A0-296A

Pasta de C:\WINDOWS\System32

22/11/2004 21:26 <DIR> dllcache
25/09/2003 14:39 6.696 200309.npl
05/07/2003 03:53 488 WindowsLogon.manifest
05/07/2003 03:53 488 logonui.exe.manifest
05/07/2003 03:52 749 wuaucpl.cpl.manifest
05/07/2003 03:52 749 cdplayer.exe.manifest
05/07/2003 03:52 749 sapi.cpl.manifest
05/07/2003 03:52 749 ncpa.cpl.manifest
05/07/2003 03:52 749 nwc.cpl.manifest
8 arquivo(s) 11.417 bytes
1 pasta(s) 5.704.515.584 bytes dispon¡veis

---------- Files Named "Guard" -------------

O volume na unidade C ‚ Lisandra
O n£mero de s‚rie do volume ‚ C4A0-296A

Pasta de C:\WINDOWS\System32

04/01/2005 17:17 56 Guard.tmp
1 arquivo(s) 56 bytes
0 pasta(s) 5.704.511.488 bytes dispon¡veis

--------- Temp Files in System32 Directory --------

O volume na unidade C ‚ Lisandra
O n£mero de s‚rie do volume ‚ C4A0-296A

Pasta de C:\WINDOWS\System32

04/01/2005 17:17 56 Guard.tmp
28/10/2001 15:06 2.969 CONFIG.TMP
2 arquivo(s) 3.025 bytes
0 pasta(s) 5.704.507.392 bytes dispon¡veis

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{72AB36EE-31E0-4CC6-976A-32AE6865C821}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr8805lue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
hr8805~1.dll Tue 4 Jan 2005 12:26:56 ..S.R 56 0,05 K

1 item found: 1 file, 0 directories.
Total of file sizes: 56 bytes 0,05 K

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mouseElf"="C:\\ARQUIV~1\\GENIUS~1\\GNETMOUS.EXE"
"CloneCDElbyCDFL"="\"C:\\Arquivos de programas\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"AudioHQ"="C:\\Arquivos de programas\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"SMSERIAL"="sm56hlpr.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"QuickTime Task"="\"C:\\Arquivos de programas\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\ARQUIV~1\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\ARQUIV~1\\AVGFRE~1\\avgemc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

============

DLLCompare:
============
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\hr8805~1.dll Tue 4 Jan 2005 12:26:56 ..S.R 56 0,05 K
________________________________________________

1.329 items found: 1.329 files (1 H/S), 0 directories.
Total of file sizes: 254.040.336 bytes 242,27 M

Administrator Account = True

--------------------End log---------------------

============

Hijackthis:
============
Logfile of HijackThis v1.99.0
Scan saved at 18:00:53, on 4/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\sm56hlpr.exe
C:\ARQUIV~1\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\eMule\emule.exe
C:\Arquivos de programas\Kazaa Lite\KazaaLite.kpp
C:\Util\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/home
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [mouseElf] C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Arquivos de programas\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AudioHQ] C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E291AD3-65D3-4154-96CB-17D1FCA333A8}: NameServer = 200.165.132.155 200.149.55.142
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe

============

Thank you for all your patience and help!

guestolo · « **Reply #10 on:** January 04, 2005, 05:10:18 PM »

Hold tight, I'll post back right away

Can you save this to a notepad file on desktop for easy access and then Disconnect completely from the Internet

Do another scan with Hijackthis and put a check next to these entries:

O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

After you have ticked the above entries, close All other open windows, including this one

Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Double-click on KillBox.exe.
1.Click Tools>>Delete Temp files
2.Click "Replace on Reboot" and check the "Use Dummy" box.
3.Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\hr8805lue.dll

4.Click the "Delete File" button which looks like a stop sign.
5.Click "Yes" at the Replace on Reboot prompt.
6.Click "No" at the Pending Operations prompt.
# Repeat steps 2-5 above for this file:
At step 6 click yes for this full path

C:\WINDOWS\System32\Guard.tmp

Let it Restart your computer

Back in Windows Open Hoster again and Restore Original Hosts

Post back a fresh Hijackthis log and Find.bat output.txt log
Hopefully all we'll have left after is some final cleanup
Just got to keep hitting this thing until it's all gone

