« previous next »
Pages: [1]

Author Topic: EnhanceMySearch, please help!  (Read 1993 times)

Guest_Alex

  • Guest
EnhanceMySearch, please help!
« on: January 03, 2005, 06:20:48 PM »
I tried to fix this on my own, I really did.  This EnhanceMySearch simply the product of EVIL.  I just ran adaware, CWShredder, and Spybot, rebooted and ran HiJack This.  But interpreting all this stuff is just over my head.  Please help me and tell me what to fix.  Here's my log:

Logfile of HijackThis v1.99.0
Scan saved at 2:17:06 PM, on 1/3/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\drmman.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rshshlex.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\huifpy.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\2apv9.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alex\Desktop\HiJack This\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (file missing)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SDWin32 Class - {359AD71A-34F2-4E4E-8132-9F2489191487} - C:\WINDOWS\System32\hqlpd.dll
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\79p7756.dll
O2 - BHO: SDWin32 Class - {B3DC649D-A606-4D08-BBB5-28CA686B4B82} - C:\WINDOWS\System32\blwvr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (file missing)
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [blwvrc] C:\WINDOWS\System32\blwvrc.exe
O4 - HKLM\..\Run: [hqlpdc] C:\WINDOWS\System32\hqlpdc.exe
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\Run: [v38X36X] drmman.exe
O4 - HKLM\..\RunOnce: [635k0x.exe] C:\WINDOWS\System32\635k0x.exe /k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [e0r7RWb3R] rshshlex.exe
O4 - HKCU\..\RunOnce: [635k0x.exe] C:\WINDOWS\System32\635k0x.exe /k
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.com/78/html/gtdownlr.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/090eb81e247dd8...ip/RdxIE601.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
EnhanceMySearch, please help!
« Reply #1 on: January 03, 2005, 07:10:41 PM »
Download and Unzip to a folder
Adtomi Cleanup.zip

Another great utility to help clean your temp folders,cookies, prefetch folder, etc...
Windows CleanUp!
A small download, once it's installed
Don't run a scan yet

Don't confuse the 2 above

Print the rest of this out or save to a notepad file, I need you to Restart into safe mode in the near future, you may want to know how to start in safe mode by checking out the link I supplied earlier if your unsure how


Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Access your Add/Remove Programs and Remove if found

CPR

NEXT:If you have a Yahoo Stock Ticker bar---RightClick on the Yahoo Stock Ticker task bar icon, if present and choose remove - while being online!
A web page from Adtomi will appear : "-uninstall was succesful!"

Don't restart your computer yet


Instead, Open up your Task manager(Right click the bottom task bar and select Task Manager)
Under the Processes tab end process on these
drmman.exe
2apv9.exe
rshshlex.exe
huifpy.exe

Open Adtomi Cleanup that you unzipped earlier and
Double Click Cleanup.bat
NOTE: Do not Touch the VBS files. The bat file will run the scripts all by itself
Please let this run, even if your AV prompts you

Do another scan with Hijackthis and put a check next to these entries:

O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (file missing)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll

O2 - BHO: SDWin32 Class - {359AD71A-34F2-4E4E-8132-9F2489191487} - C:\WINDOWS\System32\hqlpd.dll
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\79p7756.dll
O2 - BHO: SDWin32 Class - {B3DC649D-A606-4D08-BBB5-28CA686B4B82} - C:\WINDOWS\System32\blwvr.dll

O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (file missing)
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)

O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [blwvrc] C:\WINDOWS\System32\blwvrc.exe
O4 - HKLM\..\Run: [hqlpdc] C:\WINDOWS\System32\hqlpdc.exe
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\Run: [v38X36X] drmman.exe
O4 - HKLM\..\RunOnce: [635k0x.exe] C:\WINDOWS\System32\635k0x.exe /k

O4 - HKCU\..\Run: [e0r7RWb3R] rshshlex.exe
O4 - HKCU\..\RunOnce: [635k0x.exe] C:\WINDOWS\System32\635k0x.exe /k

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/090eb81e247dd8...ip/RdxIE601.cab

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Restart your computer into SAFE MODE

