Tech Support Guy banner
  • Please post in our Community Feedback thread for help with the new forum software! If you are having trouble logging in, please Contact Us for assistance.
Status
Not open for further replies.
1 - 20 of 22 Posts

·
Registered
Joined
·
18 Posts
Discussion Starter · #1 ·
Logfile of HijackThis v1.99.0
Scan saved at 9:27:19 AM, on 1/7/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\gvoguk.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\System32\3DLman.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\Documents and Settings\jneher.PICO\Application Data\mroh.exe
C:\WINNT\system32\l?***.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\AutoCAD R14\acad.exe
C:\AM\AMWWIN\aw32.exe
C:\AM\AMWWIN\awds32.exe
C:\AM\CUSTOM\acadwin\amwupd32.exe
C:\downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsearches.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
R3 - Default URLSearchHook is missing
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SDWin32 Class - {0F09C483-3B41-4BEC-8059-4369ED838224} - C:\WINNT\system32\lmcde.dll (file missing)
O2 - BHO: (no name) - {25C29C08-0FC8-5267-9B18-2FA7114FC5BF} - C:\WINNT\system32\lgq.dll
O2 - BHO: (no name) - {2E1C69CD-A278-F1FF-0A30-FDCAC7D197EC} - C:\WINNT\system32\iafdolx.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: SDWin32 Class - {60EEE08C-B977-4A25-A2D8-7C10F664F653} - C:\WINNT\system32\isdtr.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINNT\System32\3DLman.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuzS.exe] c:\documents and settings\jneher.pico\local settings\temp\QuzS.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Awoa] C:\Documents and Settings\jneher.PICO\Application Data\mroh.exe
O4 - HKCU\..\Run: [Z1s8RWf7V] umlptsvc.exe
O4 - HKCU\..\Run: [aBp4RjG5e] umlptsvc.exe
O4 - HKCU\..\Run: [Qnxv] C:\WINNT\system32\l?***.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Pico.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Pico.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Pico.local
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe

Reply With Quote
 

·
Registered
Joined
·
49,014 Posts
Print this out or save to a file

Boot to safe mode

Fix these entries

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsearches.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
R3 - Default URLSearchHook is missing

O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll

O2 - BHO: SDWin32 Class - {0F09C483-3B41-4BEC-8059-4369ED838224} - C:\WINNT\system32\lmcde.dll (file missing)

O2 - BHO: (no name) - {25C29C08-0FC8-5267-9B18-2FA7114FC5BF} - C:\WINNT\system32\lgq.dll

O2 - BHO: (no name) - {2E1C69CD-A278-F1FF-0A30-FDCAC7D197EC} - C:\WINNT\system32\iafdolx.dll (file missing)

O2 - BHO: SDWin32 Class - {60EEE08C-B977-4A25-A2D8-7C10F664F653} - C:\WINNT\system32\isdtr.dll (file missing)

O4 - HKLM\..\Run: [QuzS.exe] c:\documents and settings\jneher.pico\local settings\temp\QuzS.exe

O4 - HKCU\..\Run: [Awoa] C:\Documents and Settings\jneher.PICO\Application Data\mroh.exe

O4 - HKCU\..\Run: [Z1s8RWf7V] umlptsvc.exe

O4 - HKCU\..\Run: [aBp4RjG5e] umlptsvc.exe

O4 - HKCU\..\Run: [Qnxv] C:\WINNT\system32\l?***.exe

Delete these files – Show hidden files and system files in explorer – TOOLS OPTIONS VIEW

C:\WINNT\BTGrab.dll
C:\WINNT\system32\lmcde.dll
C:\WINNT\system32\lgq.dll
C:\Documents and Settings\jneher.PICO\Application Data\mroh.exe
umlptsvc.exe – search for this
C:\WINNT\system32\l?***.exe ç== Do not use search to find that and make sure of that exact name with the ? and the 3 *** DO NOT CONFUSE it with lsass

START – RUN - %temp% - Edit – Select all – File – Delete
Empty the recycle bin

Boot and post a new log
 

·
Registered
Joined
·
18 Posts
Discussion Starter · #3 ·
Logfile of HijackThis v1.99.0
Scan saved at 8:38:26 AM, on 1/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\gvoguk.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\System32\3DLman.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\My Downloads\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINNT\System32\3DLman.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Pico.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Pico.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Pico.local
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe
 

·
Registered
Joined
·
18 Posts
Discussion Starter · #5 ·
MFDnSC,
Thanks for your help. The system is running fine but we are still getting popups that are not being blocked by Firefox. We have disabled messenger in the services and a few other things but they still appear. One of the frequent pages is from 'emarketmakers' does this sound familiar to any of you folks?

