• IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation.
Status: Not open for further replies. 1 - 14 of 14 Posts

Registered · 13 Posts · Discussion Starter · #1
I ran Spybot, Ad-Aware and McAfee antivirus. I am still left with this.

Here is my hjt log

Logfile of HijackThis v1.99.0
Scan saved at 6:46:56 PM, on 1/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighterScanner.exe" monitor
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [kalvsys] c:\windows\system32\kalvuwp32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: kpfpuu.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://*.frame.crazywinnings.com
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4411/mcfscan.cab
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee SpamKiller Server - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

Thanks for any help you can give me
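A small triage script for logs in this format, added here as an example; it is not part of the original post or of HijackThis itself. The sample lines are copied from the log above except for the "127.0.0.1 localhost" entry, which is constructed to show a hosts line the rules accept; the rule names and the split into "flag" and "check" are this example's own. It flags the indicator classes that are decidable from the log text alone (a hosts entry that points a name anywhere other than loopback, any O15 Trusted Zone entry, an O23 service whose vendor string is Unknown, and a Global Startup item that is a bare executable rather than a .lnk shortcut) and lists every Run-key target for manual checking on disk, because a name alone cannot separate kalvuwp32.exe from a legitimately odd-looking vendor binary such as hpztsb05.exe.

```python
"""Triage a HijackThis 1.99-style log for indicators that are decidable from
the log text alone.  Added example; not HijackThis code."""
import re
from ipaddress import ip_address

# Constructed sample: lines copied from the log posted above, plus one
# constructed "127.0.0.1 localhost" entry to show a hosts line that passes.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [kalvsys] c:\windows\system32\kalvuwp32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: kpfpuu.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted Zone: http://*.frame.crazywinnings.com
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run\w*:\s+\[([^\]]*)\]\s*(.*)$")
STARTUP_RE = re.compile(r"^(?:Global )?Startup:\s+(.*)$")


def parse(text):
    """Split a log into (section, body) pairs, e.g. ("O4", "HKLM\\..\\Run: ...")."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def exe_of(command):
    """Best-effort executable path from a Run-key command (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(text):
    """Return (section, rule, detail) findings for the decidable indicators."""
    findings = []
    for section, body in parse(text):
        if section == "O1":
            m = HOSTS_RE.match(body)
            if not m:
                continue
            ip, host = m.groups()
            try:
                loopback = ip_address(ip).is_loopback
            except ValueError:
                loopback = False
            if not loopback:  # a name is being sent to a remote address
                findings.append((section, "hosts-redirect", f"{host} -> {ip}"))
        elif section == "O15":  # Trusted Zone relaxes IE's protections for that site
            findings.append((section, "trusted-zone", body))
        elif section == "O23":
            parts = body.split(" - ")
            if len(parts) >= 3 and parts[-2].strip() == "Unknown":
                findings.append((section, "service-no-vendor", parts[-1].strip()))
        elif section == "O4":
            m = STARTUP_RE.match(body)
            if m:
                item = m.group(1).split(" = ")[0].strip()
                if not item.lower().endswith(".lnk"):  # a real file dropped in Startup
                    findings.append((section, "startup-not-shortcut", item))
    return findings


def run_targets(text):
    """(value name, executable) for every Run-key entry, for checking on disk."""
    out = []
    for section, body in parse(text):
        m = RUN_RE.match(body) if section == "O4" else None
        if m:
            out.append((m.group(2), exe_of(m.group(3))))
    return out


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("FLAG", *finding)
    for name, exe in run_targets(SAMPLE_LOG):
        print("CHECK", name, exe)
```

The "Unknown" rule is a prompt to verify, not a verdict: in the log above it fires on a McAfee service, which HijackThis simply could not read version information from.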
 

Administrator · 123,574 Posts
Download http://www.mvps.org/winhelp2002/DelDomains.inf, right-click it and choose Install to get rid of crazywinnings.

Click here: http://forums.techguy.org/attachment.php?attachmentid=46183 to download Find It NT-2K-XP.zip.

Unzip it and double-click on Find.bat to run it. When the command window first opens, it will say "File not found". Ignore that and let it continue to run until it finishes. It may take it a few minutes. It will open an Output.txt file when it completes. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.

Download the VX2Finder.exe tool. Click on the VX2Finder.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, the Guardian Key and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here and wait for further instructions.

http://www.downloads.subratam.org/VX2Finder.exe

Next click here: http://www.downloads.subratam.org/DllCompare.exe to download DLLCompare.zip.

Save it to your desktop.

Now run DllCompare and click on the RunLocate.com button. It will scan for the hidden files. When it is finished, you will see in blue Completed the scan, Click Compare to Continue at which time you will click the Compare button.

It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.

In a few minutes it will complete then you will see in blue Completed.
Click the Make a Log of what was Found button. It will ask if you want to view the logfile. Click Yes then copy and paste that log in your next reply.

After you have posted all that info here, it is very important that you do not restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry we need to remove will change, as will some of the file names, and we will have to start all over.
 

Registered · 13 Posts · Discussion Starter · #4
Here are the logs. I did not know if I should run HJT again; if so, let me know.

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\aatxprxy.dll Wed Jan 12 2005 4:35:32p ..S.R 225,761 220.47 K
C:\WINDOWS\SYSTEM32\alaamon.dll Wed Jan 12 2005 11:41:08p ..S.R 222,917 217.69 K
C:\WINDOWS\SYSTEM32\bvowselc.dll Wed Jan 5 2005 12:51:12p ..S.R 223,326 218.09 K
C:\WINDOWS\SYSTEM32\cgb.dll Wed Jan 12 2005 12:00:02p ..S.R 223,756 218.51 K
C:\WINDOWS\SYSTEM32\cvdial32.dll Sat Jan 8 2005 1:13:28p ..S.R 223,756 218.51 K
C:\WINDOWS\SYSTEM32\d00mla~1.dll Wed Jan 12 2005 7:46:56p ..S.R 222,758 217.54 K
C:\WINDOWS\SYSTEM32\dcskcopy.dll Thu Jan 13 2005 11:24:08a ..S.R 224,082 218.83 K
C:\WINDOWS\SYSTEM32\dinetlib.dll Thu Jan 13 2005 11:17:22a ..S.R 222,917 217.69 K
C:\WINDOWS\SYSTEM32\djrpsetu.dll Wed Jan 12 2005 8:09:36p ..S.R 225,761 220.47 K
C:\WINDOWS\SYSTEM32\dovvox.dll Mon Jan 3 2005 12:03:46p ..S.R 223,326 218.09 K
C:\WINDOWS\SYSTEM32\dsmsrpcn.dll Wed Jan 12 2005 11:28:58p ..S.R 224,176 218.92 K
C:\WINDOWS\SYSTEM32\dtdim700.dll Tue Dec 28 2004 5:47:28p ..S.R 224,668 219.40 K
C:\WINDOWS\SYSTEM32\dxdxof.dll Wed Jan 12 2005 10:50:12p ..S.R 222,917 217.69 K
C:\WINDOWS\SYSTEM32\en48l1~1.dll Wed Jan 12 2005 10:39:30p ..S.R 225,761 220.47 K
C:\WINDOWS\SYSTEM32\en8ol1~1.dll Tue Jan 11 2005 8:39:06p ..S.R 223,756 218.51 K
C:\WINDOWS\SYSTEM32\gpn4l3~1.dll Thu Jan 13 2005 12:09:46p ..S.R 225,535 220.25 K
C:\WINDOWS\SYSTEM32\ihnathlp.dll Tue Jan 11 2005 10:50:08p ..S.R 224,000 218.75 K
C:\WINDOWS\SYSTEM32\inxrip.dll Wed Jan 12 2005 4:38:28p ..S.R 223,756 218.51 K
C:\WINDOWS\SYSTEM32\irjml5~1.dll Tue Jan 11 2005 9:28:08p ..S.R 224,871 219.60 K
C:\WINDOWS\SYSTEM32\k6jslg~1.dll Tue Jan 11 2005 9:31:30p ..S.R 225,472 220.19 K
C:\WINDOWS\SYSTEM32\kgdcr.dll Tue Jan 11 2005 9:33:38p ..S.R 223,756 218.51 K
C:\WINDOWS\SYSTEM32\l40ule~1.dll Thu Jan 13 2005 7:51:38a ..S.R 222,917 217.69 K
C:\WINDOWS\SYSTEM32\lfk.dll Thu Jan 13 2005 11:52:28a ..S.R 224,936 219.66 K
C:\WINDOWS\SYSTEM32\lv2q09~1.dll Wed Jan 5 2005 12:58:12p ..S.R 223,326 218.09 K
C:\WINDOWS\SYSTEM32\lv4o09~1.dll Tue Jan 11 2005 7:02:34p ..S.R 225,719 220.43 K
C:\WINDOWS\SYSTEM32\m6rmlg~1.dll Thu Jan 13 2005 7:43:38a ..S.R 224,113 218.86 K
C:\WINDOWS\SYSTEM32\mdrecr40.dll Sun Jan 9 2005 7:43:36p ..S.R 223,756 218.51 K
C:\WINDOWS\SYSTEM32\mhricons.dll Thu Jan 13 2005 11:39:30a ..S.R 224,082 218.83 K
C:\WINDOWS\SYSTEM32\mqimg32.dll Wed Jan 12 2005 11:25:06p ..S.R 222,917 217.69 K
C:\WINDOWS\SYSTEM32\mst2fw95.dll Thu Jan 13 2005 7:53:54a ..S.R 222,917 217.69 K
C:\WINDOWS\SYSTEM32\msutil.dll Tue Jan 11 2005 9:28:08p ..S.R 223,756 218.51 K
C:\WINDOWS\SYSTEM32\mvaudite.dll Wed Jan 12 2005 10:14:12p ..S.R 222,917 217.69 K
C:\WINDOWS\SYSTEM32\mvvcp71.dll Wed Jan 12 2005 1:14:04p ..S.R 225,761 220.47 K
C:\WINDOWS\SYSTEM32\mxsystem.dll Sun Dec 12 2004 11:29:54a ..S.R 224,668 219.40 K
C:\WINDOWS\SYSTEM32\n48o0e~1.dll Sun Dec 5 2004 8:54:12a ..S.R 223,616 218.38 K
C:\WINDOWS\SYSTEM32\noapi32.dll Wed Jan 12 2005 11:52:00p ..S.R 222,917 217.69 K
C:\WINDOWS\SYSTEM32\r08s0a~1.dll Thu Jan 13 2005 5:05:48p ..S.R 224,082 218.83 K
C:\WINDOWS\SYSTEM32\s0pu0a~1.dll Thu Jan 13 2005 12:20:16p ..S.R 225,052 219.78 K
C:\WINDOWS\SYSTEM32\siclogon.dll Wed Jan 12 2005 10:28:54p ..S.R 225,761 220.47 K
C:\WINDOWS\SYSTEM32\soclient.dll Thu Jan 13 2005 11:35:12a ..S.R 224,936 219.66 K
C:\WINDOWS\SYSTEM32\wihnetbs.dll Thu Jan 13 2005 7:43:38a ..S.R 222,917 217.69 K
C:\WINDOWS\SYSTEM32\wmn32spl.dll Wed Jan 12 2005 6:31:22p ..S.R 225,761 220.47 K
C:\WINDOWS\SYSTEM32\wsn32spl.dll Wed Jan 12 2005 11:47:24p ..S.R 224,176 218.92 K
________________________________________________

1,266 items found: 1,266 files (43 H/S), 0 directories.
Total of file sizes: 252,181,350 bytes 240.50 M

Administrator Account = True

--------------------End log---------------------
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Minnaman\Desktop\Find It NT-2K-XP\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is E860-EF96

Directory of C:\WINDOWS\System32

01/13/2005 05:28 PM 225,682 guard.tmp
01/13/2005 05:05 PM 224,082 r08s0al7edq.dll
01/13/2005 12:20 PM 225,052 s0pu0a79ed.dll
01/13/2005 12:09 PM 225,535 gpn4l35q1.dll
01/13/2005 11:55 AM dllcache
01/13/2005 11:52 AM 224,936 lfk.dll
01/13/2005 11:39 AM 224,082 mhricons.dll
01/13/2005 11:35 AM 224,936 soclient.dll
01/13/2005 11:24 AM 224,082 dcskcopy.dll
01/13/2005 11:17 AM 222,917 DInetlib.dll
01/13/2005 07:53 AM 222,917 MST2FW95.DLL
01/13/2005 07:51 AM 222,917 l40uled91h0.dll
01/13/2005 07:43 AM 222,917 wihnetbs.dll
01/13/2005 07:43 AM 224,113 m6rmlg9116.dll
01/12/2005 11:51 PM 222,917 noapi32.dll
01/12/2005 11:47 PM 224,176 wsn32spl.dll
01/12/2005 11:41 PM 222,917 aLaamon.dll
01/12/2005 11:28 PM 224,176 dsmsrpcn.dll
01/12/2005 11:25 PM 222,917 mqimg32.dll
01/12/2005 10:50 PM 222,917 dXdxof.dll
01/12/2005 10:39 PM 225,761 en48l1hu1.dll
01/12/2005 10:28 PM 225,761 siclogon.dll
01/12/2005 10:14 PM 222,917 mvaudite.dll
01/12/2005 08:09 PM 225,761 djrpsetu.dll
01/12/2005 07:46 PM 222,758 d00mlad11d0.dll
01/12/2005 06:31 PM 225,761 wmn32spl.dll
01/12/2005 04:38 PM 223,756 inxrip.dll
01/12/2005 04:35 PM 225,761 aatxprxy.dll
01/12/2005 01:14 PM 225,761 mvvcp71.dll
01/12/2005 12:00 PM 223,756 cgb.dll
01/11/2005 10:50 PM 224,000 ihnathlp.dll
01/11/2005 09:33 PM 223,756 kgdcr.dll
01/11/2005 09:31 PM 225,472 k6jslg1716.dll
01/11/2005 09:28 PM 223,756 msutil.dll
01/11/2005 09:28 PM 224,871 irjml5111.dll
01/11/2005 08:39 PM 223,756 en8ol1l31.dll
01/11/2005 07:02 PM 225,719 lv4o09h3e.dll
01/09/2005 07:43 PM 223,756 mdrecr40.dll
01/08/2005 01:13 PM 223,756 cvdial32.dll
01/05/2005 12:58 PM 223,326 lv2q09f5e.dll
01/05/2005 12:51 PM 223,326 bvowselc.dll
01/03/2005 12:03 PM 223,326 dovvox.dll
12/28/2004 05:47 PM 224,668 dTdim700.dll
12/12/2004 11:29 AM 224,668 mxsystem.dll
12/05/2004 08:54 AM 223,616 n48o0el3ehq.dll
07/08/2002 12:53 AM Microsoft
44 File(s) 9,863,713 bytes
2 Dir(s) 87,167,803,392 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is E860-EF96

Directory of C:\WINDOWS\System32

01/13/2005 11:55 AM dllcache
07/05/2002 08:23 AM 488 logonui.exe.manifest
07/05/2002 08:23 AM 488 WindowsLogon.manifest
07/05/2002 08:22 AM 749 wuaucpl.cpl.manifest
07/05/2002 08:22 AM 749 cdplayer.exe.manifest
07/05/2002 08:22 AM 749 sapi.cpl.manifest
07/05/2002 08:22 AM 749 nwc.cpl.manifest
07/05/2002 08:22 AM 749 ncpa.cpl.manifest
7 File(s) 4,721 bytes
1 Dir(s) 87,167,803,392 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is E860-EF96

Directory of C:\WINDOWS\System32

01/13/2005 05:28 PM 225,682 guard.tmp
1 File(s) 225,682 bytes
0 Dir(s) 87,167,803,392 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is E860-EF96

Directory of C:\WINDOWS\System32

01/13/2005 05:28 PM 225,682 guard.tmp
09/10/2004 09:57 PM 0 OLD1167.tmp
09/10/2004 09:57 PM 0 OLD1166.tmp
09/10/2004 09:57 PM 0 OLD1165.tmp
09/10/2004 09:57 PM 0 OLD115F.tmp
09/10/2004 09:57 PM 0 OLD1159.tmp
08/29/2002 09:14 AM 110,592 SET1090.tmp
08/29/2002 09:14 AM 98,816 SET106E.tmp
08/29/2002 09:14 AM 91,136 SET1070.tmp
08/29/2002 09:14 AM 62,976 SET1074.tmp
08/29/2002 09:14 AM 1,026,048 SET1076.tmp
08/29/2002 09:14 AM 187,392 SET107E.tmp
08/29/2002 09:14 AM 351,232 SET1080.tmp
08/29/2002 09:14 AM 231,424 SET1086.tmp
08/29/2002 09:14 AM 30,720 SET108C.tmp
08/29/2002 09:14 AM 292,352 SET108E.tmp
08/29/2002 09:14 AM 585,728 SET10C7.tmp
08/29/2002 09:14 AM 574,976 SET1096.tmp
08/29/2002 09:14 AM 2,786,816 SET109C.tmp
08/29/2002 09:14 AM 1,350,656 SET109E.tmp
08/29/2002 09:14 AM 434,688 SET10A0.tmp
08/29/2002 09:14 AM 132,096 SET10A8.tmp
08/29/2002 09:14 AM 59,904 SET10AA.tmp
08/29/2002 09:14 AM 68,608 SET10B0.tmp
08/29/2002 09:14 AM 533,504 SET10B7.tmp
08/29/2002 09:14 AM 1,338,368 SET10B9.tmp
08/29/2002 09:14 AM 22,528 SET10BB.tmp
08/29/2002 09:14 AM 395,264 SET10BD.tmp
08/29/2002 09:14 AM 106,496 SET10C1.tmp
08/29/2002 09:14 AM 482,816 SET10C3.tmp
08/29/2002 09:14 AM 258,048 SET10C5.tmp
08/23/2001 07:00 AM 2,577 CONFIG.TMP
32 File(s) 11,841,443 bytes
0 Dir(s) 87,167,795,200 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{252F8E03-C879-4246-8565-FC91E794A4A2}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NetCache]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\i006lads1d06.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
aatxprxy.dll Wed Jan 12 2005 4:35:32p ..S.R 225,761 220.47 K
alaamon.dll Wed Jan 12 2005 11:41:08p ..S.R 222,917 217.69 K
bvowselc.dll Wed Jan 5 2005 12:51:12p ..S.R 223,326 218.09 K
cgb.dll Wed Jan 12 2005 12:00:02p ..S.R 223,756 218.51 K
cvdial32.dll Sat Jan 8 2005 1:13:28p ..S.R 223,756 218.51 K
d00mla~1.dll Wed Jan 12 2005 7:46:56p ..S.R 222,758 217.54 K
dcskcopy.dll Thu Jan 13 2005 11:24:08a ..S.R 224,082 218.83 K
dinetlib.dll Thu Jan 13 2005 11:17:22a ..S.R 222,917 217.69 K
djrpsetu.dll Wed Jan 12 2005 8:09:36p ..S.R 225,761 220.47 K
dovvox.dll Mon Jan 3 2005 12:03:46p ..S.R 223,326 218.09 K
dsmsrpcn.dll Wed Jan 12 2005 11:28:58p ..S.R 224,176 218.92 K
dtdim700.dll Tue Dec 28 2004 5:47:28p ..S.R 224,668 219.40 K
dxdxof.dll Wed Jan 12 2005 10:50:12p ..S.R 222,917 217.69 K
en48l1~1.dll Wed Jan 12 2005 10:39:30p ..S.R 225,761 220.47 K
en8ol1~1.dll Tue Jan 11 2005 8:39:06p ..S.R 223,756 218.51 K
gpn4l3~1.dll Thu Jan 13 2005 12:09:46p ..S.R 225,535 220.25 K
guard.tmp Thu Jan 13 2005 5:28:48p ..S.R 225,682 220.39 K
ihnathlp.dll Tue Jan 11 2005 10:50:08p ..S.R 224,000 218.75 K
inxrip.dll Wed Jan 12 2005 4:38:28p ..S.R 223,756 218.51 K
irjml5~1.dll Tue Jan 11 2005 9:28:08p ..S.R 224,871 219.60 K
k6jslg~1.dll Tue Jan 11 2005 9:31:30p ..S.R 225,472 220.19 K
kgdcr.dll Tue Jan 11 2005 9:33:38p ..S.R 223,756 218.51 K
l40ule~1.dll Thu Jan 13 2005 7:51:38a ..S.R 222,917 217.69 K
lfk.dll Thu Jan 13 2005 11:52:28a ..S.R 224,936 219.66 K
lv2q09~1.dll Wed Jan 5 2005 12:58:12p ..S.R 223,326 218.09 K
lv4o09~1.dll Tue Jan 11 2005 7:02:34p ..S.R 225,719 220.43 K
m6rmlg~1.dll Thu Jan 13 2005 7:43:38a ..S.R 224,113 218.86 K
mdrecr40.dll Sun Jan 9 2005 7:43:36p ..S.R 223,756 218.51 K
mhricons.dll Thu Jan 13 2005 11:39:30a ..S.R 224,082 218.83 K
mqimg32.dll Wed Jan 12 2005 11:25:06p ..S.R 222,917 217.69 K
mst2fw95.dll Thu Jan 13 2005 7:53:54a ..S.R 222,917 217.69 K
msutil.dll Tue Jan 11 2005 9:28:08p ..S.R 223,756 218.51 K
mvaudite.dll Wed Jan 12 2005 10:14:12p ..S.R 222,917 217.69 K
mvvcp71.dll Wed Jan 12 2005 1:14:04p ..S.R 225,761 220.47 K
mxsystem.dll Sun Dec 12 2004 11:29:54a ..S.R 224,668 219.40 K
n48o0e~1.dll Sun Dec 5 2004 8:54:12a ..S.R 223,616 218.38 K
noapi32.dll Wed Jan 12 2005 11:52:00p ..S.R 222,917 217.69 K
r08s0a~1.dll Thu Jan 13 2005 5:05:48p ..S.R 224,082 218.83 K
s0pu0a~1.dll Thu Jan 13 2005 12:20:16p ..S.R 225,052 219.78 K
siclogon.dll Wed Jan 12 2005 10:28:54p ..S.R 225,761 220.47 K
soclient.dll Thu Jan 13 2005 11:35:12a ..S.R 224,936 219.66 K
wihnetbs.dll Thu Jan 13 2005 7:43:38a ..S.R 222,917 217.69 K
wmn32spl.dll Wed Jan 12 2005 6:31:22p ..S.R 225,761 220.47 K
wsn32spl.dll Wed Jan 12 2005 11:47:24p ..S.R 224,176 218.92 K

44 items found: 44 files, 0 directories.
Total of file sizes: 9,863,713 bytes 9.41 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\system32\iusuoo.dll: updates.qoologic.com
C:\WINDOWS\system32\lmxmzz.exe: updates.qoologic.com
C:\WINDOWS\system32\lzizyy.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\voqoii.exe: .aspack
C:\WINDOWS\system32\wygyaa.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\kpfpuu.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"WFXSwtch"="C:\\PROGRA~1\\NORTON~1\\WinFax\\WFXSWTCH.exe"
"WinFaxAppPortStarter"="wfxsnt40.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"Lexmark X5100 Series"="\"C:\\Program Files\\Lexmark X5100 Series\\lxbabmgr.exe\""
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"SpyFighterMonitor"="\"C:\\Program Files\\SpyFighter\\SpyFighterScanner.exe\" monitor"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskDetct.exe /startup"
"kalvsys"="c:\\windows\\system32\\kalvuwp32.exe"
"Narrator"="C:\\WINDOWS\\System32\\voqoii.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
NetCache

Guardian Key--- is called:
Asynchronous 000
DllName
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Shutdown WinShutdown

Guardian Key--- :

User Agent String---
{252F8E03-C879-4246-8565-FC91E794A4A2}
 

Administrator · 123,574 Posts
Download the Hoster from: http://members.aol.com/toadbee/hoster.zip. UnZip the file to your desktop.

Click here: http://www.downloads.subratam.org/KillBox.exe to download Pocket KillBox.

Unzip the files to the folder of your choice.

Also I am attaching a fix.zip file to this post. Download fix.zip to your desktop and unzip it.

IMPORTANT!: Before you continue, close ALL running programs. Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access.

Double-click on the fix.reg file to enter it into the registry. Answer Yes when asked to have its contents added to the registry.

Because XP will not always show you hidden files and folders by default, go to Start - Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"

Run Pocket Killbox and click on Tools > Delete Temp Files and let it do its thing.

Double-click on Killbox.exe to run it. Now put a tick by Replace on Reboot. Under that also put a check in the box by Use Dummy. In the "Paste Full Path of File to Delete" box, copy and paste each of the following lines one at a time. After each one it will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\SYSTEM32\aatxprxy.dll
C:\WINDOWS\SYSTEM32\alaamon.dll
C:\WINDOWS\SYSTEM32\bvowselc.dll
C:\WINDOWS\SYSTEM32\cgb.dll
C:\WINDOWS\SYSTEM32\cvdial32.dll
C:\WINDOWS\SYSTEM32\d00mla~1.dll
C:\WINDOWS\SYSTEM32\dcskcopy.dll
C:\WINDOWS\SYSTEM32\dinetlib.dll
C:\WINDOWS\SYSTEM32\djrpsetu.dll
C:\WINDOWS\SYSTEM32\dovvox.dll
C:\WINDOWS\SYSTEM32\dsmsrpcn.dll
C:\WINDOWS\SYSTEM32\dtdim700.dll
C:\WINDOWS\SYSTEM32\dxdxof.dll
C:\WINDOWS\SYSTEM32\en48l1~1.dll
C:\WINDOWS\SYSTEM32\en8ol1~1.dll
C:\WINDOWS\SYSTEM32\gpn4l3~1.dll
C:\WINDOWS\SYSTEM32\guard.tmp
C:\WINDOWS\SYSTEM32\ihnathlp.dll
C:\WINDOWS\SYSTEM32\inxrip.dll
C:\WINDOWS\SYSTEM32\irjml5~1.dll
C:\WINDOWS\SYSTEM32\k6jslg~1.dll
C:\WINDOWS\SYSTEM32\kgdcr.dll
C:\WINDOWS\SYSTEM32\l40ule~1.dll
C:\WINDOWS\SYSTEM32\lfk.dll
C:\WINDOWS\SYSTEM32\lv2q09~1.dll
C:\WINDOWS\SYSTEM32\lv4o09~1.dll
C:\WINDOWS\SYSTEM32\m6rmlg~1.dll
C:\WINDOWS\SYSTEM32\mdrecr40.dll
C:\WINDOWS\SYSTEM32\mhricons.dll
C:\WINDOWS\SYSTEM32\mqimg32.dll
C:\WINDOWS\SYSTEM32\mst2fw95.dll
C:\WINDOWS\SYSTEM32\msutil.dll
C:\WINDOWS\SYSTEM32\mvaudite.dll
C:\WINDOWS\SYSTEM32\mvvcp71.dll
C:\WINDOWS\SYSTEM32\mxsystem.dll
C:\WINDOWS\SYSTEM32\n48o0e~1.dll
C:\WINDOWS\SYSTEM32\noapi32.dll
C:\WINDOWS\SYSTEM32\r08s0a~1.dll
C:\WINDOWS\SYSTEM32\s0pu0a~1.dll
C:\WINDOWS\SYSTEM32\siclogon.dll
C:\WINDOWS\SYSTEM32\soclient.dll
C:\WINDOWS\SYSTEM32\wihnetbs.dll
C:\WINDOWS\SYSTEM32\wmn32spl.dll
C:\WINDOWS\SYSTEM32\wsn32spl.dll

C:\WINDOWS\system32\iusuoo.dll
C:\WINDOWS\system32\lmxmzz.exe
C:\WINDOWS\system32\lzizyy.dll
C:\WINDOWS\system32\voqoii.exe
C:\WINDOWS\system32\wygyaa.dat


Note: If KillBox tells you the file cannot be deleted, then put a tick by Delete on Reboot for that particular file and then click the button with the red circle and an X in the middle. It will ask for confirmation and if you want to reboot now. Click No then OK on the next prompt. It is also possible that it will tell you that one or more do not exist. Continue on as instructed if that happens.

Run the Hoster and click "Restore Original Hosts" and press "OK" then Exit the Hoster.

Next run VX2Finder and click the "Restore Policy" button.

Now restart your computer.

Finally, run Find.bat again. Let it run as you did before and it will produce another output.txt file. When it is finished, hit any key to close find.bat. When you close find.bat it will ask you if you want to save the changes to output.txt. Click Yes and post the contents of the new output.txt file here along with a new Hijack This log.

Again I remind you, it is very important that you do not restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry we need to remove will change, as will some of the file names, and we will have to start all over.
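The two mechanisms the steps above rely on, written out as an added example (not code from Hoster or KillBox, whose internals the thread does not show): a hosts-file audit that reports every mapping other than the loopback localhost line and rebuilds the default file, which is what "Restore Original Hosts" achieves; and a wrapper around the Win32 call MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT, the documented way to delete or overwrite a file that is locked while Windows is running, which is what "Delete on Reboot" and "Replace on Reboot" with a dummy do. The sample hosts text is constructed from the three O1 lines in the first log; the reboot helper needs administrator rights and only exists on Windows, so the script refuses to call it elsewhere.

```python
"""Hosts-file audit/restore and delete-on-reboot queuing.  Added example;
not code from Hoster or KillBox."""
import sys
from ipaddress import ip_address

DEFAULT_HOSTS = "127.0.0.1\tlocalhost\n"

# Constructed sample built from the O1 lines in the first log above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
"""


def audit_hosts(text):
    """Classify every mapping as 'ok' (loopback -> localhost), 'block'
    (another name pinned to loopback) or 'redirect' (name -> remote address)."""
    rows = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not body:
            continue
        ip, *names = body.split()
        try:
            loopback = ip_address(ip).is_loopback
        except ValueError:
            rows.append((ip, " ".join(names), "malformed"))
            continue
        for name in names:
            if loopback and name.lower() == "localhost":
                kind = "ok"
            elif loopback:
                kind = "block"
            else:
                kind = "redirect"
            rows.append((ip, name, kind))
    return rows


def restore_hosts(text):
    """Return (default hosts content, list of mappings that were dropped)."""
    dropped = [row for row in audit_hosts(text) if row[2] != "ok"]
    return DEFAULT_HOSTS, dropped


MOVEFILE_REPLACE_EXISTING = 0x1
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4


def queue_for_reboot(target, dummy=None):
    """Ask Windows to delete `target` at the next boot or, if `dummy` is given,
    to move `dummy` over it.  MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT
    records the request under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session
    Manager (PendingFileRenameOperations); the session manager applies it
    early in boot, before Winlogon loads its notification DLLs.
    Needs administrator rights; Windows only."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = (wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD)
    k32.MoveFileExW.restype = wintypes.BOOL
    flags = MOVEFILE_DELAY_UNTIL_REBOOT | (MOVEFILE_REPLACE_EXISTING if dummy else 0)
    src, dst = (dummy, target) if dummy else (target, None)
    if not k32.MoveFileExW(src, dst, flags):
        raise ctypes.WinError(ctypes.get_last_error())


if __name__ == "__main__":
    content, dropped = restore_hosts(SAMPLE_HOSTS)
    for ip, name, kind in dropped:
        print(f"dropped {kind}: {name} -> {ip}")
    print(content, end="")
```

Queuing the rename instead of deleting directly is the whole point for the Winlogon notification DLL: it is mapped into winlogon.exe, so an ordinary delete fails with a sharing violation, while the pending-rename list is processed before that process exists.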
 

Registered · 13 Posts · Discussion Starter · #8
I did all that you said. My McAfee said it found a virus and recommends I run a full scan. Should I do it? I did not know if it would mess up what you are helping me with.

Also, now when I open a program it appears on the right side of the taskbar. How do I get it back to the left side?

Here are my new logs as requested.

thanks

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Minnaman\Desktop\Find It NT-2K-XP\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is E860-EF96

Directory of C:\WINDOWS\System32

01/13/2005 11:55 AM dllcache
01/13/2005 11:52 AM 224,936 lfk.dll
07/08/2002 12:53 AM Microsoft
1 File(s) 224,936 bytes
2 Dir(s) 87,214,067,712 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is E860-EF96

Directory of C:\WINDOWS\System32

01/13/2005 11:55 AM dllcache
07/05/2002 08:23 AM 488 logonui.exe.manifest
07/05/2002 08:23 AM 488 WindowsLogon.manifest
07/05/2002 08:22 AM 749 wuaucpl.cpl.manifest
07/05/2002 08:22 AM 749 cdplayer.exe.manifest
07/05/2002 08:22 AM 749 sapi.cpl.manifest
07/05/2002 08:22 AM 749 nwc.cpl.manifest
07/05/2002 08:22 AM 749 ncpa.cpl.manifest
7 File(s) 4,721 bytes
1 Dir(s) 87,214,067,712 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is E860-EF96

Directory of C:\WINDOWS\System32

01/17/2005 07:18 PM 56 guard.tmp
1 File(s) 56 bytes
0 Dir(s) 87,214,067,712 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is E860-EF96

Directory of C:\WINDOWS\System32

01/17/2005 07:18 PM 56 guard.tmp
09/10/2004 09:57 PM 0 OLD1167.tmp
09/10/2004 09:57 PM 0 OLD1166.tmp
09/10/2004 09:57 PM 0 OLD1165.tmp
09/10/2004 09:57 PM 0 OLD115F.tmp
09/10/2004 09:57 PM 0 OLD1159.tmp
08/29/2002 09:14 AM 110,592 SET1090.tmp
08/29/2002 09:14 AM 98,816 SET106E.tmp
08/29/2002 09:14 AM 91,136 SET1070.tmp
08/29/2002 09:14 AM 62,976 SET1074.tmp
08/29/2002 09:14 AM 1,026,048 SET1076.tmp
08/29/2002 09:14 AM 187,392 SET107E.tmp
08/29/2002 09:14 AM 351,232 SET1080.tmp
08/29/2002 09:14 AM 231,424 SET1086.tmp
08/29/2002 09:14 AM 30,720 SET108C.tmp
08/29/2002 09:14 AM 292,352 SET108E.tmp
08/29/2002 09:14 AM 585,728 SET10C7.tmp
08/29/2002 09:14 AM 574,976 SET1096.tmp
08/29/2002 09:14 AM 2,786,816 SET109C.tmp
08/29/2002 09:14 AM 1,350,656 SET109E.tmp
08/29/2002 09:14 AM 434,688 SET10A0.tmp
08/29/2002 09:14 AM 132,096 SET10A8.tmp
08/29/2002 09:14 AM 59,904 SET10AA.tmp
08/29/2002 09:14 AM 68,608 SET10B0.tmp
08/29/2002 09:14 AM 533,504 SET10B7.tmp
08/29/2002 09:14 AM 1,338,368 SET10B9.tmp
08/29/2002 09:14 AM 22,528 SET10BB.tmp
08/29/2002 09:14 AM 395,264 SET10BD.tmp
08/29/2002 09:14 AM 106,496 SET10C1.tmp
08/29/2002 09:14 AM 482,816 SET10C3.tmp
08/29/2002 09:14 AM 258,048 SET10C5.tmp
08/23/2001 07:00 AM 2,577 CONFIG.TMP
32 File(s) 11,615,817 bytes
0 Dir(s) 87,214,059,520 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{252F8E03-C879-4246-8565-FC91E794A4A2}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r08s0al7edq.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
lfk.dll Thu Jan 13 2005 11:52:28a ..S.R 224,936 219.66 K

1 item found: 1 file, 0 directories.
Total of file sizes: 224,936 bytes 219.66 K

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\kpfpuu.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"WFXSwtch"="C:\\PROGRA~1\\NORTON~1\\WinFax\\WFXSWTCH.exe"
"WinFaxAppPortStarter"="wfxsnt40.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"Lexmark X5100 Series"="\"C:\\Program Files\\Lexmark X5100 Series\\lxbabmgr.exe\""
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"SpyFighterMonitor"="\"C:\\Program Files\\SpyFighter\\SpyFighterScanner.exe\" monitor"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskDetct.exe /startup"
"Narrator"="C:\\WINDOWS\\System32\\voqoii.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



Logfile of HijackThis v1.99.0
Scan saved at 7:40:12 PM, on 1/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kpfpuu.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighterScanner.exe" monitor
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\System32\voqoii.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: kpfpuu.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4411/mcfscan.cab
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee SpamKiller Server - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
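The "Keys Under Notify" section of the Find.bat output above is the most security-relevant part of the log: each subkey of Winlogon\Notify names a DLL that winlogon.exe loads at every logon. As an added example (not part of the thread or of the Find It tool), this script parses such a REGEDIT4 export and reports every registered Notify DLL with a random-looking-name heuristic; the sample export is constructed from the values posted above.

```python
"""Triage the "Keys Under Notify" section of a Find.bat output file.

Each subkey of Winlogon\\Notify names a DLL that winlogon.exe loads at logon,
so a subkey pointing at an unfamiliar DLL in System32 (like the MCD entry in
the log above) is a persistence mechanism worth reviewing before deletion.
"""
import re

# Constructed sample modelled on the REGEDIT4 export posted in this thread.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r08s0al7edq.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
'''

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="string with \\ and \" escapes"   or   "Name"=dword:XXXXXXXX
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"((?:[^"\\]|\\.)*)"|dword:([0-9a-fA-F]{8}))$')


def parse_regedit4(text):
    """Return {key_path: {value_name: value}}; dwords become ints and
    strings are unescaped the way regedit wrote them."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys[current] = {}
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name, string, dword = val.groups()
            if dword is not None:
                keys[current][name] = int(dword, 16)
            else:
                keys[current][name] = re.sub(r"\\(.)", r"\1", string)
    return keys


def notify_dlls(keys):
    """(subkey, DllName) for every Notify subkey that registers a DLL."""
    prefix = NOTIFY_KEY.lower() + "\\"
    return [(path[len(prefix):], values["DllName"])
            for path, values in keys.items()
            if path.lower().startswith(prefix) and values.get("DllName")]


def digit_letter_transitions(filename):
    """Count switches between letter runs and digit runs in the file stem.
    Heuristic only: 'crypt32.dll' switches once, 'r08s0al7edq.dll' six times."""
    stem = filename.rsplit(".", 1)[0]
    classes = ["d" if c.isdigit() else "a" for c in stem if c.isalnum()]
    return sum(1 for x, y in zip(classes, classes[1:]) if x != y)


def looks_random(filename, threshold=3):
    return digit_letter_transitions(filename) >= threshold


def triage(export_text):
    """Report every registered Notify DLL with a random-name flag; an analyst
    still checks each file (vendor, signature) before acting on the flag."""
    findings = []
    for subkey, dll in notify_dlls(parse_regedit4(export_text)):
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1]
        findings.append({"subkey": subkey, "dll": dll,
                         "suspicious": looks_random(basename)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print("SUSPICIOUS" if f["suspicious"] else "review    ", f["subkey"], f["dll"])
```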
 

Administrator · 123,574 Posts
I will attach a new fix as a file has changed. Please hold off doing the McAfee scan until we're finished and we will fix any other problems at the end.

I will post back shortly.
 

Administrator · 123,574 Posts
I am attaching a fix2.zip file to this post. Download fix2.zip to your desktop and unzip it.

IMPORTANT!: Before you continue, close ALL running programs. Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access.

Double click on the fix2.reg file to enter into the registry. Answer yes when asked to have its contents added to the registry.

Because XP will not always show you hidden files and folders by default, go to Start - Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Run Pocket Killbox and click on Tools > Delete Temp Files and let it do its thing.

Double-click on Killbox.exe to run it. Now put a tick by Replace on Reboot. Under that also put a check in the box by Use Dummy. In the "Paste Full Path of File to Delete" box, copy and paste each of the following lines one at a time. After each one it will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\System32\guard.tmp
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\kpfpuu.exe
C:\WINDOWS\system32\r08s0al7edq.dll


Note: If KillBox tells you the file cannot be deleted, then put a tick by Delete on Reboot for that particular file and then click the button with the red circle and an X in the middle. It will ask for confirmation and if you want to reboot now. Click No then OK on the next prompt. It is also possible that it will tell you that one or more do not exist. Continue on as instructed if that happens.

Run the Hoster and click "Restore Original Hosts" and press "OK" then Exit the Hoster.

Next run VX2Finder and click the "Restore Policy" button.

Now restart your computer.

Finally, run Find.bat again. Let it run as you did before and it will produce another output.txt file. When it is finished, hit any key to close find.bat. When you close find.bat it will ask you if you want to save the changes to output.txt. Click Yes and post the contents of the new output.txt file here along with a new Hijack This log.

Again I remind you, it is very important that you do not restart your computer until we have proceeded to the directions for removal. If you restart your computer, the registry entry we need to remove will change, as will some of the file names, and we will have to start all over.
 

Registered · 13 Posts · Discussion Starter · #11
Here are my two logs as you requested. Thanks for all the help.

Logfile of HijackThis v1.99.0
Scan saved at 10:01:26 PM, on 1/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighterScanner.exe" monitor
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\System32\voqoii.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: kpfpuu.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: strings.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4411/mcfscan.cab
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee SpamKiller Server - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Minnaman\Desktop\Find It NT-2K-XP\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is E860-EF96

Directory of C:\WINDOWS\System32

01/13/2005 11:55 AM dllcache
01/13/2005 11:52 AM 224,936 lfk.dll
07/08/2002 12:53 AM Microsoft
1 File(s) 224,936 bytes
2 Dir(s) 87,214,305,280 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is E860-EF96

Directory of C:\WINDOWS\System32

01/13/2005 11:55 AM dllcache
07/05/2002 08:23 AM 488 logonui.exe.manifest
07/05/2002 08:23 AM 488 WindowsLogon.manifest
07/05/2002 08:22 AM 749 wuaucpl.cpl.manifest
07/05/2002 08:22 AM 749 cdplayer.exe.manifest
07/05/2002 08:22 AM 749 sapi.cpl.manifest
07/05/2002 08:22 AM 749 nwc.cpl.manifest
07/05/2002 08:22 AM 749 ncpa.cpl.manifest
7 File(s) 4,721 bytes
1 Dir(s) 87,214,305,280 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is E860-EF96

Directory of C:\WINDOWS\System32

01/17/2005 09:41 PM 56 guard.tmp
1 File(s) 56 bytes
0 Dir(s) 87,214,305,280 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is E860-EF96

Directory of C:\WINDOWS\System32

01/17/2005 09:41 PM 56 guard.tmp
09/10/2004 09:57 PM 0 OLD1167.tmp
09/10/2004 09:57 PM 0 OLD1166.tmp
09/10/2004 09:57 PM 0 OLD1165.tmp
09/10/2004 09:57 PM 0 OLD115F.tmp
09/10/2004 09:57 PM 0 OLD1159.tmp
08/29/2002 09:14 AM 110,592 SET1090.tmp
08/29/2002 09:14 AM 98,816 SET106E.tmp
08/29/2002 09:14 AM 91,136 SET1070.tmp
08/29/2002 09:14 AM 62,976 SET1074.tmp
08/29/2002 09:14 AM 1,026,048 SET1076.tmp
08/29/2002 09:14 AM 187,392 SET107E.tmp
08/29/2002 09:14 AM 351,232 SET1080.tmp
08/29/2002 09:14 AM 231,424 SET1086.tmp
08/29/2002 09:14 AM 30,720 SET108C.tmp
08/29/2002 09:14 AM 292,352 SET108E.tmp
08/29/2002 09:14 AM 585,728 SET10C7.tmp
08/29/2002 09:14 AM 574,976 SET1096.tmp
08/29/2002 09:14 AM 2,786,816 SET109C.tmp
08/29/2002 09:14 AM 1,350,656 SET109E.tmp
08/29/2002 09:14 AM 434,688 SET10A0.tmp
08/29/2002 09:14 AM 132,096 SET10A8.tmp
08/29/2002 09:14 AM 59,904 SET10AA.tmp
08/29/2002 09:14 AM 68,608 SET10B0.tmp
08/29/2002 09:14 AM 533,504 SET10B7.tmp
08/29/2002 09:14 AM 1,338,368 SET10B9.tmp
08/29/2002 09:14 AM 22,528 SET10BB.tmp
08/29/2002 09:14 AM 395,264 SET10BD.tmp
08/29/2002 09:14 AM 106,496 SET10C1.tmp
08/29/2002 09:14 AM 482,816 SET10C3.tmp
08/29/2002 09:14 AM 258,048 SET10C5.tmp
08/23/2001 07:00 AM 2,577 CONFIG.TMP
32 File(s) 11,615,817 bytes
0 Dir(s) 87,214,297,088 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
lfk.dll Thu Jan 13 2005 11:52:28a ..S.R 224,936 219.66 K

1 item found: 1 file, 0 directories.
Total of file sizes: 224,936 bytes 219.66 K

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"WFXSwtch"="C:\\PROGRA~1\\NORTON~1\\WinFax\\WFXSWTCH.exe"
"WinFaxAppPortStarter"="wfxsnt40.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"Lexmark X5100 Series"="\"C:\\Program Files\\Lexmark X5100 Series\\lxbabmgr.exe\""
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"SpyFighterMonitor"="\"C:\\Program Files\\SpyFighter\\SpyFighterScanner.exe\" monitor"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskDetct.exe /startup"
"Narrator"="C:\\WINDOWS\\System32\\voqoii.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


 

Administrator · 123,574 Posts
Double-click on Killbox.exe to run it. Now put a tick by Replace on Reboot. Under that also put a check in the box by Use Dummy. In the "Paste Full Path of File to Delete" box, copy and paste each of the following lines one at a time. After each one it will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\lfk.dll


Run Find.bat and post a new log from it.

Run Hijack This again and post a new log from it.

Next open Hijack This. Click on the "Config" button in the lower right corner. Now click on "Misc Tools" then under "Generate Startup List" put a check by "List also minor sections (full)" and "List empty sections (Complete)". Now click on the "Generate Startup List" button and copy and paste the contents of the list back here as well.

Click here: http://forums.techguy.org/attachment.php?attachmentid=45151 to download Runkey.zip. Unzip it and then double-click on RunKey.bat. It will produce a Both.txt file. Please copy and paste that here.

Click here: http://forums.techguy.org/attachment.php?attachmentid=44795 to download Silentrunners.zip.

Run the SilentRunners.vbs file. If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run.

When it is finished it will produce a Startup Programs text file. Copy and paste that text file here in your next reply.

Click here: http://forums.techguy.org/attachment.php?attachmentid=46218 to download track.zip. Unzip it to your desktop. Double-click on the track.vbs file and let it run. After it runs it will tell you to press any key to continue. Press any key and it will open a Look.txt file. Copy that and post it here as well. As I said with the last script you may get a warning. It is not malicious so you can allow it to run.

*Note: There will be more here than you can post in one reply so it will be easier to just copy all the logs to one notepad file and name it info.txt. Save the file to your desktop and then attach it to your next post.
 

Administrator · 123,574 Posts
Yes, you need to reboot and post a new log from findit.bat. We need to see if the guard.tmp file is gone, as Killbox was set to delete it on reboot.

Actually it would be better if you post an entire set of new logs just in case something has changed.
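Comparing successive logs is how the helper spots that "a file has changed" between posts. As an added example (not from the thread or from HijackThis), this script parses two HijackThis logs into sections, reports what was added or removed, and groups O1 hosts entries by target address so the search-hijack pattern seen earlier stands out; the two log excerpts are constructed from the logs posted in this thread.

```python
"""Diff two HijackThis logs and group hosts-file redirections by target.

Comparing successive scans is how a helper notices that "a file has changed"
between posts; the O1 check isolates the search-engine hijack seen above.
"""
import re
from collections import defaultdict

# Constructed excerpts modelled on the logs posted in this thread.
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kpfpuu.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\System32\voqoii.exe
O4 - Global Startup: kpfpuu.exe
"""
LOG_AFTER = r"""Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\System32\voqoii.exe
O4 - Global Startup: kpfpuu.exe
O4 - Global Startup: strings.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")   # e.g. "O4 - HKLM\..\Run: ..."
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)$")    # O1 entry body: "<ip> <hostname>"


def parse_hjt(text):
    """Split a log into {"processes": {...}, "O1": {...}, "O4": {...}, ...}."""
    sections = defaultdict(set)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                 # blank line ends the process list
                in_processes = False
            else:                        # Windows paths compare case-insensitively
                sections["processes"].add(line.lower())
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            sections[entry.group(1)].add(entry.group(2))
    return dict(sections)


def diff_hjt(before, after):
    """{section: (added, removed)} for every section whose entries changed."""
    changes = {}
    for section in sorted(set(before) | set(after)):
        old, new = before.get(section, set()), after.get(section, set())
        if old != new:
            changes[section] = (new - old, old - new)
    return changes


def hosts_redirects(sections):
    """Group O1 entries by target address, ignoring loopback. Several search
    hostnames mapped to one outside address is the hijack pattern in this thread."""
    by_ip = defaultdict(set)
    for entry in sections.get("O1", ()):
        m = HOSTS_RE.match(entry)
        if m and not m.group(1).startswith("127."):
            by_ip[m.group(1)].add(m.group(2))
    return dict(by_ip)


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    for section, (added, removed) in diff_hjt(before, after).items():
        for e in sorted(added):
            print(f"+ {section}: {e}")
        for e in sorted(removed):
            print(f"- {section}: {e}")
    for ip, names in hosts_redirects(before).items():
        print(f"hosts redirect to {ip}: {', '.join(sorted(names))}")
```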
 