Plinti · « **Reply #11 on:** January 05, 2005, 12:20:29 AM »

New logs are on the way!

output.txt:
============
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Misc\Find It NT-2K-XP

------- System Files in System32 Directory -------
O volume na unidade C ‚ Lisandra
O n£mero de s‚rie do volume ‚ C4A0-296A

Pasta de C:\WINDOWS\System32

22/11/2004 21:26 <DIR> dllcache
0 arquivo(s) 0 bytes
1 pasta(s) 5.677.359.104 bytes dispon¡veis

------- Hidden Files in System32 Directory -------

O volume na unidade C ‚ Lisandra
O n£mero de s‚rie do volume ‚ C4A0-296A

Pasta de C:\WINDOWS\System32

22/11/2004 21:26 <DIR> dllcache
25/09/2003 14:39 6.696 200309.npl
05/07/2003 03:53 488 WindowsLogon.manifest
05/07/2003 03:53 488 logonui.exe.manifest
05/07/2003 03:52 749 wuaucpl.cpl.manifest
05/07/2003 03:52 749 cdplayer.exe.manifest
05/07/2003 03:52 749 sapi.cpl.manifest
05/07/2003 03:52 749 ncpa.cpl.manifest
05/07/2003 03:52 749 nwc.cpl.manifest
8 arquivo(s) 11.417 bytes
1 pasta(s) 5.677.359.104 bytes dispon¡veis

---------- Files Named "Guard" -------------

O volume na unidade C ‚ Lisandra
O n£mero de s‚rie do volume ‚ C4A0-296A

Pasta de C:\WINDOWS\System32

05/01/2005 01:01 56 Guard.tmp
1 arquivo(s) 56 bytes
0 pasta(s) 5.677.355.008 bytes dispon¡veis

--------- Temp Files in System32 Directory --------

O volume na unidade C ‚ Lisandra
O n£mero de s‚rie do volume ‚ C4A0-296A

Pasta de C:\WINDOWS\System32

05/01/2005 01:01 56 Guard.tmp
28/10/2001 15:06 2.969 CONFIG.TMP
2 arquivo(s) 3.025 bytes
0 pasta(s) 5.677.350.912 bytes dispon¡veis

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{72AB36EE-31E0-4CC6-976A-32AE6865C821}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr8805lue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------------ Locate.com Results ------------------

No matches found.

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mouseElf"="C:\\ARQUIV~1\\GENIUS~1\\GNETMOUS.EXE"
"CloneCDElbyCDFL"="\"C:\\Arquivos de programas\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"AudioHQ"="C:\\Arquivos de programas\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"SMSERIAL"="sm56hlpr.exe"
"QuickTime Task"="\"C:\\Arquivos de programas\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\ARQUIV~1\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\ARQUIV~1\\AVGFRE~1\\avgemc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

============

Hijackthis:
============
Logfile of HijackThis v1.99.0
Scan saved at 01:08:00, on 5/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\sm56hlpr.exe
C:\ARQUIV~1\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Util\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/home
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [mouseElf] C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Arquivos de programas\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AudioHQ] C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe

============

Thanks in advance!

guestolo · « **Reply #12 on:** January 05, 2005, 12:35:23 AM »

Let's try some final cleanup
I still see Guards.tmp hasn't disappeared yet

Let's hope you don't get reinfected

Try this

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
Click File>>Save as
IMPORTANT>>Change the Save as Type to All Files.
Name the file as fixVX2.reg

Save this file on the desktop

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]"{72AB36EE-31E0-4CC6-976A-32AE6865C821}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory]

Double click on fixVX2.reg and allow it to merge to the registry

# Double-click on KillBox.exe.
# In the File menu click "Delete all Dummy files".
# In the Tools menu click "Delete Temp Files".
# Choose "Standard File Kill" if not already selected.
# Paste these files one by one into the top "Full Path of File to Delete" box.

C:\RECYCLER\desktop.ini
C:\WINDOWS\System32\drivers\etc\HOSTS
C:\WINDOWS\System32\Guard.tmp
C:\WINDOWS\System32\hr8805lue.dll

# Click the "Delete File" button which looks like a stop sign.
# Click "Yes" at the Confirm Delete prompt.
# It should give you a successful "File was deleted" prompt for each one.