PIJim
 

·
Gone but never forgotten
Joined
·
8,684 Posts
You still have one strange task running

C:\WINNT\system32\gvoguk.exe

Run HJT again, Config button, Misc Tools button, Select List Minor Sections and click on Generate Startuplist Log.

Copy/paste the log back here to see if we can find where it is starting from.
 

·
Registered
Joined
·
49,014 Posts
WhitPhil said:
You still have one strange task running

C:\WINNT\system32\gvoguk.exe

Run HJT again, Config button, Misc Tools button, Select List Minor Sections and click on Generate Startuplist Log.

Copy/paste the log back here to see if we can find where it is starting from.
Good catch WhitPhil!!!
 

·
Registered
Joined
·
18 Posts
Discussion Starter · #9 ·
StartupList report, 1/11/2005, 2:45:30 PM
StartupList version: 1.52.2
Started from : C:\My Downloads\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NavNT\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\System32\3DLman.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\gvoguk.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\My Downloads\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Iomega Startup Options = C:\Program Files\Iomega\Common\ImgStart.exe
Iomega Drive Icons = C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
3Dlabs Taskbar Display Manager = C:\WINNT\System32\3DLman.exe
vptray = C:\Program Files\NavNT\vptray.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Synchronization Manager = mobsync.exe /logon
Spyware Nuker = C:\Program Files\Spyware Nuker 2004\swn2.exe /h

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = ctfmon.exe

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\AutoCADLTScriptFile\shell\open\command

(Default) = C:\WINNT\NOTEPAD.EXE "%1"

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[349cd6f2-ae39-4569-a0f1-0d601a1da9ef]
StubPath = C:\WINNT\system32\almauq.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE

[d1d8518a-cecb-4a59-a87e-402013dcd9bf] *
StubPath = C:\WINNT\system32\lwaazz.exe

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINNT\system32\Rundll32.exe C:\WINNT\system32\mscories.dll,Install

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINNT\system32\ssbezier.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\WINNT\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37868.2902430556

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Computer Browser: %SystemRoot%\System32\services.exe (autostart)
DefWatch: C:\PROGRA~1\NavNT\DefWatch.exe (autostart)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
DNS Client: %SystemRoot%\System32\services.exe (autostart)
drvnddm: system32\drivers\drvnddm.sys (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (autostart)
IomegaAccess: C:\WINNT\System32\IomegaAccess.exe /S (autostart)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
NAVAPEL: \??\C:\Program Files\NavNT\NAVAPEL.SYS (autostart)
Net Logon: %SystemRoot%\System32\lsass.exe (autostart)
Symantec AntiVirus Client: C:\PROGRA~1\NavNT\Rtvscan.exe (autostart)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
PMEM: \??\C:\WINNT\system32\drivers\PMEMNT.SYS (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
RunAs Service: %SystemRoot%\system32\services.exe (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Still Image Service: %systemroot%\system32\stisvc.exe (autostart)
tfsnboio: system32\dla\tfsnboio.sys (autostart)
tfsncofs: system32\dla\tfsncofs.sys (autostart)
tfsndrct: system32\dla\tfsndrct.sys (autostart)
tfsndres: system32\dla\tfsndres.sys (autostart)
tfsnifs: system32\dla\tfsnifs.sys (autostart)
tfsnopio: system32\dla\tfsnopio.sys (autostart)
tfsnpool: system32\dla\tfsnpool.sys (autostart)
tfsnudf: system32\dla\tfsnudf.sys (autostart)
tfsnudfa: system32\dla\tfsnudfa.sys (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
Windows Time: %SystemRoot%\System32\services.exe (autostart)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
WMDM PMSP Service: C:\WINNT\System32\mspmspsv.exe (autostart)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (autostart)
ZipToA: C:\WINNT\System32\ZipToA.exe /S (autostart)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:

[\\Pico.local\sysvol\Pico.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\User\Scripts\scripts.ini]
[Logon]
0CmdLine=Login.bat
0Parameters=

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 11,153 bytes
Report generated in 0.141 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 

·
Gone but never forgotten
Joined
·
8,684 Posts
The culprit seems to be

[349cd6f2-ae39-4569-a0f1-0d601a1da9ef]
StubPath = C:\WINNT\system32\almauq.exe


which will run on every boot because it's "twin" is not present.

And then, my guess is that it then starts

C:\WINNT\system32\gvoguk.exe

But, before we do any more surgury, run this online virus check to see it they are already known.

If not, then we will preserve them for anyone that is interested and then get rid of them.

***As well, if anyone has a "direct link" to Merijn, it would be nice if this situation were recognized by HiJackThis.
 

·
Registered
Joined
·
46,353 Posts
gvoguk.exe is from the qoologic/narrator trojan. Please do this:

Click here to download Find It NT-2K-XP.zip.

Unzip it and double-click on Find.bat to run it. When the command window first opens, it will say "File not found". Ignore that and let it continue to run until it finishes. It may take it a few minutes. It will open an Output.txt file when it completes. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.
 

·
Registered
Joined
·
18 Posts
Discussion Starter · #12 ·
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\JIM\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 2C07-BB6F

Directory of C:\WINNT\System32

01/07/2005 11:19a dllcache
12/22/2004 01:19p 389,120 l?***.exe
1 File(s) 389,120 bytes
1 Dir(s) 20,266,873,856 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 2C07-BB6F

Directory of C:\WINNT\System32

01/07/2005 11:19a dllcache
12/22/2004 01:19p 389,120 l?***.exe
02/11/2001 02:00p GroupPolicy
02/11/2001 01:54p 21,692 folder.htt
02/11/2001 01:54p 271 desktop.ini
3 File(s) 411,083 bytes
2 Dir(s) 20,266,873,856 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 2C07-BB6F

Directory of C:\WINNT\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 2C07-BB6F

Directory of C:\WINNT\System32

12/07/1999 12:00p 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 20,266,869,760 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINNT\\system32\\NavLogon.dll"
"Logoff"="NavLogoffEvent"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

------------------ Locate.com Results ------------------

C:\WINNT\SYSTEM32\
lass~1.exe Wed Dec 22 2004 1:19:40p ..SHR 389,120 380.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 389,120 bytes 380.00 K

------------ Strings.exe Qoologic Results ------------

C:\WINNT\system32\almauq.exe: updates.qoologic.com
C:\WINNT\system32\ibnnoo.dll: updates.qoologic.com
C:\WINNT\system32\loqqyy.dll: updates.qoologic.com
C:\WINNT\system32\lwaazz.exe: updates.qoologic.com
C:\WINNT\system32\niunpa.dll: updates.qoologic.com
C:\WINNT\system32\qlzqup.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINNT\system32\gvoguk.exe: .aspack
C:\WINNT\system32\kwykuv.dat: .aspack
C:\WINNT\system32\wbkkaa.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ikpign.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"3Dlabs Taskbar Display Manager"="C:\\WINNT\\System32\\3DLman.exe"
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Synchronization Manager"="mobsync.exe /logon"
"Narrator"="C:\\WINNT\\system32\\gvoguk.exe"
"Spyware Nuker"="C:\\Program Files\\Spyware Nuker 2004\\swn2.exe /h"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


 

·
Registered
Joined
·
46,353 Posts
Click Here and download the the new version of Killbox and save it to your desktop.

Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINNT\system32\almauq.exe

C:\WINNT\system32\ibnnoo.dll

C:\WINNT\system32\loqqyy.dll

C:\WINNT\system32\lwaazz.exe

C:\WINNT\system32\niunpa.dll

C:\WINNT\system32\qlzqup.dll

C:\WINNT\system32\gvoguk.exe

C:\WINNT\system32\kwykuv.dat

C:\WINNT\system32\wbkkaa.dat

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ikpign.exe


After you paste the last file in Killbox and it asks you if you want to reboot now, Click Yes and let it reboot.

