Tech Support Guy forum thread (not open for further replies; 17 posts)

Post #1 (Discussion Starter)
about:blank, Bloodhound

Current problems: about:blank; unable to access internet / unable to locate server; PC's IP address is reported as 0.0.0.0; bloodhound.w32.ep.

Problem presented as smitfraud.b desktop & NAV identifying c:\windows\system32\wininet.dll as infected with Bloodhound.w32.ep

Lots of porn sites

Windows XP Home SP1
Norton 2004
Earthlink DSL; no firewall
Spybot & Ad-Aware, out of date for > 6 months.

Things I have done, attempting to fix the problem:
Installed Spybot 1.4; Ad-Aware SE [downloaded 6 June]; SpywareBlaster 3.4; SpywareGuard; HJT 1.99.1; CWShredder 2.15; About-Buster 5.0; Killbox 2.0.0.175; WinsockFix 1.1.0.13; LSPFix 1.0.0.0; Microsoft AntiSpyware installed, but unable to obtain latest updates [unable to access internet, as stated above].

Spybot & Ad-Aware [each with latest updates] found a number of offenders; all items were removed.

Replaced notepad.exe in C:\windows & C:\windows\system32 with copies from the dllcache.

About-Buster kept identifying c:\_default "random characters". The file is listed as _default.bat in Windows Explorer, but when I checked its properties, it is _default.pif. I moved the file to the desktop.

I've used Killbox to delete wininet.dll & snhlog.exe, but they keep coming back.

I've run HJT in normal mode & safe mode; CWS in normal & safe; About-Buster in normal & safe.

Most recent HJT scan [run in safe mode]:
+++++

Logfile of HijackThis v1.99.1
Scan saved at 7:23:47 PM, on 6/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\S3apphk.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\utilities_22_June_05\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

++++++

At present, I have transferred the hard disk drive to another computer; I'm at F-Secure, scanning. I tried to scan at RAV AntiVirus & Kaspersky; each site would only let me scan a single file. When I selected wininet.dll, the sites returned an error message that the scan failed. I couldn't find AVG's online scan; perhaps there isn't one.

Research:
http://forums.techguy.org/t266238.html
regarding bloodhound.w32.ep
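As an added example (not code from this thread, from HijackThis, or from any of the tools named in it), here is a small Python triage parser for the HijackThis 1.99.x log format posted above. It splits the log into the running-process list and the section-prefixed entries (R0/R1, O2, O3, O4, O16, O23 and so on), then flags the three things a responder looks at first in a log like this one: IE start/search values pointing at a remote host, BHO registrations with no backing file, and processes running from under C:\WINDOWS that are not on a small allowlist. The sample log lines are copied from the thread's log; the allowlist of core Windows binaries is an assumption for the demo, so anything it lists is "for review", not "malicious".

```python
# Added example, not HijackThis's own code: triage parser for an HJT 1.99.x log.
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: a handful of lines copied from the posted log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")   # "R1 - ...", "O23 - ..."
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")             # a process line is a bare path

# Assumption for the demo: a tiny allowlist of core binaries expected under
# C:\WINDOWS. Anything else found running from there is listed for review.
KNOWN_WINDOWS_BINARIES = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "explorer.exe",
}


def parse_hjt(text):
    """Split a log into (running processes, {section: [entry body, ...]})."""
    processes, entries = [], defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries[m.group(1)].append(m.group(2))
        elif in_processes and DRIVE_PATH_RE.match(line):
            processes.append(line)
    return processes, dict(entries)


def flag_ie_hijack(entries):
    """R0/R1 start/search values that point at a remote host instead of
    about:blank or a local page: the classic browser-hijacker signature."""
    hits = []
    for section in ("R0", "R1"):
        for body in entries.get(section, []):
            key, _, value = body.partition(" = ")
            value = value.strip()
            if value.startswith(("http://", "https://")):
                hits.append((section, key, urlsplit(value).hostname))
    return hits


def flag_orphan_bhos(entries):
    """O2 BHO registrations whose DLL is missing: leftover or hidden component."""
    return [b for b in entries.get("O2", []) if b.endswith("(no file)")]


def flag_unknown_windows_processes(processes):
    """Processes running from under C:\\WINDOWS that are not on the allowlist."""
    out = []
    for path in processes:
        low = path.lower()
        if low.startswith("c:\\windows\\") and low.rsplit("\\", 1)[1] not in KNOWN_WINDOWS_BINARIES:
            out.append(path)
    return out


def triage(text):
    """Run all three checks and return the findings keyed by check name."""
    processes, entries = parse_hjt(text)
    return {
        "ie_hijack": flag_ie_hijack(entries),
        "orphan_bhos": flag_orphan_bhos(entries),
        "unknown_windows_processes": flag_unknown_windows_processes(processes),
    }


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOG).items():
        print(f"{name}:")
        for finding in findings:
            print("   ", finding)
```

On the sample above the script reports both oneclicksearches.com entries, the orphan BHO, and shnlog.exe and intmon.exe as processes under C:\WINDOWS that are not in the allowlist; the two processes are exactly the ones the log's author could not keep deleted. Feeding it the full posted log additionally surfaces S3apphk.exe, hkcmd.exe and HPZipm12.exe, which are vendor binaries and illustrate why the allowlist output is a review queue rather than a verdict.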
 

Post #2 (Discussion Starter)
++++

About-Buster log [appended by About-Buster]

*******
AboutBuster 5.0 reference file 30
Scan started on [6/22/2005] at [4:02:03 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\002352_.tmp:gtmvcr
Removed Stream! C:\WINDOWS\002352_.tmp:yrbcfe
Removed Stream! C:\WINDOWS\aerro.log:baluoc
Removed Stream! C:\WINDOWS\anxar.log:tbvijf
Removed Stream! C:\WINDOWS\anxar.log:xuptww
Removed Stream! C:\WINDOWS\aucfg.ini:ytwbec
Removed Stream! C:\WINDOWS\AuHCcup1.ini:cnayox
Removed Stream! C:\WINDOWS\AuHCcup1.ini:iqbzlu
Removed Stream! C:\WINDOWS\AuthMgr.INI:qvhgqh
Removed Stream! C:\WINDOWS\azjky.log:ttxswb
Removed Stream! C:\WINDOWS\Belt.ini:rupoze
Removed Stream! C:\WINDOWS\bfoes.txt:rzipwq
Removed Stream! C:\WINDOWS\bfoes.txt:vokmii
Removed Stream! C:\WINDOWS\bfoes.txt:ygmjyq
Removed Stream! C:\WINDOWS\bootstat.dat:cabuys
Removed Stream! C:\WINDOWS\bootstat.dat:inalsj
Removed Stream! C:\WINDOWS\bootstat.dat:npdrkk
Removed Stream! C:\WINDOWS\bootstat.dat:rcuwfj
Removed Stream! C:\WINDOWS\bqmcp.txt:enalso
Removed Stream! C:\WINDOWS\braks.dat:iipcuc
Removed Stream! C:\WINDOWS\braks.dat:tkmshg
Removed Stream! C:\WINDOWS\bsx32.ini:gpvwev
Removed Stream! C:\WINDOWS\bsx32.ini:kcvkzo
Removed Stream! C:\WINDOWS\bvqlh.txt:lkfxbr
Removed Stream! C:\WINDOWS\bvqlh.txt:wotquz
Removed Stream! C:\WINDOWS\bysites.dat:ubtatd
Removed Stream! C:\WINDOWS\cdqeb.txt:coszvz
Removed Stream! C:\WINDOWS\cdqeb.txt:eccfpy
Removed Stream! C:\WINDOWS\cdqeb.txt:ljavqp
Removed Stream! C:\WINDOWS\clock.avi:nrjowx
Removed Stream! C:\WINDOWS\Coffee Bean.bmp:nbefvn
Removed Stream! C:\WINDOWS\COM+.log:cdfpbe
Removed Stream! C:\WINDOWS\COM+.log:iwfevv
Removed Stream! C:\WINDOWS\comsetup.log:fsctzh
Removed Stream! C:\WINDOWS\cqzjl.txt:lsgdpz
Removed Stream! C:\WINDOWS\cxaze.log:oaxmsf
Removed Stream! C:\WINDOWS\cyqqx.log:elyisk
Removed Stream! C:\WINDOWS\dahotfix.log:aerror
Removed Stream! C:\WINDOWS\dahotfix.log:uepueh
Removed Stream! C:\WINDOWS\dajqb.log:sxqihx
Removed Stream! C:\WINDOWS\dcfix.txt:lyboci
Removed Stream! C:\WINDOWS\ddbhy.txt:korrhm
Removed Stream! C:\WINDOWS\desktop.ini:cdhnhb
Removed Stream! C:\WINDOWS\desktop.ini:neriql
Removed Stream! C:\WINDOWS\desktop.ini:pmbtow
Removed Stream! C:\WINDOWS\Digital Signature 20040507.htm:dyutws
Removed Stream! C:\WINDOWS\Digital Signature 20040507.htm:nfizyr
Removed Stream! C:\WINDOWS\Digital Signature 20040507.htm:qtfmvu
Removed Stream! C:\WINDOWS\Digital Signature 20040507.htm:tfkxit
Removed Stream! C:\WINDOWS\dlvqg.txt:dpkwbw
Removed Stream! C:\WINDOWS\doalo.dat:lppbih
Removed Stream! C:\WINDOWS\doalo.dat:udstbm
Removed Stream! C:\WINDOWS\DtcInstall.log:wzmgyc
Removed Stream! C:\WINDOWS\duyci.txt:anflkj
Removed Stream! C:\WINDOWS\dxjny.txt:buxrpe
Removed Stream! C:\WINDOWS\dxjny.txt:lfccle
Removed Stream! C:\WINDOWS\ebscj.log:fkdxwn
Removed Stream! C:\WINDOWS\eelyn.dat:nekgvo
Removed Stream! C:\WINDOWS\efkbb.txt:allykw
Removed Stream! C:\WINDOWS\efkbb.txt:rsjfog
Removed Stream! C:\WINDOWS\emigg.log:ykwcqp
Removed Stream! C:\WINDOWS\encyb.log:ffdlxy
Removed Stream! C:\WINDOWS\ERegClnt.INI:egnpfo
Removed Stream! C:\WINDOWS\ERegClnt.INI:gwuszl
Removed Stream! C:\WINDOWS\ERegClnt.INI:njryoe
Removed Stream! C:\WINDOWS\ERegClnt.INI:rbfroc
Removed Stream! C:\WINDOWS\etbca.dat:qlghta
Removed Stream! C:\WINDOWS\ewjqn.dat:cmuxlb
Removed Stream! C:\WINDOWS\fbljm.txt:ieznnk
Removed Stream! C:\WINDOWS\fbljm.txt:nnfdne
Removed Stream! C:\WINDOWS\fbljm.txt:zxnfbv
Removed Stream! C:\WINDOWS\FeatherTexture.bmp:fkcljp
Removed Stream! C:\WINDOWS\fmhid.txt:kchlwx
Removed Stream! C:\WINDOWS\fmhid.txt:lcxcfd
Removed Stream! C:\WINDOWS\fsctz.dat:vrobup
Removed Stream! C:\WINDOWS\GatorPdpSetup.log:cyqqxi
Removed Stream! C:\WINDOWS\GatorUninstaller_cme.log:veqdjn
Removed Stream! C:\WINDOWS\GatorUninstaller_cme_u.log:afmysb
Removed Stream! C:\WINDOWS\GetServer.ini:urivrt
Removed Stream! C:\WINDOWS\ggrow.dat:cibifq
Removed Stream! C:\WINDOWS\ggrow.dat:jtrppj
Removed Stream! C:\WINDOWS\Gone Fishing.bmp:zxkuve
Removed Stream! C:\WINDOWS\gqjau.dat:vlrxrz
Removed Stream! C:\WINDOWS\Greenstone.bmp:fguoga
Removed Stream! C:\WINDOWS\Greenstone.bmp:qlnwfb
Removed Stream! C:\WINDOWS\Greenstone.bmp:ujmnzt
Removed Stream! C:\WINDOWS\hdcat.txt:sydhpo
Removed Stream! C:\WINDOWS\hgifp.txt:mkesbd
Removed Stream! C:\WINDOWS\hgifp.txt:qhmbak
Removed Stream! C:\WINDOWS\hgifp.txt:thwwhr
Removed Stream! C:\WINDOWS\hhbbo.log:ggrowm
Removed Stream! C:\WINDOWS\hhbbo.log:kzvmsr
Removed Stream! C:\WINDOWS\hicay.dat:dipkjb
Removed Stream! C:\WINDOWS\hphinfs.dat:eflteq
Removed Stream! C:\WINDOWS\HPOCSS05.INI:flxgvn
Removed Stream! C:\WINDOWS\HPOCSS05.INI:vvnvky
Removed Stream! C:\WINDOWS\HPODJC05.INI:syoymx
Removed Stream! C:\WINDOWS\hpoins03.dat.temp:hsaebl
Removed Stream! C:\WINDOWS\hpomdl03.dat:rhugsz
Removed Stream! C:\WINDOWS\HPOTBX05.INI:gwqngl
Removed Stream! C:\WINDOWS\hzars.log:zbkddf
Removed Stream! C:\WINDOWS\IE4 Error Log.txt:kimmvj
Removed Stream! C:\WINDOWS\IE4 Error Log.txt:otbszs
Removed Stream! C:\WINDOWS\ilqws.dat:ypitjv
Removed Stream! C:\WINDOWS\imsins.BAK:gmuxbu
Removed Stream! C:\WINDOWS\imsins.BAK:kcdixp
Removed Stream! C:\WINDOWS\ineux.log:hicayo
Removed Stream! C:\WINDOWS\itenp.dat:jqbgdx
Removed Stream! C:\WINDOWS\ivtjp.log:vbpxfw
Removed Stream! C:\WINDOWS\iyqxb.dat:larkya
Removed Stream! C:\WINDOWS\jautoexp.dat:rnxqyp
Removed Stream! C:\WINDOWS\jgsbl.dat:koqvsr
Removed Stream! C:\WINDOWS\jgsbl.dat:skfsub
Removed Stream! C:\WINDOWS\jmrys.log:yvlvvt
Removed Stream! C:\WINDOWS\jyqlm.log:dgwfml
Removed Stream! C:\WINDOWS\jzhkg.log:hxfnmc
Removed Stream! C:\WINDOWS\jzhkg.log:lkyypl
Removed Stream! C:\WINDOWS\jzhkg.log:vcvunv
Removed Stream! C:\WINDOWS\kaebl.log:iwwbpd
Removed Stream! C:\WINDOWS\kaebl.log:qzbzla
Removed Stream! C:\WINDOWS\kaqpn.dat:axyaom
Removed Stream! C:\WINDOWS\KB823182.log:batenk
Removed Stream! C:\WINDOWS\KB823980.log:gossqf
Removed Stream! C:\WINDOWS\KB824105.log:mbuulg
Removed Stream! C:\WINDOWS\KB824105.log:syifiw
Removed Stream! C:\WINDOWS\KB824141.log:dlqdrv
Removed Stream! C:\WINDOWS\KB824141.log:tbmshn
Removed Stream! C:\WINDOWS\KB824141.log:xmonkg
Removed Stream! C:\WINDOWS\KB825119.log:ihsart
Removed Stream! C:\WINDOWS\KB826939.log:fcninr
Removed Stream! C:\WINDOWS\KB828035.log:dzblkz
Removed Stream! C:\WINDOWS\KB828035.log:epzdmo
Removed Stream! C:\WINDOWS\KB828035.log:mcwxjx
Removed Stream! C:\WINDOWS\KB828035.log:pmhbei
Removed Stream! C:\WINDOWS\KB828741.log:rtisvb
Removed Stream! C:\WINDOWS\KB835732.log:aestgv
Removed Stream! C:\WINDOWS\KB835732.log:pdfnhb
Removed Stream! C:\WINDOWS\KB837001.log:insgzt
Removed Stream! C:\WINDOWS\KB840374.log:pqrior
Removed Stream! C:\WINDOWS\kffvs.txt:hqcwjb
Removed Stream! C:\WINDOWS\kjlcy.log:zrvblm
Removed Stream! C:\WINDOWS\knhqd.txt:wlpwge
Removed Stream! C:\WINDOWS\kwnsm.log:aoklbd
Removed Stream! C:\WINDOWS\lbmuv.log:hfagcr
Removed Stream! C:\WINDOWS\lejrh.dat:jdzykl
Removed Stream! C:\WINDOWS\lfjdh.txt:ktflne
Removed Stream! C:\WINDOWS\lpiso.log:tfczaf
Removed Stream! C:\WINDOWS\LPT$VPN.891:cerdmv
Removed Stream! C:\WINDOWS\LPT$VPN.891:sgdzym
Removed Stream! C:\WINDOWS\LPT$VPN.891:unzwny
Removed Stream! C:\WINDOWS\LPT$VPN.891:uuldso
Removed Stream! C:\WINDOWS\LUINSTALL.LOG:idqsje
Removed Stream! C:\WINDOWS\lwfat.txt:mfkjhy
Removed Stream! C:\WINDOWS\mbchl.dat:mojbhj
Removed Stream! C:\WINDOWS\mcdzw.txt:vuidkr
Removed Stream! C:\WINDOWS\ModemLog_Lucent Win Modem.txt:fpcgjt
Removed Stream! C:\WINDOWS\ModemLog_Lucent Win Modem.txt:mveqmz
Removed Stream! C:\WINDOWS\mogcz.txt:nvbjeb
Removed Stream! C:\WINDOWS\msdfmap.ini:dgvevq
Removed Stream! C:\WINDOWS\nhpue.txt:fologm
Removed Stream! C:\WINDOWS\nstqi.txt:pqfzgg
Removed Stream! C:\WINDOWS\ntdtcsetup.log:jcdxxo
Removed Stream! C:\WINDOWS\n_delrbb.log:yhvcap
Removed Stream! C:\WINDOWS\n_hzkxeu.txt:rhoicr
Removed Stream! C:\WINDOWS\n_mzohuo.log:jihnwb
Removed Stream! C:\WINDOWS\ocgen.log:bdwdrz
Removed Stream! C:\WINDOWS\ocmsn.log:xfxori
Removed Stream! C:\WINDOWS\ODBCINST.INI:ozyxrc
Removed Stream! C:\WINDOWS\OEWABLog.txt:megilj
Removed Stream! C:\WINDOWS\ondhu.log:hgsytu
Removed Stream! C:\WINDOWS\orun32.isu:efznol
Removed Stream! C:\WINDOWS\oufxe.dat:zhldwe
Removed Stream! C:\WINDOWS\ozfoa.txt:hishza
Removed Stream! C:\WINDOWS\pavsig.txt:siviqh
Removed Stream! C:\WINDOWS\pmbto.dat:scwavv
Removed Stream! C:\WINDOWS\pqgsp.dat:kjowkr
Removed Stream! C:\WINDOWS\Prairie Wind.bmp:ivnsia
Removed Stream! C:\WINDOWS\Q308387.log:ddhlri
Removed Stream! C:\WINDOWS\Q308387.log:vrwhov
Removed Stream! C:\WINDOWS\Q309521.log:nspnqf
Removed Stream! C:\WINDOWS\Q309691.log:sjelkm
Removed Stream! C:\WINDOWS\Q311889.log:fszskq
Removed Stream! C:\WINDOWS\Q311889.log:nciavy
Removed Stream! C:\WINDOWS\Q819696.log:lmldvz
Removed Stream! C:\WINDOWS\Q828026.log:ylsfms
Removed Stream! C:\WINDOWS\qgzen.log:qjmwim
Removed Stream! C:\WINDOWS\qgzen.log:vkpehz
Removed Stream! C:\WINDOWS\rcuwf.log:cghfni
Removed Stream! C:\WINDOWS\rcuwf.log:hiicfi
Removed Stream! C:\WINDOWS\REGLOCS.OLD:jkfbco
Removed Stream! C:\WINDOWS\regopt.log:gespdu
Removed Stream! C:\WINDOWS\Rhododendron.bmp:blpofz
Removed Stream! C:\WINDOWS\rkmof.dat:zsxtrf
Removed Stream! C:\WINDOWS\rmbsn.dat:ielkzi
Removed Stream! C:\WINDOWS\SchedLgU.Txt:mcdzwm
Removed Stream! C:\WINDOWS\SchedLgU.Txt:tgwdvd
Removed Stream! C:\WINDOWS\sessmgr.setup.log:sqoabo
Removed Stream! C:\WINDOWS\setupact.log:hzgovj
Removed Stream! C:\WINDOWS\setupapi.log:fcwnyx
Removed Stream! C:\WINDOWS\setuperr.log:kqggdy
Removed Stream! C:\WINDOWS\setuplog.txt:aaytpu
Removed Stream! C:\WINDOWS\shkuh.dat:wehsss
Removed Stream! C:\WINDOWS\sjonx.txt:irersi
Removed Stream! C:\WINDOWS\skfdg.dat:twiqxe
Removed Stream! C:\WINDOWS\smscfg.ini:vrrtyj
Removed Stream! C:\WINDOWS\Soap Bubbles.bmp:ktjysw
Removed Stream! C:\WINDOWS\Sti_Trace.log:asxwuk
Removed Stream! C:\WINDOWS\svcpack.log:nyjqkh
Removed Stream! C:\WINDOWS\svcpack.log:pwzxvj
Removed Stream! C:\WINDOWS\SYMEVENT.LOG:ttpbpv
Removed Stream! C:\WINDOWS\syyxe.dat:wzeovb
Removed Stream! C:\WINDOWS\T30DebugLogFile.txt:iwrlpu
Removed Stream! C:\WINDOWS\T30DebugLogFile.txt:luiprf
Removed Stream! C:\WINDOWS\tfkxi.log:grcver
Removed Stream! C:\WINDOWS\tfkxi.log:ozxtqe
Removed Stream! C:\WINDOWS\TSC.ini:thqkqm
Removed Stream! C:\WINDOWS\TSC.ini:ysmbgb
Removed Stream! C:\WINDOWS\tsc.ptn:vzpbev
Removed Stream! C:\WINDOWS\TWAIN.LOG:kupiza
Removed Stream! C:\WINDOWS\TWAIN.LOG:oahgyx
Removed Stream! C:\WINDOWS\Twain001.Mtx:xsepev
Removed Stream! C:\WINDOWS\ubhnp.dat:eitdmh
Removed Stream! C:\WINDOWS\ubhnp.dat:zadjcm
Removed Stream! C:\WINDOWS\udxvy.txt:gbatai
Removed Stream! C:\WINDOWS\udxvy.txt:jtxtvo
Removed Stream! C:\WINDOWS\uhdmh.dat:wjmioj
Removed Stream! C:\WINDOWS\umjsh.log:kbguzy
Removed Stream! C:\WINDOWS\umjsh.log:ytlzus
Removed Stream! C:\WINDOWS\unfns.dat:hkeniu
Removed Stream! C:\WINDOWS\updatemgr.INI:cvhouc
Removed Stream! C:\WINDOWS\urbvi.dat:cuyzbj
Removed Stream! C:\WINDOWS\urbvi.dat:ijbvxs
Removed Stream! C:\WINDOWS\vayyp.dat:vurnvt
Removed Stream! C:\WINDOWS\vb.ini:johnth
Removed Stream! C:\WINDOWS\vedgw.dat:cpasvs
Removed Stream! C:\WINDOWS\vedgw.dat:vvstwn
Removed Stream! C:\WINDOWS\vowqe.log:upsxpc
Removed Stream! C:\WINDOWS\VPTNFILE.891:nwlgqx
Removed Stream! C:\WINDOWS\wfezb.txt:xrwqmp
Removed Stream! C:\WINDOWS\WMSysPr9.prx:mddqgw
Removed Stream! C:\WINDOWS\xmiqp.dat:ywfkia
Removed Stream! C:\WINDOWS\ybafb.dat:qncbpv
Removed Stream! C:\WINDOWS\ybmoe.dat:ecofhi
Removed Stream! C:\WINDOWS\yflcx.log:uecfwf
Removed Stream! C:\WINDOWS\ygywg.log:bybiyx
Removed Stream! C:\WINDOWS\yhqur.log:rnyapm
Removed Stream! C:\WINDOWS\yrwrk.txt:tztnai
Removed Stream! C:\WINDOWS\yspnt.dat:jorfrx
Removed Stream! C:\WINDOWS\zddnc.txt:iwtcsg
Removed Stream! C:\WINDOWS\zgqse.dat:cpcllz
Removed Stream! C:\WINDOWS\zgqse.dat:ygydmc
Removed Stream! C:\WINDOWS\zleix.log:qhqjpe
Removed Stream! C:\WINDOWS\zxnfb.log:uquygj
Removed Stream! C:\WINDOWS\_default.pif:aamibp
Removed Stream! C:\WINDOWS\_default.pif:acsgxv
Removed Stream! C:\WINDOWS\_default.pif:adccup
Removed Stream! C:\WINDOWS\_default.pif:adpebv
Removed Stream! C:\WINDOWS\_default.pif:akrqdt
Removed Stream! C:\WINDOWS\_default.pif:alczuv
Removed Stream! C:\WINDOWS\_default.pif:aqxyco
Removed Stream! C:\WINDOWS\_default.pif:atvlqs
Removed Stream! C:\WINDOWS\_default.pif:awoqzd
Removed Stream! C:\WINDOWS\_default.pif:azkmve

******

more in next post

B123
 

Post #3 (Discussion Starter)
------------------------------------------------
Removed File! : C:\Windows\abtqp.dll
Removed File! : C:\Windows\addqp.exe
Removed File! : C:\Windows\addxd.exe
Removed File! : C:\Windows\addzr.exe
Removed File! : C:\Windows\afbxm.dll
Removed File! : C:\Windows\amibp.dll
Removed File! : C:\Windows\apilu32.exe
Removed File! : C:\Windows\appad32.exe
Removed File! : C:\Windows\appzo.exe
Removed File! : C:\Windows\arsia.dat
Removed File! : C:\Windows\asskx.dll
Removed File! : C:\Windows\bbaiy.dll
Removed File! : C:\Windows\bnxum.dll
Removed File! : C:\Windows\bvhji.dll
Removed File! : C:\Windows\bwizh.dat
Removed File! : C:\Windows\bxlme.dll
Removed File! : C:\Windows\cfdrn.dat
Removed File! : C:\Windows\clhez.dll
Removed File! : C:\Windows\cmyvy.dll
Removed File! : C:\Windows\cntnh.dll
Removed File! : C:\Windows\cupqh.dat
Removed File! : C:\Windows\czkxu.dll
Removed File! : C:\Windows\d3ui32.exe
Removed File! : C:\Windows\d3zq32.exe
Removed File! : C:\Windows\dblde.dat
Removed File! : C:\Windows\debou.dat
Removed File! : C:\Windows\dfpbe.dll
Removed File! : C:\Windows\disls.dll
Removed File! : C:\Windows\dmczj.dat
Removed File! : C:\Windows\doalo.dat
Removed File! : C:\Windows\drjii.dll
Removed File! : C:\Windows\dszti.dat
Removed File! : C:\Windows\dvwhy.dll
Removed File! : C:\Windows\dwdrz.dll
Removed File! : C:\Windows\eecdn.dat
Removed File! : C:\Windows\eivmg.dll
Removed File! : C:\Windows\eladg.dat
Removed File! : C:\Windows\emycd.dat
Removed File! : C:\Windows\epyab.dll
Removed File! : C:\Windows\eqzfp.dll
Removed File! : C:\Windows\etbca.dat
Removed File! : C:\Windows\ewjqn.dat
Removed File! : C:\Windows\eydfv.dll
Removed File! : C:\Windows\fcxut.dll
Removed File! : C:\Windows\fjong.dll
Removed File! : C:\Windows\fkjhy.dll
Removed File! : C:\Windows\fmkoy.dll
Removed File! : C:\Windows\fmywh.dll
Removed File! : C:\Windows\foxip.dat
Removed File! : C:\Windows\fqtpl.dll
Removed File! : C:\Windows\frexx.dat
Removed File! : C:\Windows\fsctz.dat
Removed File! : C:\Windows\fvhrh.dll
Removed File! : C:\Windows\fxjfc.dll
Removed File! : C:\Windows\fzdsg.dll
Removed File! : C:\Windows\gbqza.dll
Removed File! : C:\Windows\ggrow.dat
Removed File! : C:\Windows\gieof.dat
Removed File! : C:\Windows\gnpfo.dll
Removed File! : C:\Windows\gqjau.dat
Removed File! : C:\Windows\hicay.dat
Removed File! : C:\Windows\hklvv.dat
Removed File! : C:\Windows\hkxjw.dll
Removed File! : C:\Windows\hmdmu.dll
Removed File! : C:\Windows\hugsz.dll
Removed File! : C:\Windows\iddef.dll
Removed File! : C:\Windows\iihdh.dll
Removed File! : C:\Windows\ilqws.dat
Removed File! : C:\Windows\ipchx.dll
Removed File! : C:\Windows\itenp.dat
Removed File! : C:\Windows\iuufv.dll
Removed File! : C:\Windows\ivlqv.dat
Removed File! : C:\Windows\iwhhm.dll
Removed File! : C:\Windows\iyqxb.dat
Removed File! : C:\Windows\javajw.exe
Removed File! : C:\Windows\javayx.exe
Removed File! : C:\Windows\jcduk.dll
Removed File! : C:\Windows\jdesa.dat
Removed File! : C:\Windows\jfsxf.dll
Removed File! : C:\Windows\jgsbl.dat
Removed File! : C:\Windows\jhwgr.dat
Removed File! : C:\Windows\jvvjm.dll
Removed File! : C:\Windows\jxmlk.dll
Removed File! : C:\Windows\kaijn.dat
Removed File! : C:\Windows\kaqpn.dat
Removed File! : C:\Windows\kfsub.dll
Removed File! : C:\Windows\kgmfo.dat
Removed File! : C:\Windows\kjwku.dat
Removed File! : C:\Windows\klasa.dll
Removed File! : C:\Windows\kyezq.dat
Removed File! : C:\Windows\lclmi.dat
Removed File! : C:\Windows\lejrh.dat
Removed File! : C:\Windows\ltnqz.dll
Removed File! : C:\Windows\lxzbb.dll
Removed File! : C:\Windows\mbchl.dat
Removed File! : C:\Windows\mfclq32.exe
Removed File! : C:\Windows\mhsix.dat
Removed File! : C:\Windows\mljur.dll
Removed File! : C:\Windows\msboe.dat
Removed File! : C:\Windows\mscr32.exe
Removed File! : C:\Windows\msia32.exe
Removed File! : C:\Windows\msoav.dll
Removed File! : C:\Windows\msrp.exe
Removed File! : C:\Windows\msya.exe
Removed File! : C:\Windows\mvelf.dll
Removed File! : C:\Windows\mwjnd.dat
Removed File! : C:\Windows\naocs.dll
Removed File! : C:\Windows\nbzas.dat
Removed File! : C:\Windows\ncbyw.dll
Removed File! : C:\Windows\netbj32.exe
Removed File! : C:\Windows\nggcj.dat
Removed File! : C:\Windows\nlajb.dat
Removed File! : C:\Windows\ntbl32.exe
Removed File! : C:\Windows\nyapm.dll
Removed File! : C:\Windows\ocwyq.dat
Removed File! : C:\Windows\odjxv.dat
Removed File! : C:\Windows\oeogx.dll
Removed File! : C:\Windows\olbrl.dll
Removed File! : C:\Windows\ompsg.dll
Removed File! : C:\Windows\omurh.dll
Removed File! : C:\Windows\orxcv.dat
Removed File! : C:\Windows\oufxe.dat
Removed File! : C:\Windows\oykfl.dll
Removed File! : C:\Windows\ozmux.dat
Removed File! : C:\Windows\ozwnu.dat
Removed File! : C:\Windows\pfmly.dat
Removed File! : C:\Windows\piulk.dat
Removed File! : C:\Windows\plgrs.dll
Removed File! : C:\Windows\pljzr.dll
Removed File! : C:\Windows\pmbto.dat
Removed File! : C:\Windows\pqjuw.dat
Removed File! : C:\Windows\psrau.dat
Removed File! : C:\Windows\pxyul.dll
Removed File! : C:\Windows\pyiyp.dll
Removed File! : C:\Windows\qhiae.dll
Removed File! : C:\Windows\qhmwj.dll
Removed File! : C:\Windows\qijbg.dll
Removed File! : C:\Windows\qitwu.dll
Removed File! : C:\Windows\qltix.dll
Removed File! : C:\Windows\qnlur.dat
Removed File! : C:\Windows\qvjed.dll
Removed File! : C:\Windows\rgmwx.dat
Removed File! : C:\Windows\rhsos.dat
Removed File! : C:\Windows\rinla.dll
Removed File! : C:\Windows\rjfbb.dat
Removed File! : C:\Windows\rkmof.dat
Removed File! : C:\Windows\rmbsn.dat
Removed File! : C:\Windows\rpqcf.dat
Removed File! : C:\Windows\rvmwo.dll
Removed File! : C:\Windows\sdkmt.exe
Removed File! : C:\Windows\sdkvj.exe
Removed File! : C:\Windows\shkuh.dat
Removed File! : C:\Windows\sjaqw.dll
Removed File! : C:\Windows\skfdg.dat
Removed File! : C:\Windows\smbgb.dll
Removed File! : C:\Windows\sphty.dll
Removed File! : C:\Windows\stosw.dat
Removed File! : C:\Windows\svhca.dll
Removed File! : C:\Windows\sysgh.exe
Removed File! : C:\Windows\sysja32.exe
Removed File! : C:\Windows\tausa.dat
Removed File! : C:\Windows\tipjn.dat
Removed File! : C:\Windows\tisvb.dll
Removed File! : C:\Windows\txfwo.dll
Removed File! : C:\Windows\uajdx.dat
Removed File! : C:\Windows\ubhnp.dat
Removed File! : C:\Windows\uhdmh.dat
Removed File! : C:\Windows\ukbyp.dat
Removed File! : C:\Windows\umquh.dat
Removed File! : C:\Windows\unfns.dat
Removed File! : C:\Windows\upoze.dll
Removed File! : C:\Windows\uqvrv.dll
Removed File! : C:\Windows\urbvi.dat
Removed File! : C:\Windows\utzur.dat
Removed File! : C:\Windows\uuror.dll
Removed File! : C:\Windows\uxtzp.dll
Removed File! : C:\Windows\uynyz.dll
Removed File! : C:\Windows\vayyp.dat
Removed File! : C:\Windows\vctaj.dat
Removed File! : C:\Windows\vdbrr.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 4:06:20 PM

&&&&&&&&&&&&&&&&&&&&

AboutBuster 5.0 reference file 30
Scan started on [6/22/2005] at [4:06:49 PM]
------------------------------------------------
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 4:07:42 PM

AboutBuster 5.0 reference file 30
Scan started on [6/22/2005] at [4:07:57 PM]
------------------------------------------------
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 4:08:47 PM

AboutBuster 5.0 reference file 30
Scan started on [6/22/2005] at [7:48:34 PM]
------------------------------------------------
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:49:48 PM

AboutBuster 5.0 reference file 30
Scan started on [6/22/2005] at [7:50:59 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:fjvkha
Removed Stream! C:\WINDOWS\_default.pif:fqoiyl
Removed Stream! C:\WINDOWS\_default.pif:ftwakh
Removed Stream! C:\WINDOWS\_default.pif:fzckbp
Removed Stream! C:\WINDOWS\_default.pif:gcumvv
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:51:45 PM

>>>>>>>>>>
at this point, I moved _default.bat to the desktop

AboutBuster 5.0 reference file 30
Scan started on [6/22/2005] at [7:52:08 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:gdyyzk
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:52:49 PM

No Files Found!
------------------------------------------------
Scan was ABORTED at 8:10:47 PM

AboutBuster 5.0 reference file 30
Scan started on [6/22/2005] at [8:37:00 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 8:38:10 PM

AboutBuster 5.0 reference file 30
Scan started on [6/22/2005] at [10:13:00 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:14:06 PM

*******

Thanks for your help.

B123
 

Administrator · 123,556 Posts
Please read these instructions carefully and copy them to notepad then save the notepad file to your desktop so you can refer to them. Be sure to follow ALL instructions!

Go here: http://www.filehippo.com/download_ccleaner.html to download and install CCleaner but do NOT use it yet. You will use it later in safe mode.

Go here: http://www.thespykiller.co.uk/files/killbox.exe and download the Killbox and save it to your desktop.

Go here: http://attachments.techguy.org/attachment.php?attachmentid=57951 and download smitfraudfix.zip file. Unzip it to your desktop and have it ready to run later.

Click here to see how to boot into safe mode as you will need to do this later:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

Go to Start - Control Panel - Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid
PSGuard


Rescan with Hijack This and put a check by these. Close all browser windows except HijackThis and click "Fix checked"

Restart your computer into safe mode now. Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\wp.exe

C:\wp.bmp

C:\bsw.exe

C:\Windows\sites.ini

C:\Windows\popuper.exe

C:\Windows\system32\hhk.dll

C:\Windows\System32\wldr.dll

C:\Windows\System32\helper.exe

C:\Windows\System32\intmon.exe

C:\Windows\System32\shnlog.exe

C:\Windows\System32\intmonp.exe

C:\WINDOWS\System32\winnook.exe

C:\WINDOWS\desktop.html

C:\Windows\System32\msmsgs.exe

C:\Windows\system32\msole32.exe

C:\Windows\System32\ole32vbs.exe



Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

Because XP will not always show you hidden files and folders by default, go to Start - Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders". Click "Apply" then "OK".

Find and delete these folders if they exist:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Program Files\Security IGuard
C:\WINDOWS\System32\Services
C:\Windows\System32\Log Files
C:\Program Files\PSGuard

IMPORTANT!: If you forget to run the smitfraudfix.reg file you will not be able to boot your computer normally. DO NOT forget this step. Locate smitfraudfix.reg on your desktop and double click on it. When asked if you want to merge with the registry click YES. After you receive the prompt "merged successfully", follow the rest of the instructions below.

Start Ccleaner and click Run Cleaner

Go to Control Panel - Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Restart back into Windows normally now.

Download the Hoster from here: http://www.funkytoad.com/download/hoster.zip. Unzip the file and press "Restore Original Hosts" and press "OK". Exit Program.

Run Panda’s ActiveScan online virus scan from here: http://www.pandasoftware.com/activescan/

When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself. Save the results from the scan.

Post a new HiJackThis log along with the results from ActiveScan
 

Registered · 8,256 Posts · Discussion Starter · #6 ·
CG:
Thanks for your instructions.

You state:
Go to Start - Control Panel - Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid
PSGuard

Rescan with Hijack This and put a check by these. Close all browser windows except HijackThis and click "Fix checked"

???????????????

Restart your computer into safe mode now. Perform the following steps in safe mode:

Double-click on Killbox.exe . . . ."

??????????????? is my entry. Which box / boxes do you want me to check?

I checked the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - (no file)

Only PSGuard was present in add/remove. I removed it.

Booted to safe mode, used Killbox to remove files you mentioned.

Found & removed c:\windows\system32\LogFiles

Ran smitfraudfix.reg; merged as advised.

Ccleaner run as instructed.

"reset Web settings" engaged.

booted to normal mode.
NAV 2004 advised me that c:\windows\system32\wininet.dll is present, infected with Bloodhound.w32.ep

Microsoft AntiSpyware advised me that onesearch & about:blank were trying to make changes.

Ran hoster, as directed.

Unable to connect to internet. Again / still, "Network Connections" is empty / blank.

I await your counsel.

Sincerely,

B123
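As an added example (not code from this thread, from HijackThis or from any of the tools named above), a small Python triage script that applies the checks this thread relies on to HJT log lines: R0/R1 Internet Explorer settings pointing at about:blank or at a search host outside an assumed trusted list, O2 BHOs with no name or no backing file, and running processes or Run entries naming the smitfraud components CG's instructions delete. The sample log is constructed from lines quoted in this thread plus one constructed O4 entry; the trusted-host set is an assumption.

```python
"""Triage HijackThis 1.99 log lines for the hijack indicators discussed in this thread."""
import re
from dataclasses import dataclass

# Hosts a stock IE 6 start/search setting may legitimately point at
# (assumption for this example; extend for your own environment).
TRUSTED_SEARCH_HOSTS = {"www.microsoft.com", "home.microsoft.com", "www.msn.com", "search.msn.com"}

# File names the removal instructions in this thread tell the user to delete
# with Killbox (smitfraud / about:blank hijacker components).
KNOWN_BAD_FILES = {
    "wp.exe", "bsw.exe", "popuper.exe", "hhk.dll", "wldr.dll", "helper.exe",
    "intmon.exe", "shnlog.exe", "intmonp.exe", "winnook.exe", "msole32.exe", "ole32vbs.exe",
}

R_ENTRY = re.compile(r"^(R[01]) - (.+?) = (.*)$")               # IE start/search settings
O2_ENTRY = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_ENTRY = re.compile(r"^O4 - .*?: \[.*?\] (.*)$")               # Run/RunOnce autostarts
PROC_LINE = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.IGNORECASE)  # "Running processes" list


@dataclass
class Finding:
    kind: str    # HJT section (R0, R1, O2, O4) or "process"
    line: str    # the log line that triggered the finding
    reason: str


def host_of(url):
    """Lower-cased host of an http(s) URL; None for about:blank, file: and the like."""
    m = re.match(r"https?://([^/]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def basename_of(command):
    """Lower-cased file name of the executable in a Run value or process path
    (handles quoted paths with arguments as well as bare paths)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        parts = command.split()
        exe = parts[0] if parts else command
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a Finding for every suspicious line of an HJT log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R_ENTRY.match(line)
        if m:
            kind, _key, value = m.groups()
            if value.strip().lower() == "about:blank":
                findings.append(Finding(kind, line, "IE start/search setting reset to about:blank"))
            else:
                host = host_of(value)
                if host and host not in TRUSTED_SEARCH_HOSTS:
                    findings.append(Finding(kind, line, f"IE search setting points at {host}"))
            continue
        m = O2_ENTRY.match(line)
        if m:
            name, _clsid, path = m.groups()
            if name.strip() == "(no name)" or "(no file)" in path.lower():
                findings.append(Finding("O2", line, "BHO with no name or no backing file"))
            continue
        m = O4_ENTRY.match(line)
        if m:
            exe = basename_of(m.group(1))
            if exe in KNOWN_BAD_FILES:
                findings.append(Finding("O4", line, f"autorun of known hijacker component {exe}"))
            continue
        if PROC_LINE.match(line):
            exe = basename_of(line)
            if exe in KNOWN_BAD_FILES:
                findings.append(Finding("process", line, f"known hijacker component running: {exe}"))
    return findings


# Constructed sample: lines copied from the logs in this thread plus one
# constructed O4 entry (the thread shows no Run entry for intmon.exe).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [intmon] C:\WINDOWS\System32\intmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run against the sample it reports the two hijacker processes, the three R0/R1 entries, the fileless BHO and the constructed intmon.exe autorun, and stays silent on the Symantec and Radio toolbar lines.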
 

Administrator · 123,556 Posts

Registered · 8,256 Posts · Discussion Starter · #8 ·
CG:
1. booted to normal mode.
NAV 2004 advised me that c:\windows\system32\wininet.dll is present, infected with Bloodhound.w32.ep

Microsoft AntiSpyware advised me that onesearch & about:blank were trying to make changes.

That problem has not been fixed.



2. I have already tried Winsockfix & LSPFix.

B123
 

Registered · 11 Posts
beginner123 said: [opening post quoted in full]
It hides; I found it in my default browser.
 

Registered · 8,256 Posts · Discussion Starter · #11 ·
CG:
GHO's message is not clear to me.

Yes, CG, I know that wininet.dll is a legitimate Windows file & that it is infected. I keep killing it [ or trying to ], but it keeps coming back.

Here is the HJT log you requested, CG.

When I booted the computer, with no internet connection established, SpywareGuard appeared, informing me that the search page had been changed to www.oneclicksearches.com.

Norton AV has informed me that c:\windows\system32\wininet.dll is infected with Bloodhound.W32.EP; that said file is uncleanable; that said file cannot be deleted because access has been denied to NAV.

Logfile of HijackThis v1.99.1
Scan saved at 7:52:01 PM, on 6/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\S3apphk.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\utilities_22_June_05\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks for your help.

B123
 

Administrator · 123,556 Posts
Let's run through this again with some updated parts to the fix.

Please read these instructions carefully and copy them to notepad then save the notepad file to your desktop so you can refer to them. Be sure to follow ALL instructions!

Click here to download and install CCleaner but do NOT use it yet. You will use it later in safe mode.

Click here and download the Killbox and save it to your desktop.

Click here and download smitfraudfix.reg file. Save it to your desktop and have it ready to run later. Be sure to use this one, not the previous one, as it's been updated.

Click here to see how to boot into safe mode as you will need to do this later:

Go to Start – Control Panel – Add/Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid
PSGuard


Rescan with HijackThis and put a check by these. Close all browser windows except HijackThis and click Fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)

O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe


Restart your computer into safe mode now. Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the Full Path of File to Delete box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\wp.exe

C:\wp.bmp

C:\bsw.exe

C:\Windows\sites.ini

C:\Windows\popuper.exe

C:\Windows\System32\hhk.dll

C:\Windows\System32\wldr.dll

C:\Windows\System32\wp.bmp

C:\Windows\System32\perfcii.ini

C:\Windows\System32\oleadm.dll

C:\Windows\System32\helper.exe

C:\Windows\System32\shnlog.exe

C:\Windows\System32\intmon.exe

C:\Windows\System32\intmonp.exe

C:\Windows\System32\msmsgs.exe

C:\Windows\System32\msole32.exe

C:\Windows\System32\ole32vbs.exe

C:\WINDOWS\System32\hookdump.exe


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

Because XP will not always show you hidden files and folders by default, go to Start - Search and under More advanced search options, make sure there is a check by Search System Folders, Search hidden files and folders and Search system subfolders.

Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files and Hide extensions for known file types. Now click Apply to all folders. Click Apply then OK.

Find and delete these folders if they exist:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Program Files\Security IGuard
C:\WINDOWS\System32\Services
C:\Windows\System32\Log Files
C:\Program Files\PSGuard

IMPORTANT!: If you forget to run the smitfraudfix.reg file you will not be able to boot your computer normally. DO NOT FORGET THIS STEP. Locate smitfraudfix.reg on your desktop and double click on it. When asked if you want to merge with the registry click YES. After you receive the prompt merged successfully, follow the rest of the instructions below.

Start Ccleaner and click Run Cleaner

Go to Control Panel - Internet Options. Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.

Restart back into Windows normally now.

Download The Hoster from here. Unzip the file and press Restore Original Hosts and press OK. Exit Program.

Run Panda's ActiveScan online virus scan from here.

When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself. Save the results from the scan.

Post a new HiJackThis log along with the results from ActiveScan.
 

Registered · 8,256 Posts · Discussion Starter · #15
CG:
Steps taken:
Slaved HDD into other computer. Scanned with AVG, locally; found about 100 files, which it was able to delete.

Scanned at Panda, found a bunch of files. I deleted them, manually & with Killbox.exe. I am not confident in Killbox.exe, however, because I created a test file, filename.rtf, & told Killbox to kill it upon re-boot. The file was still there [ c:\filename.rtf ].

I ran the steps, again, exactly as you described above.

Ran avg, removed 2 files. Scanned at panda.

Panda log:

Incident Status Location

Adware:Adware/MyWay No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32
Adware:Adware/SideSearch No disinfected C:\Program Files\Lycos
Adware:Adware/Midaddle No disinfected Windows Registry
Adware:Adware/SuperSpider No disinfected c:\documents and settings\owner\favorites\online dating.url
Adware:Adware/Popuper No disinfected c:\documents and settings\owner\favorites\Home Loan.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Home Loan.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Network Security.url
Adware:Adware/SuperSpider No disinfected C:\Documents and Settings\Owner\Favorites\Online Dating.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Online Gambling.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Online Pharmacy.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Remove Spyware.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Spam Filters.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Take It Here - Free Porn TGP.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Owner\Favorites\Web Detective.url
Spyware:Spyware/ClearSearch No disinfected C:\Program Files\Lycos\SideSearch\ClrSchUninstall_78_86.xex
Adware:Adware/Lop No disinfected C:\utilities_22_June_05\lopremover.exe
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.dll

Manually deleted:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll ;
entries in favorites ;
C:\Program Files\Lycos ;
C:\WINDOWS\bsx32 ;
C:\Program Files\Lycos\SideSearch\ClrSchUninstall_78_86.xex [ deleted when I manually deleted c:\program files\Lycos ].

Now, I can access the internet. Congratulations on your / our success.

Most recent HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 7:08:55 PM, on 6/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\S3apphk.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\WILDTA~1\DDC\DDCMAN~1\DDCMan.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\utilities_22_June_05\HJT\HijackThis.exe
C:\utilities_22_June_05\HJT\HijackThis.exe

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I scanned with Spybot S&D 1.4 & Ad-Aware SE [ most recent ], both with latest updates. No bad guys found.

I await your advice, CG & perhaps F1.

B123
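As an added example (not from the thread, and not part of HijackThis), a small Python script that parses HJT item lines, flags R0/R1 entries pointing at a host outside an assumed allowlist of stock IE hosts (or an about:blank default page, the symptom this thread opened with), and diffs the post #11 log against the post #15 log to show what the fix removed and what appeared. The log excerpts are copied from those two posts; the allowlist is an assumption.

```python
"""Added example: parse HijackThis 1.99.1 log items, flag IE search/home-page
hijack entries, and diff two scans (not part of the thread or of HijackThis)."""
import re
from urllib.parse import urlparse

# Assumption: hosts a stock XP/IE6 install points its R0/R1 entries at.
KNOWN_GOOD_HOSTS = {"www.microsoft.com", "www.msn.com", "search.msn.com", "go.microsoft.com"}

# HJT item lines look like "R1 - <key> = <value>" or "O4 - HKLM\..\Run: [name] <cmd>".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")

# Constructed excerpts copied from the logs in posts #11 (before) and #15 (after).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
"""


def parse_entries(log_text):
    """Return (kind, body) tuples for every item line; header lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def hijacked_search_entries(entries):
    """R0/R1 items whose URL host is not on the allowlist, plus a default page
    of about:blank (the symptom the thread opened with)."""
    flagged = []
    for kind, body in entries:
        if kind not in ("R0", "R1"):
            continue
        key, _, value = body.partition(" = ")
        value = value.strip()
        if value == "about:blank" and "Default_Page_URL" in key:
            flagged.append((kind, key, value))
        elif value.lower().startswith("http") and urlparse(value).hostname not in KNOWN_GOOD_HOSTS:
            flagged.append((kind, key, value))
    return flagged


def diff_logs(before_text, after_text):
    """Items present only before the fix (removed) and only after it (added)."""
    before = set(parse_entries(before_text))
    after = set(parse_entries(after_text))
    return sorted(before - after), sorted(after - before)


def report(before_text, after_text):
    """Human-readable summary of the two checks above."""
    lines = ["Hijack indicators in the 'before' log:"]
    for kind, key, value in hijacked_search_entries(parse_entries(before_text)):
        lines.append(f"  {kind} {key.rsplit(',', 1)[-1]} -> {value}")
    removed, added = diff_logs(before_text, after_text)
    lines.append("Removed by the fix:")
    lines += [f"  - {k} {b}" for k, b in removed]
    lines.append("New since the fix (verify each against the vendor path):")
    lines += [f"  + {k} {b}" for k, b in added]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BEFORE_LOG, AFTER_LOG))
```

Run it against two full HJT logs pasted into the two constants to get the same removed/added summary for a real before-and-after pair.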
 

Registered · 8,256 Posts · Discussion Starter · #16
CG:
Thanks for all of your assistance. I have tested the system, connecting to the internet. No popups. No hijacking attempts.

I successfully upgraded to Windows XP SP2. Wonder of Wonders, no problems with that.

And the network connections icons re-appeared.

WHEW!!! :)

Please close this thread as resolved.

B123
 

Administrator · 123,556 Posts
The log looks good. I assume you deleted everything Panda found.

A new tool has just been developed for this hijack and it might be a good idea to run it anyway.

Click here to download smitRem.zip. Save the file to your desktop.

Unzip smitRem.zip to extract the two files it contains.

Now, boot to safe mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.

Wait for the tool to complete and disk cleanup to finish.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on My Computer and click on Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on Start – All Programs – Accessories – System Tools and then select System Restore.

In the System Restore wizard, select Create a restore point and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading SPYWAREBLASTER & SPYWAREGUARD for added protection.

Read here for info on how to tighten your security.

Delete your temporary files:

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type %temp% in the Run box. The Temp folder will open. Click Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the recycle bin.
 