For any one that can't be deleted or not found use the Replace on Reboot--Use dummy file method

Click YES on the last one to Restart your computer or Restart anyways

Once back in Windows
Open Hoster and allow it to create a Host file---Restore Original Hosts

Open VX2 Finder and click to find VX2.betterInternet
On the Right hand side click the RESTORE POLICY

Restart again

Look for this file and make sure it's gone
C:\WINDOWS\System32\Guard.tmp <--file

Post back one more hijackthis log and one more output.txt from find.bat
That should hopefully get you clean, but we better double check

Plinti · « **Reply #13 on:** January 05, 2005, 06:18:32 PM »

New logs:

output.txt
============
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------------ Locate.com Results ------------------

No matches found.

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mouseElf"="C:\\ARQUIV~1\\GENIUS~1\\GNETMOUS.EXE"
"CloneCDElbyCDFL"="\"C:\\Arquivos de programas\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"AudioHQ"="C:\\Arquivos de programas\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"SMSERIAL"="sm56hlpr.exe"
"QuickTime Task"="\"C:\\Arquivos de programas\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\ARQUIV~1\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\ARQUIV~1\\AVGFRE~1\\avgemc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
============

Hijackthis
============
Logfile of HijackThis v1.99.0
Scan saved at 19:03:13, on 5/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\sm56hlpr.exe
C:\ARQUIV~1\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe
C:\Util\HijackThis.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/home
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [mouseElf] C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Arquivos de programas\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AudioHQ] C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E291AD3-65D3-4154-96CB-17D1FCA333A8}: NameServer = 200.165.132.155 200.149.55.142
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe

============

thank you!

guestolo · « **Reply #14 on:** January 05, 2005, 08:44:14 PM »

Hi again Plinti, Unfortunately you didn't supply the whole output.txt log from find.bat

If you wouldn't mind showing me another one with a fresh hijackthis log that would be great, let's make sure that we got you totally clean

To enhance your privacy and security
You should set up protection against future attacks

You should install these 2 apps., they add extra security while
silently protectin you , without running in the background

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link==Download link
Scroll down and click on IE-SPYAD.EXE Free! or IE-SPYAD2.EXE Free!

Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection(All users) on your computer
You only need one or the other

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Hold onto Ad-Aware and check for updates every couple of weeks and run a scan
You may choose to do a System Smart scan which is quicker, do a Full Scan once in awhile
Hold onto Spybot and check for updates and run a scan every couple of weeks
To add a little more added protection
Open Spybot>>Click Immunize>>OK>>Immunize at the top
Do this after every update

Hold onto Windows CleanUp!, cleanup those temp folders, etc.. every couple of weeks>>I like to do this in safe mode

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

I also noticed that your behind on Windows updates, It's important to keep up on the updates to help keep your system Secure
If you have a legitimate version of Windows XP there is no reason not too.
If your not ready to install Service Pack 2>>There are certain steps I like to do before installation, I can help you out if you decide to go this route

At minimum Install Service Pack 1a---Restart when prompted and then visit Windows Updates and get all latest Critical Updates
Not including Recommended updates and SP2
Let's make sure your clean first and clear out your System Restore Points beforehand>>Don't need you restoring any Nasties
But go ahead and install Spyware Blaster and IE-Spyad for now, very much recommended

Plinti · « **Reply #15 on:** January 05, 2005, 09:08:46 PM »

Sorry, I did not notice I had not selected all the text before ctrl+c..

Here it is, the full output.txt:

=====
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Misc\Find It NT-2K-XP

------- System Files in System32 Directory -------
O volume na unidade C ‚ Lisandra
O n£mero de s‚rie do volume ‚ C4A0-296A

Pasta de C:\WINDOWS\System32

22/11/2004 21:26 <DIR> dllcache
0 arquivo(s) 0 bytes
1 pasta(s) 5.669.924.864 bytes dispon¡veis