After it restarts, run find.bat again and post a new output.txt log and a new Hijack This log.

Also we need to remove the reg entries the trojan added. To get all the info I need for that, do the following:

Open Hijack This. Click on the "Config" button in the lower right corner. Now click on "Misc Tools" then under "Generate Startup List" put a check by "List also minor sections (full)" and "List empty sections (Complete)". Now click on the "Generate Startup List" button and copy and paste the contents of the list back here as well.

Click here to download Silentrunners.zip.

Run the SilentRunners.vbs file. If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run.

When it is finished it will produce a Startup Programs text file. Copy and paste that text file here in your next reply.

Click here to download track.zip. Unzip it to your desktop. Doubleclick on the track.vbs file and let it run. After it runs it will tell you to press any key to continue. Press any key and it will open a Look.txt file. Copy that and post it here as well. As I said with the last script you may get a warning. It is not malicious so you can allow it to run

To clarify, I want logs from all of the following:

HJT
HJT startuplist
Silentrunners
Track.vbs
Find.bat


*Note: There will be more here than you can post in one reply so it will be easier to just copy all the logs to one notepad file and name it info.txt. Save the file to your desktop and then attach it to your next post. It's probably overkill, but I like to doublecheck things.
 

·
Registered
Joined
·
18 Posts
Discussion Starter · #17 ·
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"3Dlabs Taskbar Display Manager"="C:\\WINNT\\System32\\3DLman.exe"
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Synchronization Manager"="mobsync.exe /logon"
"Narrator"="C:\\WINNT\\system32\\gvoguk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

Subkey --- Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}
C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll

Subkey --- LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}
C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

Subkey --- mtxxnn
{5f710dc1-e9b0-4468-b867-f4bebd65a43f}
C:\WINNT\system32\loqqyy.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINNT\system32\shell32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINNT\system32\shell32.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WinZip\WZSHLSTB.DLL

Subkey --- xmkxyq
{ab6cd0b5-8b73-4caa-9278-f5fb2ad407cf}
C:\WINNT\system32\qlzqup.dll
-----------

System32 Dat Files

---------- C:\WINNT\SYSTEM32\DSSEC.DAT

---------- C:\WINNT\SYSTEM32\EMPTYREGDB.DAT

---------- C:\WINNT\SYSTEM32\FNTCACHE.DAT

---------- C:\WINNT\SYSTEM32\MLANG.DAT

---------- C:\WINNT\SYSTEM32\NOISE.DAT

---------- C:\WINNT\SYSTEM32\PERFC009.DAT

---------- C:\WINNT\SYSTEM32\PERFD009.DAT

---------- C:\WINNT\SYSTEM32\PERFH009.DAT

---------- C:\WINNT\SYSTEM32\PERFI009.DAT

"Silent Runners.vbs", revision 27, launched at: 09:19
Operating System: Windows 2000

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"ctfmon.exe" = "ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Iomega Startup Options" = "C:\Program Files\Iomega\Common\ImgStart.exe" ["Iomega Corporation"]
"Iomega Drive Icons" = "C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" ["Iomega Corp."]
"3Dlabs Taskbar Display Manager" = "C:\WINNT\System32\3DLman.exe" [null data]
"vptray" = "C:\Program Files\NavNT\vptray.exe" ["Symantec Corporation"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"Narrator" = "C:\WINNT\system32\gvoguk.exe" [file not found]

HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINNT\inf\unregmp2.exe /ShowWMP" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINNT\system32\dla\tfswshx.dll" ["VERITAS Software, Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = "AcroIEToolbarHelper Class"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"Network.ConnectionTray" = "{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINNT\system32\NETSHELL.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINNT\System32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "stobject.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "NavLogon\DLLName" = "C:\WINNT\system32\NavLogon.dll" [null data]