Find and delete these files or folders if they exist
C:\WINDOWS\BTGrab.dll <-file
C:\WINDOWS\Helper101.dll
C:\WINDOWS\System32\hqlpd.dll
C:\WINDOWS\system32\79p7756.dll
C:\WINDOWS\System32\blwvr.dll
C:\WINDOWS\System32\blwvrc.exe
C:\WINDOWS\System32\hqlpdc.exe
C:\WINDOWS\ARUpdate.exe
C:\WINDOWS\System32\drmman.exe
C:\WINDOWS\System32\635k0x.exe
C:\WINDOWS\System32\rshshlex.exe

C:\Program Files\CSBB <--folder
C:\Program Files\MySearch <--folder

Open CleanUp! and click the CleanUp button, Let it finish scanning for files
When it's done it will prompt you to log off and on again
At this time Restart back into Normal mode

Post back with a fresh hijackthis log afterwards
Do as much as you can above before posting back, thanks
« Last Edit: January 03, 2005, 07:12:33 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

AlexBPM

  • Guest
EnhanceMySearch, please help!
« Reply #2 on: January 04, 2005, 03:58:52 AM »
Ok, that was fun.  Here's what it looks like now:
Thanks again!

Logfile of HijackThis v1.99.0
Scan saved at 11:51:45 PM, on 1/3/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wigqoy.exe
C:\Documents and Settings\Alex\Desktop\HiJack This\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [ejeijovef] C:\WINDOWS\System32\xbwwedm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.com/78/html/gtdownlr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
EnhanceMySearch, please help!
« Reply #3 on: January 04, 2005, 01:33:07 PM »
Still some work to do

Access your Add/Remove Programs and remove if found
any of the below
WinUpdates
WebSearch Toolbar
WebSearch Tools
Search Assistant
Win-Tools Easy Installer

# Do not reboot until they have all been removed even if prompted.

# When you are uninstalling the last program you can then reboot when prompted.


In SAFE MODE find and delete the following files or folders if they exist
C:\WINDOWS\System32\wigqoy.exe <--file
C:\WINDOWS\wupdt.exe
C:\WINDOWS\System32\xbwwedm.exe
 C:\WINDOWS\ZServ.dll
C:\WINDOWS\systb.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\huifpy.exe

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [ejeijovef] C:\WINDOWS\System32\xbwwedm.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

RESTART back to Normal mode
Post another hijackthis log
Please don't post a hijackthis log from safe mode, I need to see one in Normal Mode

+Open Spybot>>Click on HELP>>ABOUT
Let me know Spybot version and Latest detection update

+Open Ad-Aware>>Click On DETAILS
Let me know Reference No. and Internal build
« Last Edit: January 04, 2005, 02:17:07 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Guest

  • Guest
EnhanceMySearch, please help!
« Reply #4 on: January 04, 2005, 06:40:54 PM »
When I went attempted to remove MySearch from Add/Remove Programs, I get a prompt that reads:

"Error Loading C:\PROGRA~1\MySearch\bar\1.bin\s4bar.dll
The Specified Module could not be found"

Also, when I reboot in safe mode and attempted to delete C:\WINDOWS\System32\wigqoy.exe <--file, I get a prompt that reads:

"Cannot delete wigqoy: Access is denied.
Make sure the disk is not full or write-protected and that the file is not currently in use."

Besides that, I was able to do everything else.  Here's my new log:


Logfile of HijackThis v1.99.0
Scan saved at 2:34:22 PM, on 1/4/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wigqoy.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Alex\Desktop\HiJack This\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.com/78/html/gtdownlr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
EnhanceMySearch, please help!
« Reply #5 on: January 04, 2005, 06:48:18 PM »
That file may have been running even in safe mode
Should of checked in the task manager and shut it down first, sorry
Usually malware won't be running in safe mode

Try this
Open Hijackthis>>Open Misc Tools Section>>Open Process Manager
Kill this process
C:\WINDOWS\System32\wigqoy.exe

Back in the Misc Tools section click the Delete file On Reboot
Copy and paste the bolded text into the FILE NAME field
C:\WINDOWS\System32\wigqoy.exe