------- Hidden Files in System32 Directory -------

O volume na unidade C ‚ Lisandra
O n£mero de s‚rie do volume ‚ C4A0-296A

Pasta de C:\WINDOWS\System32

22/11/2004 21:26 <DIR> dllcache
25/09/2003 14:39 6.696 200309.npl
05/07/2003 03:53 488 WindowsLogon.manifest
05/07/2003 03:53 488 logonui.exe.manifest
05/07/2003 03:52 749 wuaucpl.cpl.manifest
05/07/2003 03:52 749 cdplayer.exe.manifest
05/07/2003 03:52 749 sapi.cpl.manifest
05/07/2003 03:52 749 ncpa.cpl.manifest
05/07/2003 03:52 749 nwc.cpl.manifest
8 arquivo(s) 11.417 bytes
1 pasta(s) 5.669.924.864 bytes dispon¡veis

---------- Files Named "Guard" -------------

O volume na unidade C ‚ Lisandra
O n£mero de s‚rie do volume ‚ C4A0-296A

Pasta de C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

O volume na unidade C ‚ Lisandra
O n£mero de s‚rie do volume ‚ C4A0-296A

Pasta de C:\WINDOWS\System32

28/10/2001 15:06 2.969 CONFIG.TMP
1 arquivo(s) 2.969 bytes
0 pasta(s) 5.669.916.672 bytes dispon¡veis

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------------ Locate.com Results ------------------

No matches found.

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mouseElf"="C:\\ARQUIV~1\\GENIUS~1\\GNETMOUS.EXE"
"CloneCDElbyCDFL"="\"C:\\Arquivos de programas\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"AudioHQ"="C:\\Arquivos de programas\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"SMSERIAL"="sm56hlpr.exe"
"QuickTime Task"="\"C:\\Arquivos de programas\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\ARQUIV~1\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\ARQUIV~1\\AVGFRE~1\\avgemc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
=====

And a fresh hijackthis:

=====
Logfile of HijackThis v1.99.0
Scan saved at 22:00:25, on 5/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\sm56hlpr.exe
C:\ARQUIV~1\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe
C:\Util\HijackThis.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/home
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [mouseElf] C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Arquivos de programas\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AudioHQ] C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E291AD3-65D3-4154-96CB-17D1FCA333A8}: NameServer = 200.165.132.155 200.149.55.142
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe

=====

guestolo · « **Reply #16 on:** January 05, 2005, 09:26:25 PM »

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' /> Looks good
Take a look at what I suggested in my last reply to you

But first if everything is running better, as I mentioned this would be a good time to Clear all your Restore Points>>Don't need no Nasties returning in case you must use this feature in the future

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/wink.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Simply Disable System Restore>>Restart your Computer>>Enable System Restore
This will Clear all your Restore Points and Create a new one once reenabled
Link will show you how
http://vil.nai.com/vil/SystemHelpDocs/Disa...eSysRestore.htm

Seeing as you don't have Service Pack 2 installed, do you need a free Popup blocker?
You may want to check out the Google Toolbar http://toolbar.google.com/
This is too eliminate those everyday popups that we may get or not get.....
If you situate Google toolbar correctly, you can place it beside your IE address bar and it won't take up much room, check out it's options, you actually don't need the whole bar showing if you don't want it.....But the popup blocker still does it's job

Have you disabled Messenger and Alerter in Services?
If your unsure and need a hand, let me know

If you have a legit version of Windows and decide to Install SP1a
You may want to shut down your Download manager beforehand, just in case of conflicts
And please scan anything you download with AVG from any File Sharing software you have
Don't forget to check for updates with AVG twice a week
Simply double click the AVG icon by the System clock and click the Check for updates button....

TheTechGuide Forum

News:

Author Topic: Pop ups + tray problem (Read 1330 times)

Plinti

Pop ups + tray problem

guestolo

Pop ups + tray problem

Plinti

Pop ups + tray problem

guestolo

Pop ups + tray problem

Plinti

Pop ups + tray problem

Guest

Pop ups + tray problem

guestolo

Pop ups + tray problem

Plinti

Pop ups + tray problem

guestolo

Pop ups + tray problem

Plinti

Pop ups + tray problem

guestolo

Pop ups + tray problem

Plinti

Pop ups + tray problem

guestolo

Pop ups + tray problem

Plinti

Pop ups + tray problem

guestolo

Pop ups + tray problem

Plinti

Pop ups + tray problem

guestolo

Pop ups + tray problem