HKCU\Software\Policies\Microsoft\Windows\System\Scripts
Logon -> launches: "\\Pico.local\sysvol\Pico.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\User\Scripts\Logon\Login.bat" [(path error)]

Startup items in "jneher" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

COM+ Event System, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [MS]}
Computer Browser, Browser, "C:\WINNT\System32\services.exe" [MS]
DefWatch, DefWatch, "C:\PROGRA~1\NavNT\DefWatch.exe" ["Symantec Corporation"]
DHCP Client, Dhcp, "C:\WINNT\System32\services.exe" [MS]
Distributed Link Tracking Client, TrkWks, "C:\WINNT\system32\services.exe" [MS]
DNS Client, Dnscache, "C:\WINNT\System32\services.exe" [MS]
Event Log, Eventlog, "C:\WINNT\system32\services.exe" [MS]
IPSEC Policy Agent, PolicyAgent, "C:\WINNT\System32\lsass.exe" [MS]
Logical Disk Manager, dmserver, "C:\WINNT\System32\services.exe" [MS]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Net Logon, Netlogon, "C:\WINNT\System32\lsass.exe" [MS]
Network Connections, Netman, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\netman.dll" [MS]}
Plug and Play, PlugPlay, "C:\WINNT\system32\services.exe" [MS]
Print Spooler, Spooler, "C:\WINNT\system32\spoolsv.exe" [MS]
Protected Storage, ProtectedStorage, "C:\WINNT\system32\services.exe" [MS]
Remote Access Connection Manager, RasMan, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\rasmans.dll" [MS]}
Remote Procedure Call (RPC), RpcSs, "C:\WINNT\system32\svchost -k rpcss" {"C:\WINNT\system32\rpcss.dll" [MS]}
Remote Registry Service, RemoteRegistry, "C:\WINNT\system32\regsvc.exe" [MS]
Removable Storage, NtmsSvc, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\NtmsSvc.dll" [MS]}
RunAs Service, seclogon, "C:\WINNT\system32\services.exe" [MS]
Security Accounts Manager, SamSs, "C:\WINNT\system32\lsass.exe" [MS]
Server, lanmanserver, "C:\WINNT\System32\services.exe" [MS]
Still Image Service, StiSvc, "C:\WINNT\system32\stisvc.exe" [MS]
Symantec AntiVirus Client, Norton AntiVirus Server, "C:\PROGRA~1\NavNT\Rtvscan.exe" ["Symantec Corporation"]
System Event Notification, SENS, "C:\WINNT\system32\svchost.exe -k netsvcs" {"C:\WINNT\system32\sens.dll" [MS]}
Task Scheduler, Schedule, "C:\WINNT\system32\MSTask.exe" [MS]
TCP/IP NetBIOS Helper Service, LmHosts, "C:\WINNT\System32\services.exe" [MS]
Telephony, TapiSrv, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\tapisrv.dll" [MS]}
Windows Management Instrumentation, WinMgmt, "C:\WINNT\System32\WBEM\WinMgmt.exe" [MS]
Windows Management Instrumentation Driver Extensions, Wmi, "C:\WINNT\system32\Services.exe" [MS]
Windows Time, W32Time, "C:\WINNT\System32\services.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINNT\System32\mspmspsv.exe" [MS]
Workstation, lanmanworkstation, "C:\WINNT\System32\services.exe" [MS]
ZipToA, ZipToA, "C:\WINNT\System32\ZipToA.exe /S" ["Iomega Corporation"]
 

·
Registered
Joined
·
46,353 Posts
I am attaching a finalfix.zip file to this post. Download it and save it to your desktop.

Doubleclick on finalfix.reg to add it to the registry. Answer Yes to confirm.

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

O4 - HKLM\..\Run: [Narrator] C:\WINNT\system32\gvoguk.exe


Restart your computer.

Go here and download Ad-Aware SE.

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From main window :Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
 

Attachments

·
Registered
Joined
·
18 Posts
Discussion Starter · #19 ·
flrman1,
We have been up and running free from all the crap since doing the final fix this AM. Thank you for all of your help. I will be making a donation ASAP!

PIJim
 
1 - 20 of 22 Posts
Status
Not open for further replies.
Top