Click OPEN
Allow the computer to Reboot

Post back a new hijackthis log and please let me know that info I asked you about
For Spybot and Ad-Aware
Then we can worry about the MySearch removal problem
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Guest

  • Guest
EnhanceMySearch, please help!
« Reply #6 on: January 05, 2005, 05:13:43 PM »
I'm running Search and Destroy 1.3, Latest Detection Update 2004-12-17

Adaware Reference Number: SE1R24 29.12.2004
Internal Build: 29

And my new log:

Logfile of HijackThis v1.99.0
Scan saved at 1:09:02 PM, on 1/5/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\huifpy.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alex\Desktop\HiJack This\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.com/78/html/gtdownlr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
EnhanceMySearch, please help!
« Reply #7 on: January 05, 2005, 09:48:30 PM »
Hi again Alex, you don't show all signs of the newer VX2 infection, but you do show signs of Narrator Trojan

Can I please get you to do a few things for me please

Do as much of this as you can and then post back, thanks

Download Findit.zip

UNZIP its contents to its own folder
Open the folder and double click on Find.bat (File with a gear symbol)
Ignore any File not found messages
It runs for a minute or longer,give it time,  and produces a log
Please copy and paste the log on your next response.

Could you also download Runkey.zip

Unzip it and then doubleclick on RunKey2.bat. It will produce a All.txt file. Please copy and paste that here.


Could you search in your
system32folder  for *.dat
Simply use XP's search feature and add *.dat to the All or part of the file name
Use the Browse selection and navigate to C:\WINDOWS\system32 folder and select it

When you get the list, find one recently created. Right click on it, open in Notepad and look for this in the first line of the file:
This program cannot be run in DOS mode.
Post back the name of the file if you find it

Could you also Open Hijackthis and click on the Misc Tools Section
Put a check in "List also Minor sections (full)
Click the "Generate Starup list"
Post the Startup list back here
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Guest

  • Guest
EnhanceMySearch, please help!
« Reply #8 on: January 06, 2005, 05:26:04 AM »
Here are the 3 logs you requested.  I also did a search and found the name of the file that contains the text "This program cannot be run in DOS"...it is "pakgyq.dat"

FindIt Log:

Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is 6420-1147

 Directory of C:\WINDOWS\System32

01/02/2005  04:19 AM    <DIR>          dllcache
12/22/2004  01:14 AM           235,728 2apv9.exe
12/21/2004  08:41 PM           141,713 7jz.exe
12/21/2004  08:37 PM           313,984 27vc.sys
11/18/2004  11:34 PM    <DIR>          Microsoft
               3 File(s)        691,425 bytes
               2 Dir(s)  75,940,909,056 bytes free

 ------- Hidden Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is 6420-1147

 Directory of C:\WINDOWS\System32

01/03/2005  03:49 AM    <DIR>          vmss
01/02/2005  04:19 AM    <DIR>          dllcache
12/22/2004  01:14 AM           235,728 2apv9.exe
12/21/2004  08:41 PM           141,713 7jz.exe
12/21/2004  08:37 PM           313,984 27vc.sys
11/06/2004  01:36 PM               488 logonui.exe.manifest
11/06/2004  01:36 PM               488 WindowsLogon.manifest
11/06/2004  01:36 PM               749 sapi.cpl.manifest
11/06/2004  01:36 PM               749 cdplayer.exe.manifest
11/06/2004  01:36 PM               749 nwc.cpl.manifest
11/06/2004  01:36 PM               749 ncpa.cpl.manifest
11/06/2004  01:36 PM               749 wuaucpl.cpl.manifest
              10 File(s)        696,146 bytes
               2 Dir(s)  75,940,900,864 bytes free

 ---------- Files Named "Guard" -------------

 Volume in drive C has no label.
 Volume Serial Number is 6420-1147

 Directory of C:\WINDOWS\System32


 --------- Temp Files in System32 Directory --------

 Volume in drive C has no label.
 Volume Serial Number is 6420-1147

 Directory of C:\WINDOWS\System32

07/29/2002  12:59 AM            73,728 cnm115.tmp
08/23/2001  04:00 AM             2,577 CONFIG.TMP
               2 File(s)         76,305 bytes
               0 Dir(s)  75,940,900,864 bytes free

