Author Topic: I have rundll32 problems....log inside!

jcurrieirocz

  • Guest
I have rundll32 problems....log inside!
« on: December 30, 2004, 05:17:56 PM »
Hello, can someone help me? Thanks!

Logfile of HijackThis v1.98.2
Scan saved at 5:13:12 PM, on 12/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LABTEC\LABTEC MOUSE SOFTWARE\2.0\MOUSE32A.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-CA\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\WAREZ P2P CLIENT\WAREZ.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\KODAK SOFTWARE UPDATER.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cg...k=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cg...k=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.pei.sympatico.ca"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [FLMLABTECMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WORKFLOW] D:\WORKFLOW.EXE
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [warez] "C:\PROGRAM FILES\WAREZ P2P CLIENT\WAREZ.EXE" -h
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1063 (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusin...nfo/webscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200412...llInstaller.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
I have rundll32 problems....log inside!
« Reply #1 on: December 30, 2004, 09:54:07 PM »
Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version, or the Professional series
Open Ad-Aware, make sure to click the Check for updates online link and Connect to download the latest updates
RESTART your computer into Safe mode
You can enter safe mode by continually tapping the F8 key when the system is booting up
Or follow these instructions
Start your computer in SAFE MODE

Open Ad-Aware
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All Objects" option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

Restart back into Normal Mode

I see you have done an Online AV scan at Housecall's,
Can you try one at RAV's
http://www.ravantivirus.com/scan/

When you access that link with Internet Explorer
click on the "To Continue without subscribing click here" link
It will load the activex and definition files

Ensure that all the top entries are checked
Autoclean--Inside Archives---Unpack Executables---Smart Scan

Then click the Scan my PC button
Let it completely finish scanning
Copy and Paste the results back here


Can you also download and save to desktop
LSP fix
Open the program and let me know what you see in the KEEP side
Also let me know what you see in the REMOVE side
Exit out of the program for now by clicking the X button

Not sure exactly what you mean by this
"I have rundll32 problems"
Can you explain

Let's try replacing rundll32.exe and see if that helps; we may have to do it after a good cleaning of your machine, or try it before
Download and save to desktop
rundll32_98.zip

You will have to Right click on that link and Copy Shortcut
Paste it to the IE address bar and hit GO
UNZIP the contents to your C:\WINDOWS folder


Do all the above if you can and then we'll try some manual cleaning on your log
But first, update your version of Hijackthis to the latest
Open Hijackthis>>Config>>Misc Tools>>Check for updates Online
If for some reason it won't update download the latest version from
This Link--CLICK HERE or This Link--CLICK HERE
Save it to C:\UNZIPPED\HIJACKTHIS folder and allow it to overwrite the old version if prompted
Post back with a fresh Hijackthis log from version 1.99
« Last Edit: December 30, 2004, 09:57:32 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
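Reading the log the way guestolo does above, here is an added Python example (not from the thread, and not part of HijackThis or any tool named in it) that parses the entry lines and flags the same things: a search page on a non-Microsoft host, an orphaned toolbar whose file is missing, Run/RunServices entries that name a bare executable, a repeated unknown Winsock LSP module, and the blanked IERESET.INF start page. The sample lines are copied from the first post (search URL shortened to its host, truncated O16 lines left out); the allow-list of stock Windows 98 startup names and the trusted search hosts are my assumptions.

```python
# Added triage example for HijackThis v1.9x logs; not part of HijackThis or any
# tool named in this thread. Sample lines are copied from the first log posted
# above (search URL shortened to its host, truncated O16 lines left out).
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\lspak.dll
O14 - IERESET.INF: START_PAGE_URL=
"""

# Assumption: startup entries Windows 98 registers itself by bare filename.
STOCK_BARE_NAMES = {"systray.exe", "mstask.exe", "rundll32.exe"}
# Assumption: hosts allowed to own IE's default search and start pages.
TRUSTED_SEARCH_SUFFIXES = ("microsoft.com", "msn.com")
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def first_token(cmd: str) -> str:
    """Executable part of an O4 command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def untrusted_search_host(body: str) -> Optional[str]:
    """Host of an R0/R1 value when it is a URL outside the trusted set."""
    if " = " not in body:
        return None
    value = body.split(" = ", 1)[1].strip()
    if not value.lower().startswith(("http://", "https://")):
        return None  # %START_PAGE_URL% and local .htm paths are not hijacks
    host = (urlparse(value).hostname or "").lower()
    return host if host and not host.endswith(TRUSTED_SEARCH_SUFFIXES) else None


def triage(log_text: str) -> List[Finding]:
    """Apply the checks the helper applied in this thread to every log entry."""
    findings: List[Finding] = []
    lsp_seen: Counter = Counter()
    lsp_first: Dict[str, str] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, "Running processes" paths, blank lines
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            host = untrusted_search_host(body)
            if host:
                findings.append(Finding(sec, f"search/start page redirected to {host}", line))
        elif sec == "O3" and body.endswith("(file missing)"):
            findings.append(Finding(sec, "toolbar registered but its DLL is gone (orphan)", line))
        elif sec == "O4":
            rm = RUN_RE.match(body)
            if rm:
                exe = first_token(rm.group("cmd"))
                bare = "\\" not in exe and ":" not in exe  # no directory, no drive letter
                if bare and exe.lower() not in STOCK_BARE_NAMES:
                    findings.append(Finding(sec, f"{rm.group('key')} [{rm.group('name')}] is a bare filename; locate {exe} on disk", line))
        elif sec == "O10" and body.startswith("Unknown file in Winsock LSP: "):
            module = body.split(": ", 1)[1].lower()
            lsp_seen[module] += 1
            lsp_first.setdefault(module, line)
        elif sec == "O14" and body.startswith("IERESET.INF:") and body.endswith("="):
            findings.append(Finding(sec, "IERESET.INF default start page blanked", line))
    # One finding per LSP module: the log in the first post listed lspak.dll seven times.
    for module, count in lsp_seen.items():
        findings.append(Finding("O10", f"unknown Winsock LSP {module} chained {count} times", lsp_first[module]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```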


jcurrieirocz

  • Guest
I have rundll32 problems....log inside!
« Reply #2 on: January 02, 2005, 04:10:49 PM »
OK, I tried everything you said and everything went OK except when I tried to download the rundll zip file; an error message came up saying "Your current security settings do not allow this file to be downloaded". I even messed around changing my IE security settings and still got that message no matter where I set them.

And to reply in order, here's what you requested:

A - Ad-Aware scan completed in safe mode and deleted all items that came up.

B - I ran RAV and it came up with nothing:
Scan started at 1/2/05 3:04:52 PM
 
Scanning memory...

Scanned
============================
   Objects: 19714
   Directories: 1697
   Archives: 1078
   Size(Kb): 605088
   Infected files: 0

Found
============================
   Viruses found: 0
   Suspicious files: 0
   Disinfected files: 0
   Mail files: 363

C - For the LSP fix, in the Keep side I have:

rnr20.dll        DNS Name Space Provider
mswsosp.dll  (Protocol handler)
msafd.dll      (Protocol handler)
rsvpsp.dll     (Protocol handler)
 
And in the Remove side there is nothing.

D - By "rundll32 problems" I think I have the virus type seen HERE. The whole reason I think I have problems is I'm running "Sygate Personal Firewall" and I can see, and have to block, a few things so I don't get a bunch of stuff automatically downloaded to my computer and opened on its own, like spyware, pop-up ads and stuff that shows up in my favorites in IE. There's something on my computer, I think, looking to pull stuff into it, I'm guessing. As soon as I unblock some of the stuff that's trying to get through, it infects my computer. So to combat back I am running things right now such as SpywareBlaster, Spybot Search and Destroy, Bazooka scanner, Sygate firewall, Pop-up Stopper and now Ad-Aware SE. But any time I turn off my firewall I am infected again.
 
E - I am not able for some reason (I can't figure out) to download the rundll zip.

F - Here's my new log:

Logfile of HijackThis v1.99.0
Scan saved at 3:42:16 PM, on 1/2/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LABTEC\LABTEC MOUSE SOFTWARE\2.0\MOUSE32A.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-CA\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\WAREZ P2P CLIENT\WAREZ.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\JEFFS STUFF\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.pei.sympatico.ca"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [FLMLABTECMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WORKFLOW] D:\WORKFLOW.EXE
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [warez] "C:\PROGRAM FILES\WAREZ P2P CLIENT\WAREZ.EXE" -h
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusin...nfo/webscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200412...llInstaller.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab



Thank you for your time, I hope I can get my problems licked!

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
I have rundll32 problems....log inside!
« Reply #3 on: January 02, 2005, 04:37:21 PM »
Well, let's try this
LSP fix and Hijackthis has shown that the Winsock hijacker is no longer present

Download this removal tool for the SDBot virus>>>save it to your desktop but don't run it yet
ftp://ftp.f-secure.com/anti-virus/tools/f-sdbot.exe

Could you also download and save to desktop the Standalone version of CWShredder
CWShredder.exe
Don't run it yet

Could you also go to this site and see if you can download your version of Rundll32.zip
Save it to your desktop
Don't unzip it yet

Try your other browser if you can't get IE to download the above tools
I'm assuming that you have Netscape installed

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as IEfix.reg
This will restore your default start page and search settings back to Microsoft's defaults

Quote
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"=dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

Please print this out or save to a notepad file
Disconnect from the Internet
Restart your computer into safe mode

Navigate to your Temp folders and delete the Whole contents, or whatever you can, but Don't delete the Temp directories themselves
C:\Windows\Temp
C:\Windows\Temporary Internet Files

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe

O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe

O14 - IERESET.INF: START_PAGE_URL=


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Run the Removal tool from f-secure
Wait for the results

Double click on IEfix.reg and allow it to merge to the Registry

Next Run CWShredder and click the FIX button, let it fix all problems

Unzip rundll32.exe to your C:\WINDOWS folder

Restart your computer back to Normal Mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Post back a Fresh Hijackthis log
Could you also open up Spybot and click on HELP>>ABOUT
Let me know version and Latest detection date, thanks

Do as much of the above as you can before posting back a new hijackthis log
Also let me know if you're having troubles with Norton's AV
This line indicates you may be
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
Notice the file missing at the end
« Last Edit: January 02, 2005, 04:45:21 PM by guestolo »



Guest

  • Guest
I have rundll32 problems....log inside!
« Reply #4 on: January 03, 2005, 12:27:36 PM »
Ok here goes:

I did everything you said; some worked and some didn't.

A: I downloaded the 2 exe files and the zip file. DONE

B: I created the reg file. DONE

C: Disconnected and restarted in safe mode, deleted the contents of both temp folders like you said. DONE

D: Ran HijackThis and deleted the 4 items I checked off. DONE

E: I ran the F-Secure tool but it came up "No infection found". DONE

F: I clicked the .reg file I made and let it merge to the registry successfully. DONE

G: I tried to run CWShredder but got an "Error starting program": A required .dll file, OLEACC.DLL was not found. (NOT DONE)

H: I tried to unzip rundll32.exe to my C:\WINDOWS folder and got an error:
Extracting to "C:\WINDOWS\"
Use Path: yes   Overlay Files: yes
Error:  The process cannot access the file because
it is being used by another process.
Cannot create C:\WINDOWS\rundll32.exe
(NOT DONE)

I: I restarted my computer back to Normal Mode and did everything you said in Internet Options via Control Panel. DONE

J: Here's my new log:
Logfile of HijackThis v1.99.0
Scan saved at 12:18:28 PM, on 1/3/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LABTEC\LABTEC MOUSE SOFTWARE\2.0\MOUSE32A.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-CA\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\WAREZ P2P CLIENT\WAREZ.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\JEFFS STUFF\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.pei.sympatico.ca"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [FLMLABTECMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WORKFLOW] D:\WORKFLOW.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [warez] "C:\PROGRAM FILES\WAREZ P2P CLIENT\WAREZ.EXE" -h
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusin...nfo/webscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200412...llInstaller.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

K: My version of Spybot is 1.3, and today when you asked me to look the last detection date was 2004/10/26, so then I checked for an update and downloaded the latest, did a scan and deleted the items it found, and checked the detection date again and now it is 2004/12/17.

L: The Norton AntiVirus I did have was a trial and it ran out, and I deleted it off my computer a few months back, so I don't use it anymore anyhow.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
I have rundll32 problems....log inside!
« Reply #5 on: January 03, 2005, 03:42:58 PM »
Can you try this for me
Download this version of CWShredder.exe

Don't run it yet
Instead----
Do another scan with Hijackthis and put a check next to these entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =


O14 - IERESET.INF: START_PAGE_URL=


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Double click on IEFix.reg and let it merge

Try running that version of CWShredder and click the FIX button

Restart your computer when It's done

Post back a fresh hijackthis log
Do what you can from above before posting back

Do you have your Windows CD? If CWShredder won't run we may have to run
System File Checker and replace some files
This can be done by going to START>>RUN>>type in sfc and hit OK

We will also want to totally clean you of Norton's AV, if that's the outdated trial version I see running in your O4 run entries
Not sure what version you have, but Symantec has instructions
I'll assume 2004
Follow the instructions from this link
We should get you protection on your computer once it's uninstalled completely
I have a link to a free AV



jcurrieirocz

  • Guest
I have rundll32 problems....log inside!
« Reply #6 on: January 04, 2005, 11:56:38 AM »
OK, I've tried uninstalling Norton and I think it's gone; I can't find any evidence of it on my computer anywhere, but HijackThis seems to be still showing it. What was that link you have for me... I have been looking for a good free AV.
I did everything you asked and it all went well; that CWShredder worked. Here's the new log:

Logfile of HijackThis v1.99.0
Scan saved at 11:53:48 AM, on 1/4/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LABTEC\LABTEC MOUSE SOFTWARE\2.0\MOUSE32A.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-CA\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOCUMENTS\JEFFS STUFF\HIJACKTHIS.EXE

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.pei.sympatico.ca"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [FLMLABTECMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WORKFLOW] D:\WORKFLOW.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusin...nfo/webscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200412...llInstaller.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

jcurrieirocz

  • Guest
I have rundll32 problems....log inside!
« Reply #7 on: January 04, 2005, 12:08:40 PM »
Oh, forgot to say: I still have 3 applications coming up in my firewall that I still have to keep blocked or I get infected. Here's a screenshot of those applications (notice the first, third and fourth):

here

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
I have rundll32 problems....log inside!
« Reply #8 on: January 04, 2005, 01:01:50 PM »
Ahh, I'm starting to see what infection you may have
Can you do me a favor
Download and Unzip to a folder
findit.zip
Open the folder and double click on the Find.bat file
Ignore any File not found messages
It runs for a minute or longer, and produces a log
Please copy and paste the log on your next response.

Can you Download DLLCompare

Start the Program and click the Run Locate.com

Let it complete the SCAN, which won't take long
Click the Compare button to start the next process. This will take a bit longer.

When it's done click the Make a log of what was found button and post it back here

One last request
Download and save to desktop
VX2 Finder
Open it and click the "Click to Find VX2.betterinternet"
When it's done scanning click the Make log and post it back here

Please don't try and reboot your computer until we have tried some fixes

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


jcurrieirocz

  • Guest
I have rundll32 problems....log inside!
« Reply #9 on: January 04, 2005, 11:03:19 PM »
OK.
Here's everything findit gave me:

Beginning Strings.exe search...this portion of the search
can take several minutes, please allow it to run until
the log appears.
header.txt
system.txt
hidden.txt
useragent.txt
locate.txt
qoologic.txt
aspack.txt
umonitor.txt
runkey.txt
        1 file(s) copied

After copying and pasting your logfile, please press a key.

Press any key to continue . . .

Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.
 
 ------- System Files in System Directory -------
 

 Volume in drive C has no label
 Volume Serial Number is 1E42-14E9
 Directory of C:\WINDOWS\SYSTEM

MXPRINT  DLL       312,680  10-08-04 10:51a MxPRINT.DLL
DKKMAINT DLL       312,680  10-08-04 10:51a DkKMAINT.DLL
CHMMCTRL DLL       312,680  10-08-04 10:51a ChMMCTRL.DLL
MMPRINT2 DLL       312,680  10-08-04 10:51a MmPRINT2.DLL
NISWAN32 DLL       312,680  10-08-04 10:51a NiSWAN32.DLL
WGOCK32  DLL       312,680  10-08-04 10:51a WgOCK32.DLL
         6 file(s)      1,876,080 bytes
         0 dir(s)        5,459.91 MB free
 
 ------- Hidden Files in System Directory -------
 

 Volume in drive C has no label
 Volume Serial Number is 1E42-14E9
 Directory of C:\WINDOWS\SYSTEM

MXPRINT  DLL       312,680  10-08-04 10:51a MxPRINT.DLL
DKKMAINT DLL       312,680  10-08-04 10:51a DkKMAINT.DLL
CHMMCTRL DLL       312,680  10-08-04 10:51a ChMMCTRL.DLL
MMPRINT2 DLL       312,680  10-08-04 10:51a MmPRINT2.DLL
NISWAN32 DLL       312,680  10-08-04 10:51a NiSWAN32.DLL
WGOCK32  DLL       312,680  10-08-04 10:51a WgOCK32.DLL
FOLDER   HTT        12,746  08-13-01  1:58p folder.htt
DESKTOP  INI           266  08-13-01  1:58p desktop.ini
         8 file(s)      1,889,092 bytes
         0 dir(s)        5,459.89 MB free
 
 ---------------- User Agent ------------
 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{01F6C7C1-1918-11D9-B016-00095B1FAD7B}"=""

 
 ------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
   mxprint.dll    Fri Oct  8 2004  10:51:30a  ..SHR        312,680   305.35 K
   dkkmaint.dll   Fri Oct  8 2004  10:51:30a  ..SHR        312,680   305.35 K
   chmmctrl.dll   Fri Oct  8 2004  10:51:30a  ..SHR        312,680   305.35 K
   mmprint2.dll   Fri Oct  8 2004  10:51:30a  ..SHR        312,680   305.35 K
   niswan32.dll   Fri Oct  8 2004  10:51:30a  ..SHR        312,680   305.35 K
   wgock32.dll    Fri Oct  8 2004  10:51:30a  ..SHR        312,680   305.35 K

6 items found:  6 files, 0 directories.
   Total of file sizes:  1,876,080 bytes      1.79 M
 
 ------------ Strings.exe Qoologic Results ------------
 
 
 -------------- Strings.exe Aspack Results -------------
 
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\SYSTEM\lame_enc.dll: .aspack
C:\WINDOWS\SYSTEM\NCTAudioFile.dll: .aspack
C:\WINDOWS\SYSTEM\NCTAudioInformation2.dll: .aspack
C:\WINDOWS\SYSTEM\NCTAudioPlayer.dll: .aspack
C:\WINDOWS\SYSTEM\NCTWMAFile.dll: .aspack
 
 ----------------- HKLM Run Key ------------------
 
 -------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\MxPRINT.DLL: rundll32.exe %s,UMonitor %s %s
C:\WINDOWS\SYSTEM\MxPRINT.DLL: UMonitor
C:\WINDOWS\SYSTEM\DkKMAINT.DLL: rundll32.exe %s,UMonitor %s %s
C:\WINDOWS\SYSTEM\DkKMAINT.DLL: UMonitor
C:\WINDOWS\SYSTEM\ChMMCTRL.DLL: rundll32.exe %s,UMonitor %s %s
C:\WINDOWS\SYSTEM\ChMMCTRL.DLL: UMonitor
C:\WINDOWS\SYSTEM\MmPRINT2.DLL: rundll32.exe %s,UMonitor %s %s
C:\WINDOWS\SYSTEM\MmPRINT2.DLL: UMonitor
C:\WINDOWS\SYSTEM\NiSWAN32.DLL: rundll32.exe %s,UMonitor %s %s
C:\WINDOWS\SYSTEM\NiSWAN32.DLL: UMonitor
C:\WINDOWS\SYSTEM\WgOCK32.DLL: rundll32.exe %s,UMonitor %s %s
C:\WINDOWS\SYSTEM\WgOCK32.DLL: UMonitor
 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"RegShave"="C:\\Progra~1\\REGSHAVE\\REGSHAVE.EXE /autorun"
"FLMLABTECMOUSE"="C:\\Program Files\\Labtec\\Labtec Mouse Software\\2.0\\mouse32a.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"WORKFLOW"="D:\\WORKFLOW.EXE"
"SmcService"="C:\\PROGRA~1\\SYGATE\\SPF\\SMC.EXE -startgui"
"msnappau"="\"c:\\program files\\MSN Apps\\Updater\\01.02.3000.1001\\en-ca\\msnappau.exe\""
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"KodakCCS"="C:\\WINDOWS\\System32\\Drivers\\KodakCCS.exe"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"CreateCD"="C:\\PROGRA~1\\ADAPTEC\\EASYCD~1\\CREATECD\\CREATECD.EXE -r"

Here's my DLLCompare log:

 *    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\mxprint.dll    Fri Oct  8 2004  10:51:30a  ..SHR        312,680   305.35 K
C:\WINDOWS\SYSTEM\dkkmaint.dll   Fri Oct  8 2004  10:51:30a  ..SHR        312,680   305.35 K
C:\WINDOWS\SYSTEM\chmmctrl.dll   Fri Oct  8 2004  10:51:30a  ..SHR        312,680   305.35 K
C:\WINDOWS\SYSTEM\mmprint2.dll   Fri Oct  8 2004  10:51:30a  ..SHR        312,680   305.35 K
C:\WINDOWS\SYSTEM\niswan32.dll   Fri Oct  8 2004  10:51:30a  ..SHR        312,680   305.35 K
C:\WINDOWS\SYSTEM\wgock32.dll    Fri Oct  8 2004  10:51:30a  ..SHR        312,680   305.35 K
________________________________________________

627 items found:  627 files (6 H/S), 0 directories.
Total of file sizes:  121,955,562 bytes    116.30 M

--------------------End log---------------------

Here's my VX2 Finder log:

Log for VX2.BetterInternet File Finder (ver126)

Files Found---
C:\WINDOWS\SYSTEM\ChMMCTRL.DLL
C:\WINDOWS\SYSTEM\DkKMAINT.DLL
C:\WINDOWS\SYSTEM\MmPRINT2.DLL
C:\WINDOWS\SYSTEM\MxPRINT.DLL
C:\WINDOWS\SYSTEM\NiSWAN32.DLL
C:\WINDOWS\SYSTEM\WgOCK32.DLL


User Agent String---
{01F6C7C1-1918-11D9-B016-00095B1FAD7B}

There you go, hope that helps us out!!!
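A defender-side triage of the logs in this post, added here as an example; it is not code from the thread or from findit, DLLCompare or VX2 Finder. It parses Locate.com-style listing lines and the Strings.exe UMonitor hits, then flags hidden+system DLLs that share one size and one timestamp, the pattern the six files above show. The six DLL lines are copied from the post; the folder.htt line, its attribute letters, and the meaning assigned to the attribute column are constructed assumptions.

```python
import re
from collections import defaultdict

# Sample input: the "Locate.com Results" section of the findit log above.
# The folder.htt line and its attribute letters are CONSTRUCTED for contrast;
# the six .dll lines are copied from the post.
LOCATE_OUTPUT = r"""
C:\WINDOWS\SYSTEM\
   mxprint.dll    Fri Oct  8 2004  10:51:30a  ..SHR        312,680   305.35 K
   dkkmaint.dll   Fri Oct  8 2004  10:51:30a  ..SHR        312,680   305.35 K
   chmmctrl.dll   Fri Oct  8 2004  10:51:30a  ..SHR        312,680   305.35 K
   mmprint2.dll   Fri Oct  8 2004  10:51:30a  ..SHR        312,680   305.35 K
   niswan32.dll   Fri Oct  8 2004  10:51:30a  ..SHR        312,680   305.35 K
   wgock32.dll    Fri Oct  8 2004  10:51:30a  ..SHR        312,680   305.35 K
   folder.htt     Mon Aug 13 2001   1:58:00p  ..SH          12,746    12.45 K
"""

# Sample input: the "Strings.exe Umonitor Results" section of the same log (copied).
STRINGS_OUTPUT = r"""
C:\WINDOWS\SYSTEM\MxPRINT.DLL: rundll32.exe %s,UMonitor %s %s
C:\WINDOWS\SYSTEM\MxPRINT.DLL: UMonitor
C:\WINDOWS\SYSTEM\DkKMAINT.DLL: rundll32.exe %s,UMonitor %s %s
C:\WINDOWS\SYSTEM\ChMMCTRL.DLL: rundll32.exe %s,UMonitor %s %s
C:\WINDOWS\SYSTEM\MmPRINT2.DLL: rundll32.exe %s,UMonitor %s %s
C:\WINDOWS\SYSTEM\NiSWAN32.DLL: rundll32.exe %s,UMonitor %s %s
C:\WINDOWS\SYSTEM\WgOCK32.DLL: rundll32.exe %s,UMonitor %s %s
"""

# One Locate.com listing line: name, date, time, attribute column, byte size.
# ASSUMPTION: the attribute column uses S=system, H=hidden, R=read-only, with
# dots as placeholders for attributes that are not set.
LINE_RE = re.compile(
    r"^\s+(?P<name>\S+)\s+"
    r"(?P<date>[A-Za-z]{3}\s+[A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}(?::\d{2})?[ap])\s+"
    r"(?P<attrs>[.A-Z]+)\s+"
    r"(?P<size>\d{1,3}(?:,\d{3})*)\s"
)

# One Strings.exe hit line: "<path>: <matched string>".
STRINGS_RE = re.compile(r"^(?P<path>[A-Za-z]:\\[^:]+):\s(?P<text>.*)$")


def parse_locate(text):
    """Turn a Locate.com listing into file records with full paths."""
    entries = []
    current_dir = ""
    for line in text.splitlines():
        # Directory headers are unindented and end with a backslash.
        if line and not line[0].isspace() and line.endswith("\\"):
            current_dir = line.strip()
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "path": current_dir + m["name"],
            "attrs": set(m["attrs"].replace(".", "")),
            "size": int(m["size"].replace(",", "")),
            "stamp": " ".join(m["date"].split()) + " " + m["time"],
        })
    return entries


def umonitor_paths(text):
    """Lower-cased paths of files in which Strings.exe found 'UMonitor'."""
    paths = set()
    for line in text.splitlines():
        m = STRINGS_RE.match(line)
        if m and "umonitor" in m["text"].lower():
            paths.add(m["path"].lower())
    return paths


def find_clones(entries, min_group=3):
    """Group hidden+system DLLs by (size, timestamp); keep groups of min_group or more.

    Several differently named DLLs sharing one size and one second-exact
    timestamp, all hidden and system, is the pattern the six files in the log
    share and is unusual for legitimately installed components.
    """
    groups = defaultdict(list)
    for e in entries:
        if e["path"].lower().endswith(".dll") and {"S", "H"} <= e["attrs"]:
            groups[(e["size"], e["stamp"])].append(e)
    return [g for g in groups.values() if len(g) >= min_group]


def triage(locate_text, strings_text, min_group=3):
    """Combine the clone-group and UMonitor-string signals into one flagged list."""
    hits = umonitor_paths(strings_text)
    findings = []
    for group in find_clones(parse_locate(locate_text), min_group):
        for e in group:
            findings.append({
                "path": e["path"],
                "size": e["size"],
                "clones": len(group),
                "umonitor_export": e["path"].lower() in hits,
            })
    return sorted(findings, key=lambda f: f["path"].lower())


if __name__ == "__main__":
    for f in triage(LOCATE_OUTPUT, STRINGS_OUTPUT):
        tag = "UMonitor string" if f["umonitor_export"] else "no UMonitor string"
        print(f"{f['path']}  {f['size']:>9,} bytes  group of {f['clones']}  {tag}")
```

Both signals have to agree before a file is flagged; a lone hidden DLL or a UMonitor hit without a clone group is reported as nothing, which keeps benign files such as the constructed folder.htt out of the list.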

Offline guestolo

I have rundll32 problems....log inside!
« Reply #10 on: January 04, 2005, 11:18:33 PM »
You look like you have an older infection

Run vx2finder9x.exe
Press 'Click to Find VX2.BetterInternet'
Select all the files found
Press 'Delete These Files'

The program will delete all files.

Once deleted:
a. Press 'User Agent$'
b. Press 'Restore Desktop'
c. Press 'Import Reg'

Again Open Ad-Aware and check for updates and perform a full system
scan
Remove all Critical objects

Restart your computer

Once back in Windows post a fresh Hijackthis log
Open VX2 finder and click to find vx2.betterinternet
Make a log and post it back here too, thanks

We should hopefully just have some final cleanup in your Hijackthis log and we should get you that AV on your system and a couple other tools to keep you clean
« Last Edit: January 04, 2005, 11:22:18 PM by guestolo »



jcurrieirocz

  • Guest
I have rundll32 problems....log inside!
« Reply #11 on: January 06, 2005, 05:50:53 PM »
OK.
There's a little problem.... when I pressed Import Reg, a window came up saying "Look2me   Import look2me.reg to repair Quicklaunch toolbar". I hit yes thinking it was something you wanted me to do, but maybe I shouldn't have, because now there are Quick Launch icons on my startup bar (normally where my page or application tabs are) that I don't want there. How do I remove them..... is Look2me junk or what is it??? I've seen that name on my firewall and I blocked it,, should I???

Here are the new logs:
Logfile of HijackThis v1.99.0
Scan saved at 5:29:59 PM, on 1/6/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LABTEC\LABTEC MOUSE SOFTWARE\2.0\MOUSE32A.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-CA\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOCUMENTS\DIAGNOSE PROBLEMS FILES\HIJACKTHIS.EXE

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.pei.sympatico.ca"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [FLMLABTECMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WORKFLOW] D:\WORKFLOW.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusin...nfo/webscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200412...llInstaller.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab



Looks like nothing, I guess???

Log for VX2.BetterInternet File Finder (ver126)

Files Found---


User Agent String---

Offline guestolo

I have rundll32 problems....log inside!
« Reply #12 on: January 06, 2005, 09:39:25 PM »
This line may indicate that you had Norton's AV installed as part of Norton Internet Security Suite
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
Possibly part of Norton's Firewall; did you check out that link to remove NIS?

Do another scan with Hijackthis and put a check next to these entries:

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)

O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O14 - IERESET.INF: START_PAGE_URL=


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

RESTART your computer

I assume if you removed Norton's you may not have any Anti-Virus installed on your computer
If that's the case you may want to install
If you don't have any AV software
I recommend that you go to this link
http://free.grisoft.com/doc/1
Download and Install the free version of AVG 7 Free
After installation, restart if prompted
Allow it to update and run a Full System Scan
Not too safe being without any AV installed

To enhance your privacy and security
You should set up protection against future attacks

You should install these 2 apps., they add extra security while
silently protecting you, without running in the background

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link==Download link
Scroll down and click on IE-SPYAD.EXE Free!


With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

If you could
Post back with a fresh Hijackthis log and one last log from Find.bat<<I know that this may take some time to run, but let's ensure you're clean

Quote: "is look2me junk or what is it"
YES---Junk, junk, junk
Google and see what you find out
The Look2Me infection you have/had does have a way of affecting the desktop
The tool you ran helps to restore it
Try right clicking an empty spot on the bottom taskbar
Left click Toolbars and uncheck Quick Launch



Guest

  • Guest
I have rundll32 problems....log inside!
« Reply #13 on: January 07, 2005, 02:20:27 PM »
OK, great, looks like it all worked! A few quick questions though.

A--My firewall is only showing one application that I have blocked, and it is the 1st one in the list on the screenshot I showed you in a previous post. But there's no traffic through it anymore.
Can you tell me if I should have that application set to allow instead of block?? Or leave it to block??

B--OK, I ran the RAV AV and it found and deleted a "Trojan Horse Backdoor.Agent.4.m".
I also already had SpywareBlaster, so I updated it and ran it along with IE-Spyad after I d/l it like you said. I remember back when I had Norton it told me it could not delete the Trojan virus, so I hope the RAV got rid of it for good.

C--I also did a Google and found this app to remove Look2Me if you wanted to know: http://www.spywareinfo.com/~merijn/files/kill2me.zip
I d/l it and ran it.

D--I'll post you one more log of HijackThis just to make sure I got everything.... oh, I noticed that the start page thing you are getting me to tick off keeps coming back; I wonder what's up with that. I'm going to post it in a min, I've got to reboot....

jcurrieirocz

  • Guest
I have rundll32 problems....log inside!
« Reply #14 on: January 07, 2005, 02:27:06 PM »
Logfile of HijackThis v1.99.0
Scan saved at 2:22:46 PM, on 1/7/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LABTEC\LABTEC MOUSE SOFTWARE\2.0\MOUSE32A.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-CA\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\MY DOCUMENTS\DIAGNOSE PROBLEMS FILES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.pei.sympatico.ca"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [FLMLABTECMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WORKFLOW] D:\WORKFLOW.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusin...nfo/webscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200412...llInstaller.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

Guest

  • Guest
I have rundll32 problems....log inside!
« Reply #15 on: January 10, 2005, 11:50:43 AM »
ttt

Offline guestolo

I have rundll32 problems....log inside!
« Reply #16 on: January 10, 2005, 08:40:06 PM »
Hi again, sorry for the delay in posting back

At Sygate's forums, here is the standard for that entry you are denying access to:


Quote
Should I Allow the win32 kernel core or ntkernel component?

Products:
Sygate® Personal Firewall
Sygate® Personal Firewall Pro


Operating systems:
All supported operating systems.

Details:
As a rule, if you are unsure about any application you should not allow it to access the Internet. Only the applications that you specifically know what they are should be allowed. Under most cases blocking the windows kernel should not create a problem. However, in some rare instances certain Internet Service Providers (ISP) will send you an ICMP message to verify that you are online and blocking this may cause them to turn off the service. If this happens, simply enable ICMP using the Advanced Rule editor.


To do this open Sygate® Personal Firewall and click on the Tools menu and then on Advanced Rules. You may have to click OK on a warning message before entering the Advanced Rule Editor.
Once you are in the Advanced Rule Editor click Add, this will cause a new rule to come up. Give the new rule a name, such as "Allow ICMP", and click on Allow this traffic option.
Then click on the Ports and Protocols tab and select the ICMP option. Enable Echo Reply - 0 and Echo Request - 8.
Then click OK to add in that rule, and then click OK to exit the Advanced Rule Editor.

Keywords:
ICMP, win32Kernel, allow, block

I would have liked to have seen the RAV report that you get at the end of the scan

But we should try something else to ensure that you're clean
This is a great Trojan Scanner

Could you Download and Install the Trial version of Trojan Hunter from this link>>It's good for 30 days
http://www.trojanhunter.com/trojanhunter.jsp

After you have it installed it is Important to manually update to the Latest Ruleset
You can find the download from here
http://www.trojanhunter.com/trojanhunter/updating/
Simply save the Zipped file to your desktop and UNZIP it to your Trojan Hunter folder>>Allow to overwrite if prompted
The default install location of Trojan Hunter should be
C:\PROGRAM FILES\Trojan Hunter

After you have updated run a full scan on your hard drive
Let me know if it finds anything
And the location of any bad files if found

Hold onto Trojan Hunter for the full 30 days, before it expires it wouldn't hurt to manually update and run another scan
When uninstalling, simply disable TrojanGuard from running if you have it enabled
and then Uninstall it

Could you post back a fresh hijackthis log afterwards also and one more log from findit.bat
Thanks



Guest

  • Guest
I have rundll32 problems....log inside!
« Reply #17 on: January 11, 2005, 01:34:03 PM »
OK, like it said, I made a new rule for allowing ICMP cause I think that's what was happening.

OK, so RAV: I can't seem to figure out how to post a log from it here, but it looks OK anyhow. I did a 1st test on the 7th and it found the Trojan and deleted it; then I did another complete scan that same day and it found nothing. And today I did another updated complete scan and nothing was found again.

I d/led and updated Trojan Hunter and ran it and it found nothing also today. Here's the log:
-----------------------------------------------------
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Error: Directory not found: D:\
No trojan files found
-----------------------------------------------------
Here's a new findit log:
Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.
 
 ------- System Files in System Directory -------
 

 Volume in drive C has no label
 Volume Serial Number is 1E42-14E9
 Directory of C:\WINDOWS\SYSTEM

                         5,447.13 MB free
 
 ------- Hidden Files in System Directory -------
 

 Volume in drive C has no label
 Volume Serial Number is 1E42-14E9
 Directory of C:\WINDOWS\SYSTEM

FOLDER   HTT        12,746  08-13-01  1:58p folder.htt
DESKTOP  INI           266  08-13-01  1:58p desktop.ini
         2 file(s)         13,012 bytes
         0 dir(s)        5,447.11 MB free
 
 ---------------- User Agent ------------
 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 
 ------------------ Locate.com Results ------------------

No matches found.
 
 ------------ Strings.exe Qoologic Results ------------
 
 
 -------------- Strings.exe Aspack Results -------------
 
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\SYSTEM\lame_enc.dll: .aspack
C:\WINDOWS\SYSTEM\NCTAudioFile.dll: .aspack
C:\WINDOWS\SYSTEM\NCTAudioInformation2.dll: .aspack
C:\WINDOWS\SYSTEM\NCTAudioPlayer.dll: .aspack
C:\WINDOWS\SYSTEM\NCTWMAFile.dll: .aspack
 
 ----------------- HKLM Run Key ------------------
 
 -------------- Strings.exe Umonitor Results -------------
 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"RegShave"="C:\\Progra~1\\REGSHAVE\\REGSHAVE.EXE /autorun"
"FLMLABTECMOUSE"="C:\\Program Files\\Labtec\\Labtec Mouse Software\\2.0\\mouse32a.exe"
"WinampAgent"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"WORKFLOW"="D:\\WORKFLOW.EXE"
"SmcService"="C:\\PROGRA~1\\SYGATE\\SPF\\SMC.EXE -startgui"
"msnappau"="\"c:\\program files\\MSN Apps\\Updater\\01.02.3000.1001\\en-ca\\msnappau.exe\""
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"KodakCCS"="C:\\WINDOWS\\System32\\Drivers\\KodakCCS.exe"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGEMC.EXE"
"AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"
"CreateCD"="C:\\PROGRA~1\\ADAPTEC\\EASYCD~1\\CREATECD\\CREATECD.EXE -r"
"THGuard"="\"C:\\PROGRAM FILES\\TROJANHUNTER 4.1\\THGUARD.EXE\""
-------------------------------------------------------------------------
Here's a new hijack log:

Logfile of HijackThis v1.99.0
Scan saved at 1:22:54 PM, on 1/11/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LABTEC\LABTEC MOUSE SOFTWARE\2.0\MOUSE32A.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-CA\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.1\THGUARD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\DIAGNOSE PROBLEMS FILES\HIJACKTHIS.EXE

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.pei.sympatico.ca"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-CA\MSNTB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [FLMLABTECMOUSE] C:\Program Files\Labtec\Labtec Mouse Software\2.0\mouse32a.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WORKFLOW] D:\WORKFLOW.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.1\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusin...nfo/webscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200412...llInstaller.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

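The "Strings.exe Aspack Results" block in the findit log above is a plain text search: it flags any file that contains the strings "ASPack x.y" or ".aspack". That is why vsapi32.dll matches a dozen ASPack version strings at once, which a file packed with one version of ASPack would not do; strings like that are data inside the file, not evidence that it is packed. The ".aspack" hits on lame_enc.dll and the NCT audio DLLs, by contrast, are the name ASPack gives to a section it adds. As an added example, not part of the original thread and not the findit tool's own code, the following Python reads the PE section table and reports sections named by known packers, beside the naive string match, so the two cases can be told apart. The packer-section list and the two in-memory PE buffers are constructed for illustration.

```python
"""Packer check by PE section name versus a plain string search.

Added example, not code from the original forum thread or the findit tool.
"""
from __future__ import annotations

import struct

# Section names written by common packers (assumption: illustrative, not exhaustive).
PACKER_SECTION_NAMES = {
    b".aspack": "ASPack",
    b".adata": "ASPack",
    b"UPX0": "UPX",
    b"UPX1": "UPX",
    b".petite": "Petite",
}

# What the findit log's Strings.exe pass is effectively looking for.
ASPACK_STRINGS = (b"ASPack", b".aspack")


def pe_section_names(data: bytes) -> list[bytes]:
    """Return the section names of a PE image held in memory.

    Raises ValueError on a missing MZ/PE signature or a truncated header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_hdr_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_hdr_size
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes, name first
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def packer_hits(data: bytes) -> list[str]:
    """Packers whose section names appear in the section table (deduplicated)."""
    hits: list[str] = []
    for name in pe_section_names(data):
        packer = PACKER_SECTION_NAMES.get(name)
        if packer and packer not in hits:
            hits.append(packer)
    return hits


def strings_hit(data: bytes) -> bool:
    """The naive check: does the file merely contain an ASPack string anywhere?"""
    return any(s in data for s in ASPACK_STRINGS)


def build_minimal_pe(section_names: list[bytes]) -> bytes:
    """Constructed test input: just enough PE32 header for the parser above."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    sects = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sects


# Constructed samples: a DLL that carries ASPack version strings as data
# (the vsapi32.dll pattern) and one whose section table shows ASPack sections.
SIGNATURE_DB_SAMPLE = build_minimal_pe([b".text", b".data"]) + \
    b"ASPack 1.08.04\0ASPack 1.08.03\0ASPack 1.07b\0"
PACKED_SAMPLE = build_minimal_pe([b".text", b".aspack", b".adata"])


def classify(data: bytes) -> dict:
    """Both verdicts side by side, so a strings-only false positive is visible."""
    return {"strings_hit": strings_hit(data), "packers": packer_hits(data)}


if __name__ == "__main__":
    print("signature-db sample:", classify(SIGNATURE_DB_SAMPLE))
    print("packed sample:      ", classify(PACKED_SAMPLE))
```

Run against a real file with `classify(open(path, "rb").read())`. A file where `strings_hit` is true but `packers` is empty is the vsapi32.dll situation, and a file with a packer section is merely packed, which the findit warning already notes is also true of plenty of legitimate software; neither result alone identifies malware.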
jcurrieirocz

  • Guest
I have rundll32 problems....log inside!
« Reply #18 on: January 12, 2005, 12:15:18 PM »
ttt

jcurrieirocz

  • Guest
I have rundll32 problems....log inside!
« Reply #19 on: January 15, 2005, 03:50:06 PM »
guestolo: oh, if you didn't know, all the guests in this thread are me; I forgot to put my name in. So how is my comp looking now?