Topic: Delf.AEO, Browsela.dll MAJOR problem

Filth

Delf.AEO, Browsela.dll MAJOR problem
« on: January 14, 2006, 06:50:25 AM »
Hey, I'm having a huge problem with an apparent Downloader.Delf.AEO trojan after I was infected with SpySheriff (at least that's where I think the problem originated). Now I have tried to get rid of this thing myself and with the help of a fellow tech, but we cannot seem to find any solution.

I think I have tried all of the traditional solutions/software (ewido, Spy Doctor, Ad-Aware, win32delfkil, l2mfix, v2xfind, through DOS, editing the registry, HijackThis, Clean Me, etc., etc.). I EVEN repaired my entire Windows installation to no avail.

After reading countless posts from people with a seemingly similar infection, it would seem as if win32delfkil would do the trick for me, but it hasn't and I don't know why. I've tried running it in normal boot mode, safe mode, restarting my machine after running it normally, and by manually cutting the power to my computer, and still nothing. Is it possible that I have a newer version that this program cannot kill? Also, when I ran it, my log only has the details from before I ran win32delfkil, no mention of anything after the fact. I cannot figure out why.

So, I'm at my wits' end and I really don't want to delete the partition I have my OS on, as it will wreak havoc on my already installed programs. Now I turn to anyone who thinks they can help! I thank you in advance!

Here are my logs:

HJT

Logfile of HijackThis v1.99.1
Scan saved at 6:46:38 AM, on 1/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\S24EvMon.exe
E:\WINDOWS\system32\spoolsv.exe
c:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\WINDOWS\system32\RegSrvc.exe
c:\Program Files\Spyware Doctor\sdhelp.exe
E:\WINDOWS\System32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\system32\rundll32.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\LVCOMSX.EXE
E:\WINDOWS\system32\ZCfgSvc.exe
E:\WINDOWS\system32\1XConfig.exe
E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\WINDOWS\system32\hkcmd.exe
E:\WINDOWS\system32\igfxsrvc.exe
E:\WINDOWS\system32\igfxpers.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\sndoctor.exe
E:\Program Files\Yahoo!\Messenger\ypager.exe
E:\WINDOWS\System32\wbem\wmiapsrv.exe
E:\WINDOWS\Explorer.EXE
C:\spyhelp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O4 - HKLM\..\Run: [LVCOMSX] E:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [ZCfgSvc.exe] E:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SynTPEnh] E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - c:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - c:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - c:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0CBF7EDC-17EC-442C-8AE9-5E804707B6CA} (NeffyClient Class) - http://dist.cdnetworks.co.kr/cdndist/neffy/Neffy.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChatENU/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: browsela - E:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: RunOnce - E:\WINDOWS\system32\mvnsl9571.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - c:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - E:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - E:\WINDOWS\system32\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - c:\Program Files\Spyware Doctor\sdhelp.exe



and FindIt!

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\desktop\Find It NT-2K-XP

 ------- System Files in System32 Directory -------

 Volume in drive E has no label.
 Volume Serial Number is 280D-64FE

 Directory of E:\WINDOWS\System32

01/14/2006  04:33 AM           235,679 iQlmuCHS.dll
01/14/2006  04:33 AM           237,175 p6r4lg9q16.dll
01/14/2006  02:25 AM           235,679 n6l8lg3u16.dll
01/14/2006  02:24 AM           236,441 p26s0cj7efo.dll
01/14/2006  01:40 AM           233,640 gp0ol3d31.dll
01/14/2006  01:18 AM    <DIR>          dllcache
01/14/2006  12:41 AM           235,679 u2rulc991f.dll
01/12/2006  05:52 AM             3,662 KGyGaAvL.sys
01/12/2006  05:52 AM               104 9F156B132F.sys
04/30/2005  04:06 PM    <DIR>          Microsoft
               8 File(s)      1,418,059 bytes
               2 Dir(s)   1,369,112,576 bytes free

 ------- Hidden Files in System32 Directory -------

 Volume in drive E has no label.
 Volume Serial Number is 280D-64FE

 Directory of E:\WINDOWS\System32

01/14/2006  01:18 AM    <DIR>          dllcache
01/14/2006  12:28 AM               488 WindowsLogon.manifest
01/14/2006  12:28 AM               488 logonui.exe.manifest
01/14/2006  12:28 AM               749 cdplayer.exe.manifest
01/14/2006  12:28 AM               749 ncpa.cpl.manifest
01/14/2006  12:28 AM               749 wuaucpl.cpl.manifest
01/14/2006  12:28 AM               749 nwc.cpl.manifest
01/14/2006  12:28 AM               749 sapi.cpl.manifest
01/12/2006  05:52 AM             3,662 KGyGaAvL.sys
01/12/2006  05:52 AM               104 9F156B132F.sys
               9 File(s)          8,487 bytes
               1 Dir(s)   1,369,108,480 bytes free

 ------------ Files Named "Guard" ---------------

 Volume in drive E has no label.
 Volume Serial Number is 280D-64FE

 Directory of E:\WINDOWS\System32


 ------ Temp Files in System32 Directory ------

 Volume in drive E has no label.
 Volume Serial Number is 280D-64FE

 Directory of E:\WINDOWS\System32

12/28/2005  09:54 PM           280,064 SET7.tmp
11/30/2005  11:05 PM         1,495,040 SETE.tmp
11/23/2005  08:07 PM         3,018,240 SET10.tmp
11/04/2005  10:34 PM           610,304 SETC.tmp
10/20/2005  10:38 PM           661,504 SETB.tmp
10/20/2005  10:38 PM           474,112 SETD.tmp
               6 File(s)      6,539,264 bytes
               0 Dir(s)   1,369,108,480 bytes free

 ------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{8D353AA5-AF92-7B00-23CD-814B5BDFA4BA}"=""


 ------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\browsela]
"DLLName"="E:\\WINDOWS\\system32\\browsela.dll"
"logoff"="WACLEventLogoff"
"lock"="WACLEventLock"
"logon"="WACLEventLogon"
"startup"="WACLEventStartup"
"shutdown"="WACLEventShutdown"
"startshell"="WACLEventStartShell"
"unlock"="WACLEventUnlock"
"startscreensaver"="WACLEventStartScreenSaver"
"stopscreensaver"="WACLEventStopScreenSaver"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="E:\\WINDOWS\\system32\\u2rulc991f.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


 ------------- Locate.com Results -------------

E:\WINDOWS\SYSTEM32\
   9f156b~1.sys   Thu Jan 12 2006   5:52:28a  ..SHR            104     0.10 K
   cdplay~1.man   Sat Jan 14 2006  12:28:10a  A..HR            749     0.73 K
   gp0ol3~1.dll   Sat Jan 14 2006   1:40:54a  ..S.R        233,640   228.16 K
   iqlmuchs.dll   Sat Jan 14 2006   4:33:58a  ..S.R        235,679   230.15 K
   kgygaavl.sys   Thu Jan 12 2006   5:52:30a  A.SH.          3,662     3.57 K
   logonu~1.man   Sat Jan 14 2006  12:28:16a  A..HR            488     0.48 K
   n6l8lg~1.dll   Sat Jan 14 2006   2:25:04a  ..S.R        235,679   230.15 K
   ncpacp~1.man   Sat Jan 14 2006  12:28:10a  A..HR            749     0.73 K
   nwccpl~1.man   Sat Jan 14 2006  12:28:10a  A..HR            749     0.73 K
   p26s0c~1.dll   Sat Jan 14 2006   2:24:02a  ..S.R        236,441   230.90 K
   p6r4lg~1.dll   Sat Jan 14 2006   4:33:58a  ..S.R        237,175   231.61 K
   sapicp~1.man   Sat Jan 14 2006  12:28:10a  A..HR            749     0.73 K
   u2rulc~1.dll   Sat Jan 14 2006  12:42:00a  ..S.R        235,679   230.15 K
   window~1.man   Sat Jan 14 2006  12:28:16a  A..HR            488     0.48 K
   wuaucp~1.man   Sat Jan 14 2006  12:28:10a  A..HR            749     0.73 K

15 items found:  15 files, 0 directories.
   Total of file sizes:  1,422,780 bytes      1.36 M

 -------- Strings.exe Qoologic Results --------


 --------- Strings.exe Aspack Results ---------

E:\WINDOWS\system32\d3dx9_25.dll: D3DXUVAtlasPack
E:\WINDOWS\system32\MRT.exe: (ASPack)
E:\WINDOWS\system32\MRT.exe: (AsPack2k)
E:\WINDOWS\system32\MRT.exe: (ASPack 1.00b)
E:\WINDOWS\system32\MRT.exe: (ASPack 2.1)
E:\WINDOWS\system32\MRT.exe: (ASPack 2.12)
E:\WINDOWS\system32\MRT.exe: (ASPack 2.11)
E:\WINDOWS\system32\MRT.exe: (ASPack 2.000)
E:\WINDOWS\system32\MRT.exe: (ASPack 2.001)
E:\WINDOWS\system32\MRT.exe: (ASPack 2.11x)
E:\WINDOWS\system32\MRT.exe: ASPack2000
E:\WINDOWS\system32\MRT.exe: ASPack 1.61
E:\WINDOWS\system32\MRT.exe: ASPack 1.084
E:\WINDOWS\system32\MRT.exe: ASPack 1.083
E:\WINDOWS\system32\MRT.exe: ASPack 1.08.02b
E:\WINDOWS\system32\MRT.exe: ASPack 1.07b
E:\WINDOWS\system32\MRT.exe: ASPack 1.05b
E:\WINDOWS\system32\MRT.exe: ASPack 1.02
E:\WINDOWS\system32\MRT.exe: ASPACK
E:\WINDOWS\system32\MRT.exe: aspACK
E:\WINDOWS\system32\MRT.exe: aspACK
E:\WINDOWS\system32\MRT.exe: aspACK
E:\WINDOWS\system32\MRT.exe: aspACK
E:\WINDOWS\system32\MRT.exe: aspACK
E:\WINDOWS\system32\MRT.exe: aspACK
E:\WINDOWS\system32\MRT.exe: aspACK

 -------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="E:\\WINDOWS\\system32\\LVCOMSX.EXE"
"ZCfgSvc.exe"="E:\\WINDOWS\\system32\\ZCfgSvc.exe"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"SynTPEnh"="E:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe"
"PRONoMgr.exe"="E:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"igfxtray"="E:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="E:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="E:\\WINDOWS\\system32\\igfxpers.exe"
"RegistryMechanic"=""
"QuickTime Task"="\"E:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

If there is anything else I can give to help you, just ask. Again, thanks in advance.
« Last Edit: January 15, 2006, 09:45:15 PM by guestolo »
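As an added example (not part of this thread or of any tool named in it), the following Python script parses a REGEDIT4 export of the Winlogon\Notify keys like the "Keys Under Notify" section of the FindIt log above and flags entries whose DLL is not a stock Windows notification package, is given by absolute path, or carries a random-looking file name. The allowlist, the name heuristic and the sample export (a constructed excerpt of the log above) are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the "Keys Under Notify" REGEDIT4 export from the FindIt log
# above: one stock Microsoft entry (crypt32chain) and the two rogue ones.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\browsela]
"DLLName"="E:\\WINDOWS\\system32\\browsela.dll"
"logon"="WACLEventLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"DllName"="E:\\WINDOWS\\system32\\u2rulc991f.dll"
"Logon"="WinLogon"
"""

# Assumed allowlist: the Windows XP notification packages seen in the Microsoft
# entries of the log above (stock entries use a bare name resolved from system32).
KNOWN_GOOD = {"wlnotify.dll", "cscdll.dll", "crypt32.dll", "cryptnet.dll", "sclgntfy.dll"}

# Assumed heuristic: 8-14 lowercase letters/digits with at least one of each.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,14}$")


def decode_reg_value(raw: str):
    """Turn one REGEDIT4 value literal into a Python value."""
    raw = raw.strip()
    if raw.startswith('"'):
        # REG_SZ: strip the quotes and undo the \\ and \" escapes of .reg files
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(2):"):
        # REG_EXPAND_SZ exported as comma-separated hex bytes, NUL terminated
        data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b)
        return data.split(b"\x00", 1)[0].decode("latin-1")
    return raw


def parse_notify_export(text: str) -> dict:
    """Map each Notify subkey name to a {lower-cased value name -> value} dict."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = re.match(r"^\[.*\\Winlogon\\Notify\\([^\]]+)\]$", line)
            current = m.group(1) if m else None
            if current:
                keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = decode_reg_value(m.group(2))
    return keys


@dataclass
class Finding:
    subkey: str
    dll: str
    reasons: list


def triage_notify_keys(text: str) -> list:
    """Flag Winlogon Notify entries that look like persistence rather than stock Windows."""
    findings = []
    for subkey, values in parse_notify_export(text).items():
        dll = str(values.get("dllname", ""))
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if base and base not in KNOWN_GOOD:
            reasons.append("DLL is not a stock Windows notification package")
        if "\\" in dll:
            reasons.append("absolute path instead of a bare system32 name")
        if RANDOM_NAME.match(base.rsplit(".", 1)[0]):
            reasons.append("random-looking file name")
        if reasons:
            findings.append(Finding(subkey, dll, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_notify_keys(SAMPLE_EXPORT):
        print(f"{f.subkey}: {f.dll}\n  - " + "\n  - ".join(f.reasons))
```

Run against the full export in the log, it flags the `browsela` and `Explorer` subkeys and leaves the wlnotify/cscdll/crypt32/cryptnet/sclgntfy entries alone.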

guestolo

Delf.AEO, Browsela.dll MAJOR problem
« Reply #1 on: January 15, 2006, 09:44:39 PM »
Sorry for the delay. Can I see a fresh HijackThis log please, just to make sure nothing has changed?

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Filth

Delf.AEO, Browsela.dll MAJOR problem
« Reply #2 on: January 17, 2006, 06:54:58 AM »
Logfile of HijackThis v1.99.1
Scan saved at 6:54:37 AM, on 1/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\S24EvMon.exe
E:\WINDOWS\system32\spoolsv.exe
c:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\WINDOWS\system32\RegSrvc.exe
c:\Program Files\Spyware Doctor\sdhelp.exe
E:\WINDOWS\System32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\LVCOMSX.EXE
E:\WINDOWS\system32\ZCfgSvc.exe
E:\WINDOWS\system32\1XConfig.exe
E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\WINDOWS\system32\hkcmd.exe
E:\WINDOWS\system32\igfxpers.exe
E:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
C:\Program Files\Spyware Doctor\sndoctor.exe
E:\WINDOWS\System32\ctfmon.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\WINDOWS\Explorer.EXE
C:\spyhelp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O4 - HKLM\..\Run: [LVCOMSX] E:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [ZCfgSvc.exe] E:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SynTPEnh] E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - c:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - c:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - c:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0CBF7EDC-17EC-442C-8AE9-5E804707B6CA} (NeffyClient Class) - http://dist.cdnetworks.co.kr/cdndist/neffy/Neffy.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChatENU/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: browsela - E:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: MS-DOS Emulation - E:\WINDOWS\system32\mv2ul9f91.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ewido security suite control - ewido networks - c:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - E:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - E:\WINDOWS\system32\S24EvMon.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - c:\Program Files\Spyware Doctor\sdhelp.exe

guestolo

Delf.AEO, Browsela.dll MAJOR problem
« Reply #3 on: January 17, 2006, 12:04:08 PM »
Let's try this again.
Ensure you do everything the way I post it!!!!
Download win32delfkil.exe.
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.

Print the rest of this out or save it to a Notepad file on the desktop.

Close all other open windows, including this one.

Please disable Spyware Doctor's protections, as it may/will interfere with any fixes we try.
To deactivate Spyware Doctor's OnGuard tools:

1. From within Spyware Doctor, click the "OnGuard" button on the left side.
2. Uncheck "Activate OnGuard".

Do a "System scan only" with HijackThis and put a check next to these entries:

O20 - Winlogon Notify: browsela - E:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: MS-DOS Emulation - E:\WINDOWS\system32\mv2ul9f91.dll


Leave HijackThis open; don't click Fix checked yet!

Open the win32delfkil folder and double click on fix.bat.
When it's done, don't reboot yet!

Go back to HijackThis and click FIX CHECKED.
OK the prompts and close HijackThis.

We want to shut down the computer.
Make sure this is done; don't reboot automatically or manually.
Instead, don't use the normal means to shut down the computer:
use the Power button on the computer and hold it in to shut down.
After you have shut down, restart again.

Post the contents of the logfile e:\windelf.txt, along with a new HijackThis log.

Additionally, delete your copy of L2Mfix.exe and the L2Mfix folder, then download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so! This fix must NOT be run in safe mode for it to work.

If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application." then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first and letting me see a log.



guestolo

Delf.AEO, Browsela.dll MAJOR problem
« Reply #4 on: January 30, 2006, 12:06:17 AM »
Since the poster has not replied, I'm locking this topic.