 ---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


 ------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


 ---------------- Xfind Results -----------------


 -------------- Locate.com Results ---------------


C:\WINDOWS\SYSTEM32\
   27vc.sys       Tue Dec 21 2004   8:37:42p  ..SHR        313,984   306.63 K
   2apv9.exe      Wed Dec 22 2004   1:15:00a  ..SHR        235,728   230.20 K
   7jz.exe        Tue Dec 21 2004   8:41:22p  ..SHR        141,713   138.39 K

3 items found:  3 files, 0 directories.
   Total of file sizes:  691,425 bytes    675.22 K





Runkey Log:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"WINDVDPatch"="CTHELPER.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"Jet Detection"="\"C:\\Program Files\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe\""
"Narrator"="C:\\WINDOWS\\System32\\wigqoy.exe"

REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fnxskg]
@="{2ec88e55-f5ba-41bf-b44a-9840a4278ccf}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
@="Start Menu Pin"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\fnxskg]
@="{2ec88e55-f5ba-41bf-b44a-9840a4278ccf}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
@="Start Menu Pin"





HiJack Startup list log:

StartupList report, 1/6/2005, 1:20:56 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Alex\Desktop\HiJack This\HijackThis.EXE
Detected: Windows XP  (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\huifpy.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alex\Desktop\HiJack This\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
AOLDialer = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
WINDVDPatch = CTHELPER.EXE
UpdReg = C:\WINDOWS\UpdReg.EXE
Jet Detection = "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[3dc77efe-1c12-4b9f-a647-74a52033931f]
StubPath = C:\WINDOWS\System32\hzaxmp.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Download Program Files:

[GTDownloaderCtrl Class]
InProcServer32 = C:\WINDOWS\System32\gtdownlr_88.ocx
CODEBASE = http://inst.c-wss.com/78/html/gtdownlr.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

[AvxScanOnline Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\BITDEF~1.OCX
CODEBASE = http://www.bitdefender.com/scan/Msie/bitdefender.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/get/shock...ash/swflash.cab

[iTunesDetector Class]
InProcServer32 = C:\Program Files\iTunes\ITDetector.ocx
CODEBASE = http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
AOL Connectivity Service: C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 10,155 bytes
Report generated in 0.438 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
EnhanceMySearch, please help!
« Reply #9 on: January 06, 2005, 09:06:27 PM »
Sorry for the delay, let's see if we can clean you up

If you see Delphin Viewer in your Add/Remove Programs can you Remove it

Can you now, save this to a Notepad file on your desktop and then Disconnect from the Internet, close out all browsers and follow these instructions after you have Downloaded Killbox

Next:
1. Download the Pocket Killbox
2.Unzip the contents of KillBox.zip to a convenient location.
3.Double-click on KillBox.exe.
4.Click "Replace on Reboot" and check the "Use Dummy" box.
5.Paste this file into the top "Full Path of File to Delete" box.

   C:\WINDOWS\System32\pakgyq.dat

6.Click the "Delete File" button which looks like a stop sign.
7.Click "Yes" at the Replace on Reboot prompt.
8.Click "No" at the Pending Operations prompt.
# Repeat steps 4-8 above for these files

C:\WINDOWS\System32\wigqoy.exe

     C:\WINDOWS\System32\hzaxmp.exe
   

# Click "Replace on Reboot" and check the "Use Dummy" box.
# Paste this file into the top "Full Path of File to Delete" box.

  C:\Documents and Settings\All Users\Start Menu\Programs\Startup\huifpy.exe

# Click the "Delete File" button which looks like a stop sign.
# Click "Yes" at the Replace on Reboot prompt.
# Click "Yes" at the Pending Operations prompt to restart your computer.

Once back in windows

Can you Navigate to this folder and let me know anything you can find on it
C:\WINDOWS\System32\vmss <--folder, may be related to Delphin Viewer
A Nasty

Can you also navigate to these files and let me know what they are related too
right click on them, left click properties--version tab if found
Or run them through this online malware scanner and post back the scanner results
Give the link time to load if busy
http://virusscan.jotti.dhs.org/
Simply use the browse button and then Navigate to each file, right click on the file, choose Select---Then click the Submit button
Wait for the scan results
One may be legit
C:\WINDOWS\System32\2apv9.exe <--file
C:\WINDOWS\System32\7jz.exe <--file
C:\WINDOWS\System32\27vc.sys <--file

I also don't see any Anti-Virus on your computer
Could you at this time, install any that you have and run a Full System Scan
If you don't have any AV software
I recommend that you go to this link
http://free.grisoft.com/doc/1
Download and Install the free version of AVG 7 Free
After installation, restart if prompted
Allow it to update and run a Full System Scan

Post back with a fresh Hijackthis log and one last log from Find.bat
We will still have some leftovers to clean out
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Guest_Alex

  • Guest
EnhanceMySearch, please help!
« Reply #10 on: January 09, 2005, 02:21:15 AM »
I followed your directions but I think I may have done something incorrectly.  After attempting to delete C:\Documents and Settings\All Users\Start Menu\Programs\Startup\huifpy.exe with Killbox, I get a Black window (Dos?) that stays on my desktop after reboot with a bunch of funny looking text followed by consecutive beeps from my PC.  The window reads C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\huifpy.exe.  

All the files you asked me to check with Jotti's Malware scan were bad.  Here are the results followed by a new HiJack log and Find It log.  I also ran a virusscan with AVG free and it found a few trojans.  


   
Service load:  0%        100%  
 
File:  2apv9.exe  
Status:  INFECTED/MALWARE  
Packers detected:  None
   
AntiVir  No viruses found (0.28 seconds taken)
Avast  No viruses found (1.51 seconds taken)
BitDefender  Trojan.Delf.CF (0.32 seconds taken)
ClamAV  No viruses found (0.38 seconds taken)
Dr.Web  Trojan.DownLoader.1209 (0.69 seconds taken)
F-Prot Antivirus  No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus  Trojan.Win32.Delf.cf (1.33 seconds taken)
mks_vir  No viruses found (0.42 seconds taken)
NOD32  No viruses found (1.40 seconds taken)
Norman Virus Control  No viruses found (2.60 seconds taken)

Service load:  0%        100%  
 
File:  7jz.exe  
Status:  INFECTED/MALWARE  
Packers detected:  None
   
AntiVir  No viruses found (0.15 seconds taken)
Avast  No viruses found (1.51 seconds taken)
BitDefender  Trojan.Delf.CF (0.35 seconds taken)
ClamAV  Trojan.Delf-11 (0.36 seconds taken)
Dr.Web  not a virus Adware.Adtomi (0.53 seconds taken)
F-Prot Antivirus  No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus  Trojan.Win32.Delf.cf (0.67 seconds taken)
mks_vir  No viruses found (0.23 seconds taken)
NOD32  Win32/Delf.NAD (0.37 seconds taken)
Norman Virus Control  No viruses found (0.65 seconds taken)


Service load:  0%        100%  
 
File:  27vc.sys  
Status:  INFECTED/MALWARE  
Packers detected:  PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
   
AntiVir  No viruses found (0.47 seconds taken)
Avast  No viruses found (3.01 seconds taken)
BitDefender  Trojan.Delf.CF (0.31 seconds taken)
ClamAV  No viruses found (0.38 seconds taken)
Dr.Web  Trojan.DownLoader.1317 (0.50 seconds taken)
F-Prot Antivirus  No viruses found (0.05 seconds taken)
Kaspersky Anti-Virus  Trojan.Win32.Delf.cf (1.10 seconds taken)
mks_vir  No viruses found (0.21 seconds taken)
NOD32  No viruses found (0.65 seconds taken)
Norman Virus Control  No viruses found (4.63 seconds taken)


Logfile of HijackThis v1.99.0
Scan saved at 10:14:59 PM, on 1/8/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Alex\Desktop\HiJack This\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\System32\wigqoy.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: huifpy.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.com/78/html/gtdownlr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Find It Log:
Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is 6420-1147

 Directory of C:\WINDOWS\System32

01/02/2005  04:19 AM    <DIR>          dllcache
12/22/2004  01:14 AM           235,728 2apv9.exe
12/21/2004  08:41 PM           141,713 7jz.exe
12/21/2004  08:37 PM           313,984 27vc.sys
11/18/2004  11:34 PM    <DIR>          Microsoft
               3 File(s)        691,425 bytes
               2 Dir(s)  75,725,852,672 bytes free

 ------- Hidden Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is 6420-1147

 Directory of C:\WINDOWS\System32

01/03/2005  03:49 AM    <DIR>          vmss
01/02/2005  04:19 AM    <DIR>          dllcache
12/22/2004  01:14 AM           235,728 2apv9.exe
12/21/2004  08:41 PM           141,713 7jz.exe
12/21/2004  08:37 PM           313,984 27vc.sys
11/06/2004  01:36 PM               488 logonui.exe.manifest
11/06/2004  01:36 PM               488 WindowsLogon.manifest
11/06/2004  01:36 PM               749 sapi.cpl.manifest
11/06/2004  01:36 PM               749 cdplayer.exe.manifest
11/06/2004  01:36 PM               749 nwc.cpl.manifest
11/06/2004  01:36 PM               749 ncpa.cpl.manifest
11/06/2004  01:36 PM               749 wuaucpl.cpl.manifest
              10 File(s)        696,146 bytes
               2 Dir(s)  75,725,848,576 bytes free

 ---------- Files Named "Guard" -------------

 Volume in drive C has no label.
 Volume Serial Number is 6420-1147

 Directory of C:\WINDOWS\System32


 --------- Temp Files in System32 Directory --------

 Volume in drive C has no label.
 Volume Serial Number is 6420-1147

 Directory of C:\WINDOWS\System32

07/29/2002  12:59 AM            73,728 cnm115.tmp
08/23/2001  04:00 AM             2,577 CONFIG.TMP
               2 File(s)         76,305 bytes
               0 Dir(s)  75,725,848,576 bytes free

 ---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


 ------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


 ---------------- Xfind Results -----------------


 -------------- Locate.com Results ---------------


C:\WINDOWS\SYSTEM32\
   27vc.sys       Tue Dec 21 2004   8:37:42p  ..SHR        313,984   306.63 K
   2apv9.exe      Wed Dec 22 2004   1:15:00a  ..SHR        235,728   230.20 K
   7jz.exe        Tue Dec 21 2004   8:41:22p  ..SHR        141,713   138.39 K

3 items found:  3 files, 0 directories.
   Total of file sizes:  691,425 bytes    675.22 K

Logged

Guest

  • Guest
EnhanceMySearch, please help!
« Reply #11 on: January 09, 2005, 02:23:11 AM »
Also, the C:\WINDOWS\System32\vmss file you asked me to navigate to was empty.  Thanks again
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
EnhanceMySearch, please help!
« Reply #12 on: January 09, 2005, 02:28:20 AM »
Can you verify for me that this file is gone and then we'll try to do some final cleanup

It's like we have the mouse in the trap, just have to go in for the kill

Sorry>>This file pakgyq.dat
« Last Edit: January 09, 2005, 02:29:02 AM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
EnhanceMySearch, please help!
« Reply #13 on: January 09, 2005, 02:53:37 AM »
Quote
I followed your directions but I think I may have done something incorrectly
No, you did everything right, I should of warned you about that
I should of had you remove the entries I'm recommending below with hijackthis as soon as you restarted
but many users are unsure what to look for
They don't appear in hijackthis until we had you do the previous instructions


Let's try and kill this thing off
pakgyq.dat is probably gone
Please print this off or save it to a notepad file on the desktop for easy access

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\System32\wigqoy.exe

O4 - Global Startup: huifpy.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

Double-click on KillBox.exe.
1.Click "Replace on Reboot" and check the "Use Dummy" box.
2.Paste this file into the top "Full Path of File to Delete" box.

   C:\WINDOWS\System32\2apv9.exe

3.Click the "Delete File" button which looks like a stop sign.
4.Click "Yes" at the Replace on Reboot prompt.
5.Click "No" at the Pending Operations prompt.
# Repeat steps 1-5 above for this file

C:\WINDOWS\System32\7jz.exe
   

# Click "Replace on Reboot" and check the "Use Dummy" box.
# Paste this file into the top "Full Path of File to Delete" box.

  C:\WINDOWS\System32\27vc.sys

# Click the "Delete File" button which looks like a stop sign.
# Click "Yes" at the Replace on Reboot prompt.
# Click "Yes" at the Pending Operations prompt to restart your computer.

Once back in windows
Delete this folder
C:\WINDOWS\System32\vmss <--folder

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as search.reg
This will restore your default searchhook

Save this file on the desktop
 
Quote
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

Double click on search.reg and Allow it to merge to the registry


Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
This will clean entries in the registry set by the Narrator trojan

Save this file on the desktop
 
Quote
REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\3dc77efe-1c12-4b9f-a647-74a52033931f][-HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\3dc77efe-1c12-4b9f-a647-74a52033931f]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\fnxskg]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2ec88e55-f5ba-41bf-b44a-9840a4278ccf}]

Double click on fix.reg and Allow it to merge to the registry


Restart your computer again and post back one more hijackthis log and let me know how things are running
« Last Edit: January 09, 2005, 03:42:46 AM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Guest

  • Guest
EnhanceMySearch, please help!
« Reply #14 on: January 13, 2005, 06:38:44 AM »
Things have been running very slow the last few days, some webpages I frequently visit wouldn't even load.  But everything seems normal know since I followed your most recent directions.  Let me know how I'm looking.  Here's the new HiJack log.  Your help has been invalualbe, thanks!

Logfile of HijackThis v1.99.0
Scan saved at 2:33:15 AM, on 1/13/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Alex\Desktop\HiJack This\HijackThis.exe

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.com/78/html/gtdownlr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
EnhanceMySearch, please help!
« Reply #15 on: January 13, 2005, 08:47:31 PM »
Good Work Alex

You have a couple optionals you can fix with Hijackthis, up to you, not threats,but not needed on startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

If you choose to fix the above with Hijackthis
Enter your task manager and End process on the above

Here's some info

qttask.exe= System Tray Icon for Quick time
Not needed on startup and uses some resources, can be started manually
If you opt to fix, end process on it, access Quick Times preferences beforehand and disable on startup
Then fix with Hijackthis

realsched.exe= Real Player's updater, definitely not needed on startup
If you opt to fix, end process on it, navigate to
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Beforehand
Right click on, and then Rename realsched.exe>>>realsched.old
This will ensure it won't startup and RealPlayer works fine without it
and then fix with Hijackthis

UpdReg.EXE=Registration reminder for Creative Labs products
Just need to fix with Hijackthis

The above are optional but take up resources and may increase startup times

Enough about the optionals, here's what you should do now that your clean

If everything is running smooth now you should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point

Here's a link, just in case your unsure how to
http://vil.nai.com/vil/SystemHelpDocs/Disa...eSysRestore.htm

You should set up extra protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link==Download link
Scroll down and click on IE-SPYAD.EXE Free! or IE-SPYAD2.EXE Free!

Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection(All users) on your computer
You only need one or the other

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Hold onto Windows CleanUp! and clean those temp folders every couple of weeks
You can check the options and disable cleaning the Prefetch folder
Do that every couple of months or so........

Your way behind on Windows Updates>>This is important to keeping your system secure
If you have a legitimate copy of Windows there's no reason to be so far behind
If your not ready to Install Service Pack 2
Which would include some of the above, which we already did
Clean Spyware, malware and viruses>>done
Check for updates to all third party programs
Ensure you have the latest drivers

At minimum you should install Service Pack 1a
http://www.microsoft.com/windowsxp/downloa...p1/default.mspx
After installation, reboot when prompted and return to Windows updates and get all Latest Critical Updates
Don't install recommended updates or SP2 until your ready
SP2 is a harmless installation if your prepared

Take care Alex
 http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />
« Last Edit: January 13, 2005, 10:05:36 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Pages: [1]
« previous next »