# trojan horse dropper.small.9.AQ



## elvinj (Feb 8, 2005)

AVG detected Trojan horse Dropper.Small.9.AQ.
Here is a copy of the logfile that "HijackThis" found.

Logfile of HijackThis v1.99.0
Scan saved at 2:29:26 PM, on 2/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: Name - {1BE78FFA-56C3-4E27-8FC5-0A1306D4A2F1} - C:\WINDOWS\System32\msktf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iesp2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [rdspclips.exe] rdspclips.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{23C4DCAE-1AF2-4E2C-A0B2-E725527B3DDE}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797E854-C48F-4125-A689-254170631D7E}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B79A58B-3EC1-4DBD-A54F-50E2458AA192}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE4F3F3-CA8E-49C3-85A5-A58B1E99A154}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7B4659A-EBD9-45CD-B683-6F346EDAE470}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

According to a forum thread I found posted on CastleCops:

http://castlecops.com/postp444137.html

I have a feeling that R1 through O2 (from my logfile above) should be checked to be fixed in my "HijackThis" software, but I don't want to make these changes as I don't fully understand the consequences.

Please help with full instructions such as were posted for someone's similar problem on CastleCops. I thought I would give TechGuy a shot at it before posting on CastleCops, as they have a screwed-up "lost password" process. I would need to create a new email because I forgot my nickname for that site, and I heard TechGuy is just as good.

Thanks in advance.


----------



## Dust Sailor (Mar 17, 2004)

Go to Add/Remove Programs and remove Search Assistant.

http://forums.techguy.org/t110854.html

Go here and download the CoolWebSearch removal tool. Follow the directions and do a "FIX".

Follow the above link and download Spybot Search and Destroy and Ad-Aware SE.
UPDATE them both and do a scan, getting rid of all they find.

Do a scan with Housecall and Panda.

Reboot and post another HijackThis log here, please.


----------



## Dust Sailor (Mar 17, 2004)

You should have AVG running at startup to give you good protection.


----------



## elvinj (Feb 8, 2005)

Search Assistant was not found in Add/Remove Programs... OK, here is my new logfile. I am still getting pop-ups, but Ad-Aware, etc. didn't get it all, I guess. More help?

Logfile of HijackThis v1.99.0
Scan saved at 1:27:33 PM, on 2/9/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\smbdins.exe
C:\WINDOWS\System32\sethcd.exe
C:\WINDOWS\System32\tsmsetup.exe
C:\Documents and Settings\Administrator\Desktop\shortcuts\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iesp2.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{23C4DCAE-1AF2-4E2C-A0B2-E725527B3DDE}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797E854-C48F-4125-A689-254170631D7E}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B79A58B-3EC1-4DBD-A54F-50E2458AA192}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE4F3F3-CA8E-49C3-85A5-A58B1E99A154}: NameServer = 69.50.176.156,195.225.176.31


----------



## Dust Sailor (Mar 17, 2004)

Go to Windows Update and get all critical updates except SP2.


----------



## cybertech (Apr 16, 2002)

Hi elvinj, welcome to TSG!!

Download the Pocket KillBox.

Unzip the files to your desktop.

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu will come up where you can choose to enter Safe Mode.

Run KillBox.exe.

Select the Delete on Reboot option.
In the Full Path of File to Delete field, paste each of the paths below and click the red circle with the white X in it. When it asks you to reboot, click *No.*

*C:\WINDOWS\System32\smbdins.exe*

*C:\WINDOWS\System32\sethcd.exe*

*C:\WINDOWS\System32\tsmsetup.exe*

Close Killbox.

*Run HJT again and put a check in the following:*

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iesp2.dll (file missing)

*Close all applications and browser windows before you click "fix checked".*

Reboot.

Go to Internet Options, Programs
Click the "Reset Web Settings" Button to reset your home and search pages.

Download Adaware SE http://lavasoft.element5.com/software/adaware/

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now, then click Connect and download the latest reference files.

From the main window: click Start, then under Select a scan mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop-down menu and click Next.)

Reboot and post another HJT log for review.


----------



## elvinj (Feb 8, 2005)

Logfile of HijackThis v1.99.0
Scan saved at 10:22:01 PM, on 2/13/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\shortcuts\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{23C4DCAE-1AF2-4E2C-A0B2-E725527B3DDE}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797E854-C48F-4125-A689-254170631D7E}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B79A58B-3EC1-4DBD-A54F-50E2458AA192}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE4F3F3-CA8E-49C3-85A5-A58B1E99A154}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

I think you got it. Thank you in advance, but let me know if it all checks out after you review it... Thanks again, you rock.


----------



## elvinj (Feb 8, 2005)

Oops, looks like I am still getting the same pop-ups: something for an online casino, and then a smaller pop-up comes up saying I have spyware (advertisement). I hate that these people can infect my system like they just walked into my house. Should be ILLEGAL. Anyway, any more ideas?


----------



## cybertech (Apr 16, 2002)

*Run HJT again and put a check in the following:*

O17 - HKLM\System\CCS\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{23C4DCAE-1AF2-4E2C-A0B2-E725527B3DDE}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797E854-C48F-4125-A689-254170631D7E}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B79A58B-3EC1-4DBD-A54F-50E2458AA192}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE4F3F3-CA8E-49C3-85A5-A58B1E99A154}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31

*Close all applications and browser windows before you click "fix checked".*

Let me know if that works.


----------



## elvinj (Feb 8, 2005)

Did not work.
Here is a new logfile.
Please help, I get pop-ups that my girlfriend will not appreciate.
HELP

Logfile of HijackThis v1.99.0
Scan saved at 1:24:21 PM, on 2/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\WINDOWS\System32\sprmover.exe
C:\WINDOWS\System32\sethcd.exe


----------



## cybertech (Apr 16, 2002)

That's not the entire log, but you have new malware running.

Run Spybot and make sure to get the updates and use the immunize feature.

Download AdAware SE Personal: http://www.lavasoftusa.com/support/download/

Install the program and launch it.

In the bottom right-hand corner of the main window, click on Check for updates now, then click Connect and download the latest reference files.

In the main window: click Start and, under Select a scan mode, tick Perform full system scan.

Deselect Search for negligible risk entries.

To start the scan, click the Next button.

When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop-down menu and then click Next.)

Reboot and post another log.


----------



## elvinj (Feb 8, 2005)

Spybot gets rid of 5 DSO Exploit entries and then they come right back after restart.
Ad-Aware finds nothing.
The Spybot registry changes are as follows:

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1004336348-484763869-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

Here is my HijackThis logfile before Spybot temporarily gets rid of the DSO exploits:

Logfile of HijackThis v1.99.0
Scan saved at 9:41:52 PM, on 2/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\WINDOWS\System32\sprmover.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\shortcuts\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{23C4DCAE-1AF2-4E2C-A0B2-E725527B3DDE}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797E854-C48F-4125-A689-254170631D7E}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B79A58B-3EC1-4DBD-A54F-50E2458AA192}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A266F223-87D7-4F04-B846-BAD1373608F8}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE4F3F3-CA8E-49C3-85A5-A58B1E99A154}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

And after (I don't know if there is a difference):

Logfile of HijackThis v1.99.0
Scan saved at 9:43:29 PM, on 2/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\WINDOWS\System32\sprmover.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\shortcuts\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{23C4DCAE-1AF2-4E2C-A0B2-E725527B3DDE}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797E854-C48F-4125-A689-254170631D7E}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B79A58B-3EC1-4DBD-A54F-50E2458AA192}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A266F223-87D7-4F04-B846-BAD1373608F8}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE4F3F3-CA8E-49C3-85A5-A58B1E99A154}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

I do appreciate your prompt replies. Any other suggestions?


----------



## elvinj (Feb 8, 2005)

ZoneAlarm says winwiz32.exe is trying to access (whatever that is); a window called "System Guard" pops up with no information aside from Next and Cancel (very fishy). It has a medical-looking logo, like something from an ambulance. A small window pops up as well on a regular basis saying my computer may be at risk. These are obviously the products of some type of malware, etc.: feeble attempts to get me to purchase anti-spy software that THEY installed. Anyway, this is all still happening after running Ad-Aware, Spybot, AVG and deleting any entries you told me to try to delete in HijackThis. I really need some more help.


----------



## elvinj (Feb 8, 2005)

I just ran AVG and it found and deleted Trojan 9.AQ, but I got an XXX pop-up soon after. Should I run these programs (AVG, Spybot, etc.) in another order in Safe Mode? I think "Trojan Dropper 9.AQ" is dropping more malware somehow, but how? This thing is a *****...


----------



## cybertech (Apr 16, 2002)

The DSO exploit thing is a bug in this version of Spybot.

Search your hard drive for winwiz32.exe; make sure all files and folders are showing. If you find it, please zip the file and send it to [email protected]; also put a link to this thread in the e-mail so I'll remember where the file came from.

Also reboot to Safe Mode and rename the file to winwiz32.old until we find out what it is. I suspect it's related to the O17's that you cannot remove.


----------



## cybertech (Apr 16, 2002)

Thanks, got the file. Were you able to rename it?


----------



## elvinj (Feb 8, 2005)

I was able to rename the file, but I forgot to do so in Safe Mode. Was that a problem?


----------



## cybertech (Apr 16, 2002)

No, I think that's good!! I sent the file to the powers that be, so I'll let you know about that when I hear back.

Now try to remove those O17's with the file renamed...

*Run HJT again and put a check in the following:*

O17 - HKLM\System\CCS\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{23C4DCAE-1AF2-4E2C-A0B2-E725527B3DDE}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797E854-C48F-4125-A689-254170631D7E}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B79A58B-3EC1-4DBD-A54F-50E2458AA192}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE4F3F3-CA8E-49C3-85A5-A58B1E99A154}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31

*Close all applications and browser windows before you click "fix checked".*


----------
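The O17 lines in the post above are HijackThis's abbreviated rendering of the per-interface NameServer values under HKLM\System\...\Services\Tcpip\Parameters\Interfaces\{GUID}: CCS is CurrentControlSet, and CS1/CS2 are the saved control sets ControlSet001/ControlSet002, so the same pair of rogue DNS servers was set for every interface in every control set. As an added example (not part of any post in this thread), the following Python script extracts those entries from a log and flags any nameserver not on an allow-list. The allow-list address 192.168.1.1, the function names and the one clean interface GUID are assumptions for the example; the rest of the log excerpt is constructed from lines posted in this thread.

```python
"""Added example, not from the thread: parse HijackThis O17 lines and flag DNS hijacks.

HijackThis abbreviates the registry path. CCS is CurrentControlSet and
CS1/CS2 are ControlSet001/ControlSet002, the saved control sets; the GUID is
the network interface under Services\\Tcpip\\Parameters\\Interfaces.
"""
import re
from collections import defaultdict

CONTROL_SETS = {"CCS": "CurrentControlSet", "CS1": "ControlSet001", "CS2": "ControlSet002"}

# Constructed log excerpt: the O17 lines posted in the thread plus one clean,
# made-up interface and a non-O17 line, to show what is and is not matched.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{23C4DCAE-1AF2-4E2C-A0B2-E725527B3DDE}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797E854-C48F-4125-A689-254170631D7E}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B79A58B-3EC1-4DBD-A54F-50E2458AA192}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE4F3F3-CA8E-49C3-85A5-A58B1E99A154}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""

# Assumed allow-list: the resolvers this machine is supposed to use (e.g. the home router).
ALLOWED_DNS = {"192.168.1.1"}

O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<guid>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>[0-9., ]+)$"
)


def parse_o17(log_text):
    """Return [(control_set, interface_guid, [nameserver, ...]), ...] for each O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        cs = CONTROL_SETS.get(m.group("cs"), m.group("cs"))
        entries.append((cs, m.group("guid"), servers))
    return entries


def rogue_nameservers(entries, allowed):
    """Map every nameserver outside `allowed` to the (control set, interface) pairs using it."""
    hits = defaultdict(set)
    for cs, guid, servers in entries:
        for s in servers:
            if s not in allowed:
                hits[s].add((cs, guid))
    return {s: sorted(pairs) for s, pairs in hits.items()}


def control_sets_for(entries, guid):
    """Which control sets carry a NameServer value for this interface (shows the CS1/CS2 copies)."""
    return sorted({cs for cs, g, _ in entries if g == guid})


if __name__ == "__main__":
    found = parse_o17(SAMPLE_LOG)
    for server, where in rogue_nameservers(found, ALLOWED_DNS).items():
        print(f"rogue DNS {server} set on {len(where)} interface/control-set pairs")
        for cs, guid in where:
            print(f"    {cs}  {guid}")
```

Run against a saved HijackThis log by replacing SAMPLE_LOG with the file contents; an interface that shows up in ControlSet001/002 as well as CurrentControlSet has a copy in every saved configuration, which is worth checking after a fix that only edited the current one.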



## dvk01 (Dec 14, 2002)

The file you sent was not the winwiz32.exe file but was a copy from the prefetch folder, so it is useless and doesn't tell us anything.

It is likely to still be running on the computer and causing your problems.

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe and put it on the desktop where you can find it easily.

Now run killbox and paste THE FIRST ONE of these lines into the box, select standard file delete, then press the red X button and say yes to the prompt.

Then continue to paste the lines in in turn and follow the above procedure every time. If it says the file is missing, don't worry; if it says unable to delete, then make a note of the file name and let us know when you reply.

C:\WINDOWS\System32\sprmover.exe
C:\WINDOWS\System32\sethcd.exe
C:\WINDOWS\System32\winwiz32.exe

Then post a new HJT log using the latest version of HJT, 1.99.1, which shows a few additional places.


----------



## elvinj (Feb 8, 2005)

the following files could not be deleted by killbox:

C:\WINDOWS\System32\sprmover.exe
C:\WINDOWS\System32\sethcd.exe
C:\WINDOWS\System32\winwiz32.exe

this is all 3 you suggested trying

now here is a hijackthis logfile after deleting the O17s that cybertech suggested:

Logfile of HijackThis v1.99.1
Scan saved at 10:03:12 PM, on 2/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\sprmover.exe
C:\WINDOWS\System32\smbdins.exe
C:\WINDOWS\System32\sethcd.exe
C:\Documents and Settings\Administrator\Desktop\shortcuts\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A266F223-87D7-4F04-B846-BAD1373608F8}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7B4659A-EBD9-45CD-B683-6F346EDAE470}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

i believe they come back after restart so i will post another hjt logfile in a few minutes. if not after startup, then they will be sure to come back soon.
i don't know where to find the original winwiz32 file. what next?


----------



## elvinj (Feb 8, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 10:36:16 PM, on 2/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\WINDOWS\System32\sprmover.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\shortcuts\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A266F223-87D7-4F04-B846-BAD1373608F8}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)


----------



## dvk01 (Dec 14, 2002)

Download http://www.thespykiller.co.uk/files/fixhx.reg and put it on the desktop, then double-click it and say yes to the message to merge with the registry.

Now go to Start > Run and paste in this line
sc delete winlow
and press OK or Enter.

Repeat for
sc delete vdmt16

Now run killbox and paste each of these lines into the box, select standard file delete, then press the red X button and say yes to the prompt. Continue to paste the lines in in turn and follow the above procedure every time. If it says the file is missing, don't worry, but if it says unable to delete file, then select delete on reboot BUT DO NOT let it reboot yet.

C:\WINDOWS\System32\sprmover.exe
C:\WINDOWS\System32\sethcd.exe
C:\WINDOWS\System32\winwiz32.exe
c:\windows\system32\klogini.dll
c:\windows\system32\p2.ini
c:\windows\system32\ps.a3d
c:\windows\system32\vdnt32.sys
c:\windows\system32\vdmt16.sys
c:\windows\system32\winlow.sys
c:\windows\system32\klo5.sys
c:\windows\system32\drct16.dll
C:\WINDOWS\System32\DSMANA~1.DLL
c:\windows\system32\mszx23.exe

Now reboot.

I'm sure a lot of the files won't be there, so don't worry if they aren't.


----------



## elvinj (Feb 8, 2005)

the link posted at the beginning of the last reply was a link to some text. maybe i don't understand something about what to do with that. please explain. thanks.


----------



## elvinj (Feb 8, 2005)

i figured out what to do. i merged your reg. changes and followed the rest of the instructions. should i expect this to work for sure? i have had no problems yet, but it has only been 5 minutes so far. i guess i will keep you informed. thanks a bunch.


----------



## dvk01 (Dec 14, 2002)

OK 

Reboot 2 or 3 times and see if they come back this time.


----------



## elvinj (Feb 8, 2005)

i still get spyware remover ads and that "system guard" popups. here is a hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:02:12 AM, on 2/18/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BitLord\BitLord.exe
C:\Program Files\Propellerhead\Reason\Reason.exe
C:\WINDOWS\System32\sprmover.exe
C:\WINDOWS\System32\smbdins.exe
C:\WINDOWS\System32\sethcd.exe
C:\Documents and Settings\Administrator\Desktop\shortcuts\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{23C4DCAE-1AF2-4E2C-A0B2-E725527B3DDE}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797E854-C48F-4125-A689-254170631D7E}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B79A58B-3EC1-4DBD-A54F-50E2458AA192}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A266F223-87D7-4F04-B846-BAD1373608F8}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE4F3F3-CA8E-49C3-85A5-A58B1E99A154}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7B4659A-EBD9-45CD-B683-6F346EDAE470}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)


----------



## elvinj (Feb 8, 2005)

looks like nothing is fixed. i have just officially received all of the popups from before.


----------



## dvk01 (Dec 14, 2002)

Looks like you have the ntrootkit trojan pest rather than the one I gave the fix for before. So many of the symptoms are similar, with overlapping files.

I'm looking for the latest fix for this one, as it keeps changing to take account of the new files and versions of it, and will be back soon.


----------



## elvinj (Feb 8, 2005)

thanks


----------



## dvk01 (Dec 14, 2002)

I'm sure you have a newer version of this pest and I've put a message out for the guys who developed the original fix, as that one has been removed from its site, so I assume they are updating it to take account of this one.


----------



## dvk01 (Dec 14, 2002)

Can you, in the meantime,

open killbox and press File, and then press Open !Submit and see what files are in there.

If there are any files at all, please upload them:

Please go to http://www.thespykiller.co.uk/forum/index.php and upload these files so I can examine them and distribute them to antivirus companies.
Just press New Topic, fill in the needed details and just give a link to your post here, then press the Browse button and navigate to and select the files on your computer. If there is more than 1 file, press the More Attachments button for each extra file and browse and select etc., and then when all the files are listed in the window press Send to upload the files (do not post HJT logs there as they will not get dealt with),

so we can see what changes these pests have made.


----------



## elvinj (Feb 8, 2005)

killbox would not open a directory until i delete a file.


----------



## dvk01 (Dec 14, 2002)

So what happened when I told you to delete some files with killbox previously?

Reboot twice so we can make sure we can see all the files, and then post a fresh HJT log and we'll start again.


----------



## elvinj (Feb 8, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 2:01:27 PM, on 2/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\ipconfig.exe
C:\WINDOWS\System32\winwiz32.exe
C:\Documents and Settings\Administrator\Desktop\shortcuts\HijackThis.exe
C:\WINDOWS\System32\sprmover.exe
C:\WINDOWS\System32\smbdins.exe
C:\WINDOWS\System32\sethcd.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{23C4DCAE-1AF2-4E2C-A0B2-E725527B3DDE}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797E854-C48F-4125-A689-254170631D7E}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B79A58B-3EC1-4DBD-A54F-50E2458AA192}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A266F223-87D7-4F04-B846-BAD1373608F8}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE4F3F3-CA8E-49C3-85A5-A58B1E99A154}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7B4659A-EBD9-45CD-B683-6F346EDAE470}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)


----------



## dvk01 (Dec 14, 2002)

OK, what we need you to do is

Do this please. Download this zipped file
http://skads.org/special/rkfiles.zip

Unzip the files inside to a folder of its own.
It has to be run in safe mode for it to work correctly.
Reboot into safe mode

Open the folder and run the RKFILES.BAT, sit back and wait until it's finished; when it is finally finished a text file will open. Close it.
Make a log with hijackthis while still in safe mode.

Restart back to a normal windows session:
Post the text located here C:\Log.txt please and that hijackthis log made in safe mode.

once we see the log we can then add any files found to the next program that we will tell you to download


----------



## elvinj (Feb 8, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 5:08:28 PM, on 2/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\shortcuts\HijackThis.exe

O2 - BHO: Name - {1BE78FFA-56C3-4E27-8FC5-0A1306D4A2F1} - C:\WINDOWS\System32\msktf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [rdspclips.exe] rdspclips.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [sprmover.exe] sprmover.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{23C4DCAE-1AF2-4E2C-A0B2-E725527B3DDE}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797E854-C48F-4125-A689-254170631D7E}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B79A58B-3EC1-4DBD-A54F-50E2458AA192}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A266F223-87D7-4F04-B846-BAD1373608F8}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE4F3F3-CA8E-49C3-85A5-A58B1E99A154}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

C:\Documents and Settings\Administrator\Desktop\New Folder

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
Files Found in system Folder............ 
------------------------
C:\WINDOWS\system32\sethcd.exe: UPX!
C:\WINDOWS\system32\smbdins.exe: UPX!
C:\WINDOWS\system32\tsmsetup.exe: UPX!
C:\WINDOWS\system32\upncont.exe: UPX!
C:\WINDOWS\system32\winwiz32.exe: UPX!
C:\WINDOWS\system32\wowdbe.exe: UPX!
C:\WINDOWS\system32\sprestrst.exe: FSG!
C:\WINDOWS\system32\sprmover.exe: FSG!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\DivX.dll: PEC2

Files Found in all users startup Folder............ 
------------------------
Files Found in all users windows Folder............ 
------------------------
Finished
bye


----------
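The rkfiles output in the post above is a string match: each listed file contains a marker that a runtime packer leaves in the executable ("UPX!" for UPX, "FSG!" for FSG, "PEC2" for PECompact 2), and, as the tool's own warning says, a packed file is not automatically a bad file, since legitimate software ships packed too. As an added example, not from the thread and not rkfiles' own code, this Python scanner reads the PE section table and reports common packer section names together with the same marker strings. It builds a constructed, non-runnable PE image in memory so it can be exercised offline; the section-name list, the function names and the directory-walk behaviour are assumptions for this example.

```python
"""Added example, not from the thread or from rkfiles: flag PE files that carry
common runtime-packer section names or the marker strings seen in the rkfiles
output ("UPX!", "FSG!", "PEC2"). A hit means "look closer", not "delete":
legitimate software is shipped packed too, as the tool's own warning says.
"""
import os
import struct
import sys

# Marker strings as they appeared in the posted output, mapped to the packer they belong to.
PACKER_MARKERS = {b"UPX!": "UPX", b"FSG!": "FSG", b"PEC2": "PECompact 2"}

# Section names that well-known packers write (assumed list for this example; extend as needed).
PACKER_SECTION_NAMES = {
    b"UPX0", b"UPX1", b"UPX2",          # UPX
    b".aspack", b".adata",              # ASPack
    b".nsp0", b".nsp1", b".nsp2",       # NsPack
    b".petite",                         # Petite
    b".MPRESS1", b".MPRESS2",           # MPRESS
}


def pe_section_names(data):
    """Return the section names of a PE image, or None if `data` is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20; the
    # section table starts right after the optional header.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    names = []
    for i in range(num_sections):
        off = table + i * 40                 # IMAGE_SECTION_HEADER is 40 bytes, name first
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\x00"))
    return names


def scan_pe_bytes(data):
    """List packer indicators for one file's bytes; [] for a clean PE, None for a non-PE."""
    names = pe_section_names(data)
    if names is None:
        return None
    findings = [f"section {n.decode('latin-1')}" for n in names if n in PACKER_SECTION_NAMES]
    findings += [f"marker {m.decode()} ({p})" for m, p in PACKER_MARKERS.items() if m in data]
    return findings


def scan_directory(root):
    """Walk `root` (rkfiles walked System32) and return {path: findings} for PE files with hits."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            findings = scan_pe_bytes(data)
            if findings:
                report[path] = findings
    return report


def build_sample_pe(section_names, trailer=b""):
    """Constructed, non-runnable PE image with only the fields the scanner reads filled in."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0                        # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x0102)
    opt = b"\x0b\x01" + b"\x00" * (size_opt - 2)    # Magic = PE32, remaining fields zero
    sections = b"".join(n.ljust(8, b"\x00")[:8] + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + opt + sections + trailer


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_directory(sys.argv[1]).items():
            print(f"{path}: {', '.join(hits)}")
    else:
        print(scan_pe_bytes(build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], b"UPX!")))
```

Pointed at a real folder (`python scanner.py C:\WINDOWS\system32`) it produces the same kind of list rkfiles did; treat every hit as a candidate to inspect, date-check and upload for analysis rather than as a file to delete.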



## elvinj (Feb 8, 2005)

so what now?


----------



## dvk01 (Dec 14, 2002)

please download www.thespykiller.co.uk/files/rem3velvin.exe

and save it on your desktop. Double-click it and it will self-extract the Zip file to c:\ms4hd.

Boot your computer into Safe Mode. Instructions on how to do this can be found here:

*How to boot Windows into Safe Mode*

Navigate to c:\ms4hd and double-click on the remv3.bat file. When it is done it will open a log file of what it found. This log file is saved in c:\log.txt.

Reboot your computer back to normal mode and post the contents of c:\log.txt. To open it, click on start, then run, and type *notepad c:\log.txt* and press the OK button.

A notepad will open up. Please create a reply to this message and post the contents of that notepad along with a new hijackthis log.


----------



## elvinj (Feb 8, 2005)

Files Found.................
----------------------------------------
run_dos.dll
rdspclips.exe
sethcd.exe
smbdins.exe
sprestrst.exe
sprmover.exe
tsmsetup.exe
upncont.exe
wowdbe.exe
winwiz32.exe

Files Not deleted.................
----------------------------------------

Merging registry entries
----------------------------------------------------------------- 
The Registry Entries Found... 
-----------------------------------------------------------------

Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
----------------------------------------------------------------- 
msi.dll
Finished

Logfile of HijackThis v1.99.1
Scan saved at 1:38:14 PM, on 2/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\shortcuts\HijackThis.exe

O2 - BHO: Name - {1BE78FFA-56C3-4E27-8FC5-0A1306D4A2F1} - C:\WINDOWS\System32\msktf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [rdspclips.exe] rdspclips.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [sprmover.exe] sprmover.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{23C4DCAE-1AF2-4E2C-A0B2-E725527B3DDE}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797E854-C48F-4125-A689-254170631D7E}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B79A58B-3EC1-4DBD-A54F-50E2458AA192}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A266F223-87D7-4F04-B846-BAD1373608F8}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE4F3F3-CA8E-49C3-85A5-A58B1E99A154}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)


----------



## dvk01 (Dec 14, 2002)

It should just be a clear up now.

Run HijackThis, put a tick in the box beside these entries listed below and *ONLY these entries*, double check to make sure, then make sure all browser & email windows are closed and press Fix checked.

O2 - BHO: Name - {1BE78FFA-56C3-4E27-8FC5-0A1306D4A2F1} - C:\WINDOWS\System32\msktf.dll

O4 - HKLM\..\Run: [rdspclips.exe] rdspclips.exe

O4 - HKLM\..\Run: [sprmover.exe] sprmover.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O17 - HKLM\System\CCS\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{23C4DCAE-1AF2-4E2C-A0B2-E725527B3DDE}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797E854-C48F-4125-A689-254170631D7E}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B79A58B-3EC1-4DBD-A54F-50E2458AA192}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A266F223-87D7-4F04-B846-BAD1373608F8}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE4F3F3-CA8E-49C3-85A5-A58B1E99A154}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31

Now run Killbox and paste the FIRST ONE of these lines into the box, select standard file delete, then press the red X button, and say yes to the prompt.

Then continue to paste the lines in, in turn, and follow the above procedure every time. If it says the file is missing, don't worry; if it says it is unable to delete, then make a note of the file name and let us know when you reply.

C:\WINDOWS\System32\msktf.dll

Then on the Killbox top bar press Tools, then Empty Temp Files, and follow those prompts and say yes to everything.

Then reboot and post a fresh HJT log please.
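
A way to do the sort of triage dvk01 is doing by eye, as an added example that is not code from the thread, from HijackThis or from Killbox: the script below parses HJT lines and flags the patterns fixed in this reply (a BHO DLL sitting in System32, Run entries that name a bare file with no path, an IE policy restriction, and O17 NameServer overrides that point anywhere other than the resolvers the machine should be using). The sample lines are taken from the logs in this thread; the expected-resolver set is a constructed assumption.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example for the thread; not code from the forum, from HijackThis
or from Killbox. The sample lines are copied from the logs posted in this
thread; EXPECTED_RESOLVERS is a constructed assumption standing in for
whatever the ISP or router actually hands out.
"""
import re
from dataclasses import dataclass

# Generic "section - body" shape of an HJT line, e.g. "O17 - HKLM\...".
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O4 Run entries: "HKLM\..\Run: [name] command" (RunOnce / Global Startup are skipped).
O4_RUN = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# O17 DNS overrides: "...: NameServer = a.b.c.d,e.f.g.h".
O17_NS = re.compile(r"NameServer = (?P<servers>[\d.,]+)$")
# O2 BHO entries: "BHO: name - {CLSID} - path".
O2_BHO = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")

SYSTEM_DIR = "c:\\windows\\system32\\"

# Constructed assumption: the resolvers this machine is supposed to use.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Excerpt of the HJT logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Name - {1BE78FFA-56C3-4E27-8FC5-0A1306D4A2F1} - C:\WINDOWS\System32\msktf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [sprmover.exe] sprmover.exe
O4 - HKLM\..\Run: [rdspclips.exe] rdspclips.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
""".strip().splitlines()


@dataclass
class Finding:
    line: str
    reason: str


def is_bare_filename(command):
    """True when a Run command names a file with no directory at all.

    Such entries are resolved through the PATH search at logon; the entries
    dvk01 asked to have fixed (sprmover.exe, rdspclips.exe) are written this way.
    """
    token = command.strip()
    if token.startswith('"'):
        token = token[1:].split('"', 1)[0]   # quoted path, possibly with spaces
    else:
        token = token.split(" ", 1)[0]       # first token is enough to spot a directory
    return "\\" not in token and "/" not in token and ":" not in token


def triage(log_lines, expected_resolvers):
    """Return the lines a helper would want to look at, each with a reason."""
    findings = []
    for raw in log_lines:
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O2":
            bho = O2_BHO.match(body)
            if bho and bho.group("path").lower().startswith(SYSTEM_DIR):
                findings.append(Finding(raw, "BHO DLL loaded from the system directory"))
        elif section == "O4":
            run = O4_RUN.match(body)
            if run and is_bare_filename(run.group("command")):
                findings.append(Finding(raw, "Run entry names a bare file with no path"))
        elif section == "O6":
            # IE options locked by policy; something a home user rarely sets.
            findings.append(Finding(raw, "IE policy restriction present"))
        elif section == "O17":
            ns = O17_NS.search(body)
            if ns:
                unexpected = [s for s in ns.group("servers").split(",")
                              if s not in expected_resolvers]
                if unexpected:
                    findings.append(Finding(raw, "NameServer not in expected set: "
                                            + ", ".join(unexpected)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, EXPECTED_RESOLVERS):
        print(f"{f.reason}\n    {f.line}")
```

Run it as a script to print the flagged lines; in practice, feed it the whole log and fill EXPECTED_RESOLVERS from the router or ISP settings. A bare-name O4 entry is not proof of anything on its own, so treat the output as a list of entries to verify, which is exactly how dvk01 reads the log.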


----------



## elvinj (Feb 8, 2005)

The following were not in my HijackThis logfile:

O2 - BHO: Name - {1BE78FFA-56C3-4E27-8FC5-0A1306D4A2F1} - C:\WINDOWS\System32\msktf.dll

O4 - HKLM\..\Run: [rdspclips.exe] rdspclips.exe

O4 - HKLM\..\Run: [sprmover.exe] sprmover.exe

I pasted in Killbox the following:

C:\WINDOWS\System32\msktf.dll

and it could not be deleted.

I may not understand your instructions. Are the "lines" you wanted posted in Killbox the entries for HijackThis? If not, the only line I saw for pasting in Killbox was
C:\WINDOWS\System32\msktf.dll
I pasted the entries in HJT and none were found. I pasted C:\WINDOWS\System32\msktf.dll
and I could not delete it. Can you explain?

Anyway, I deleted temp files from Killbox and I will now reboot and post a log in a few minutes.


----------



## elvinj (Feb 8, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 10:52:18 PM, on 2/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\sprmover.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Administrator\Desktop\shortcuts\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)


----------



## dvk01 (Dec 14, 2002)

I don't know why it was in the HJT log, but I assume that after we fixed the main problem we removed the rootkit that was hiding some entries.

When Killbox says the file doesn't exist that is good; we like to make sure that any bad file showing in HJT is deleted and not just the entry removed.

Turn off System Restore by following the instructions here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable System Restore & create a new restore point.

Go here http://forums.techguy.org/t208517/s.html for info on how to tighten your security settings and how to help prevent future attacks.

And pay an urgent visit to Windows Update & get the bunch of new updates that are alleged to plug the security holes that let these pests on in the first place.
It is vital that you go here, click Scan for updates in the main frame, and download and install *all* CRITICAL updates recommended.


----------



## elvinj (Feb 8, 2005)

I am sad to say that I still have the bug. All the same annoying pop-ups just came up again. Here is an HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:49:37 AM, on 2/21/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\BitLord\BitLord.exe
C:\Program Files\Audacity\audacity.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\sprmover.exe
C:\WINDOWS\System32\smbdins.exe
C:\WINDOWS\System32\sethcd.exe
C:\Program Files\ImTOO\Audio Encoder\audioenc.exe
C:\Program Files\Ahead\Nero\nero.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\shortcuts\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{23C4DCAE-1AF2-4E2C-A0B2-E725527B3DDE}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797E854-C48F-4125-A689-254170631D7E}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B79A58B-3EC1-4DBD-A54F-50E2458AA192}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A266F223-87D7-4F04-B846-BAD1373608F8}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE4F3F3-CA8E-49C3-85A5-A58B1E99A154}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7B4659A-EBD9-45CD-B683-6F346EDAE470}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.188.180,195.225.176.31
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)


----------



## dvk01 (Dec 14, 2002)

I can't see why this one won't fix, but there must be some new files to it.

I have asked the person who developed the fix to look at it and see what they can suggest, so give us a day or so & if you don't hear anything then remind us please.


----------



## elvinj (Feb 8, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 1:58:18 PM, on 2/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\explorer.exe
C:\Program Files\BitLord\BitLord.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\sprmover.exe
C:\WINDOWS\System32\sethcd.exe
C:\Documents and Settings\Administrator\Desktop\shortcuts\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{23C4DCAE-1AF2-4E2C-A0B2-E725527B3DDE}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797E854-C48F-4125-A689-254170631D7E}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B79A58B-3EC1-4DBD-A54F-50E2458AA192}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A266F223-87D7-4F04-B846-BAD1373608F8}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE4F3F3-CA8E-49C3-85A5-A58B1E99A154}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7B4659A-EBD9-45CD-B683-6F346EDAE470}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.188.180,195.225.176.31
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)


----------



## Mosaic1 (Aug 17, 2001)

May I ask you to run some tests and post the results please?

PV is a utility to find which dlls are loaded under an exe.

Download pv.zip here
http://www.downloads.subratam.org/pv.zip

Extract to its own folder. Be sure at least one Internet Explorer window is open when you run this.

Double click on runme.bat. Do not touch anything else in the folder. The other files are not going to be used here.

Type 2 and press Enter to get a log of what is loaded under Iexplore.exe (Internet Explorer).

The log will open. Copy and paste its contents into your next reply.
When you run this again your old log will be destroyed. To save it, rename it before you close it.

To see what is running under Explorer.exe double click on runme.bat. This time type 1 and press Enter. Copy and paste the contents of the new log into your next reply.
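
The PV listing is plain text, so the triage Mosaic1 does by eye can be scripted. The following is an added example, not code from the thread or from PV: it parses the "Module information" rows (the path is unquoted and may contain spaces, so it is split on the module name rather than on whitespace), lists modules that carry no version resource at all, and answers the question elvinj ran into with Killbox, whether a given file is currently mapped into the process. The sample rows are an excerpt of the pv2 output posted later in this thread; the "no version info" heuristic is an assumption about what to check first, not something PV itself does.

```python
"""Parse a PV 'Module information' listing and pick out modules to look at.

Added example for the PV step in this thread; not code from the thread or
from the PV tool. SAMPLE_PV is an excerpt of the pv2 output posted later in
the thread; the heuristic in unversioned() is an assumption about what a
helper looks for first.
"""
import re
from dataclasses import dataclass

# One PV row: "name base size path [version (build) description]".
ROW = re.compile(r"^(?P<module>\S+)\s+(?P<base>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+(?P<rest>.*)$")

SAMPLE_PV = r"""
Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2600.0000 (xpclient.010817-1148) Internet Explorer
ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.0 (xpclient.010817-1148) NT Layer DLL
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library
hdrsb.dll 10000000 32768 C:\WINDOWS\System32\hdrsb.dll
CLBCATQ.DLL 7c620000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
msktf.dll b70000 32768 C:\WINDOWS\System32\msktf.dll
SDHelper.dll e90000 765952 C:\PROGRA~1\SPYBOT~1\SDHelper.dll 1, 3, 0, 12 Bad download blocker
"""


@dataclass
class Module:
    name: str
    base: int
    size: int
    path: str
    version_info: str   # version, build tag and description; "" when the file has none


def parse_pv(text):
    """Turn PV output into Module records, skipping the banner and column header."""
    modules = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue   # "Module information for ..." and "MODULE BASE SIZE PATH"
        name, rest = m.group("module"), m.group("rest")
        # The path is unquoted and may contain spaces, but it always ends in the
        # module name, so split there instead of on whitespace.
        end = rest.lower().find(name.lower())
        if end < 0:
            continue   # not a row we understand; don't guess
        end += len(name)
        modules.append(Module(name, int(m.group("base"), 16), int(m.group("size")),
                              rest[:end], rest[end:].strip()))
    return modules


def unversioned(modules):
    """Modules that carry no version resource at all.

    Every other row in the posted listing has at least a version number; the
    two that have nothing, hdrsb.dll and msktf.dll, include the BHO DLL that
    dvk01 asked to have deleted.
    """
    return [mod for mod in modules if not mod.version_info]


def is_loaded(modules, path):
    """Whether a file is mapped into the process.

    A file mapped into a running process cannot be deleted in place, which is
    one reason a Killbox standard delete can fail, as it did for msktf.dll.
    """
    return any(mod.path.lower() == path.lower() for mod in modules)


if __name__ == "__main__":
    mods = parse_pv(SAMPLE_PV)
    for mod in unversioned(mods):
        print(f"no version info: {mod.path} (base {mod.base:#x}, {mod.size} bytes)")
```

Running it on the excerpt reports hdrsb.dll and msktf.dll; on the full listing from a machine, pair the output with the HJT log so that each unversioned module is matched to the O2/O4 entry that loads it.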


----------



## Mosaic1 (Aug 17, 2001)

This next will only work if you have an English version of windows. If you do, please continue. If not, post back to let me know.

I am uploading a zip file. Please download and extract the file it contains. Extract the file to a new folder of its own please.

The script is named:
Nested if's get atts.vbs

Double click on *Nested if's get atts.vbs*

An Input Box will appear.

Type this path and press ok:
C:\WINDOWS\System32

This is going to take a few minutes to run. If you get a warning from your Anti Virus please allow this to run. It is not malicious in any way.

When it has finished it will open a text file named attribute.txt.

Don't copy and paste it. It will be rather large. It takes an expert to read and analyze correctly. Save it as *System32 atts.txt*

Upload it in your next reply as an attachment.

After you have finished, run the script again. This time paste this into the input box:

C:\windows

When it has finished, save as atts windows.txt and attach in yet another reply please.


----------



## Mosaic1 (Aug 17, 2001)

One more quick file to look at please. I am uploading another zip. Create a folder on the desktop. Name it get bhos. Extract the contents of the zip to that folder.


This contains a simple batch file named:
Get Bho Hive.bat

Double click on Get Bho Hive.bat

It will produce a file named Bho.txt in that same folder. Don't copy and paste. This is a binary file and will not only look odd, but it will also cause a huge scroll on this page, making it hard to read.

Attach bho.txt to your next reply here.


----------



## Mosaic1 (Aug 17, 2001)

If you do come back I would also like to see what happens if we terminate some processes as the first step in the removal process.

C:\WINDOWS\System32\sprmover.exe
C:\WINDOWS\System32\sethcd.exe

But we would need to see your latest Hijackthis log first and then go from there.


----------



## elvinj (Feb 8, 2005)

pv2:


Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe 6.00.2600.0000 (xpclient.010817-1148) Internet Explorer
ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.0 (xpclient.010817-1148) NT Layer DLL
kernel32.dll 77e60000 917504 C:\WINDOWS\system32\kernel32.dll 5.1.2600.153 (xpclnt_qfe.021108-2107) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL
USER32.dll 77d40000 548864 C:\WINDOWS\system32\USER32.dll 5.1.2600.152 (xpclnt_qfe.021108-2107) Windows XP USER API Client DLL
GDI32.dll 77c70000 253952 C:\WINDOWS\system32\GDI32.dll 5.1.2600.151 (xpclnt_qfe.021108-2107) GDI Client DLL
ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API
RPCRT4.dll 78000000 454656 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.135 (xpclnt_qfe.021108-2107) Remote Procedure Call Runtime
SHLWAPI.dll 772d0000 409600 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2750.167 (xpclnt_qfe.040728-2019) Shell Light-weight Utility Library
SHDOCVW.dll 71700000 1343488 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2750.167 Shell Doc Object and Control Library
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library
hdrsb.dll 10000000 32768 C:\WINDOWS\System32\hdrsb.dll 
SHELL32.dll 773d0000 8318976 C:\WINDOWS\system32\SHELL32.dll 6.00.2750.166 (xpclnt_qfe.040728-2019) Windows Shell Common Dll
comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpclient.010817-1148) Common Controls Library
ole32.dll 771b0000 1126400 C:\WINDOWS\system32\ole32.dll 5.1.2600.136 (xpclnt_qfe.021108-2107) Microsoft OLE for Windows
uxtheme.dll 5ad70000 212992 C:\WINDOWS\system32\uxtheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library
BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2737.1600 Shell Browser UI Library
browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library
appHelp.dll 75f40000 118784 C:\WINDOWS\system32\appHelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library
CLBCATQ.DLL 7c620000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53 
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42 
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
WININET.dll 63000000 610304 C:\WINDOWS\system32\WININET.dll 6.00.2737.800 Internet Extensions for Win32
CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.137 (xpclnt_qfe.021108-2107) ASN.1 Runtime APIs
Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface
cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Client Side Caching UI
CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
SETUPAPI.dll 76670000 933888 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows Setup API
msktf.dll b70000 32768 C:\WINDOWS\System32\msktf.dll 
SDHelper.dll e90000 765952 C:\PROGRA~1\SPYBOT~1\SDHelper.dll 1, 3, 0, 12 Bad download blocker
olepro32.dll 5edd0000 106496 C:\WINDOWS\System32\olepro32.dll 5.0.5014 Microsoft (R) OLE Property Support DLL
urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2745.2300 OLE32 Extensions for Win32
shdoclc.dll 1100000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2715.400 Shell Doc Object and Control Library
mlang.dll 74770000 585728 C:\WINDOWS\System32\mlang.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL
wsock32.dll 71ad0000 32768 C:\WINDOWS\System32\wsock32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL
WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.0 (xpclient.010817-1148) Remote Access API
rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access Connection Manager
NETAPI32.dll 71c20000 315392 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.122 (xpclnt_qfe.021108-2107) Net Win32 API DLL
TAPI32.dll 76eb0000 172032 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Windows(TM) Telephony API Client DLL
rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL
sensapi.dll 722b0000 20480 C:\WINDOWS\System32\sensapi.dll 5.1.2600.0 (XPClient.010817-1148) SENS Connectivity API DLL
msi.dll 76400000 2076672 C:\WINDOWS\System32\msi.dll 2.0.2600.0 Windows Installer
SXS.DLL 75e90000 663552 C:\WINDOWS\System32\SXS.DLL 5.1.2600.136 (xpclnt_qfe.021108-2107) Fusion 2.5
USERENV.dll 75a70000 667648 C:\WINDOWS\system32\USERENV.dll 5.1.2600.0 (xpclient.010817-1148) Userenv
DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-1148) DNS Client API DLL
winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL
rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
mshtml.dll 63580000 2785280 C:\WINDOWS\System32\mshtml.dll 6.00.2745.2800 Microsoft (R) HTML Viewer
msimtf.dll 746f0000 167936 C:\WINDOWS\System32\msimtf.dll 5.1.2600.0 (xpclient.010817-1148) Active IMM Server DLL
MSCTF.dll 74720000 307200 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.0 (xpclient.010817-1148) MSCTF Server DLL
IMM32.DLL 76390000 106496 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.0 (xpclient.010817-1148) Windows XP IMM32 API Client DLL
jscript.dll 75c50000 593920 C:\WINDOWS\System32\jscript.dll 5.6.0.6626 Microsoft (r) JScript
iepeers.dll 66e50000 241664 C:\WINDOWS\System32\iepeers.dll 6.00.2600.0000 (xpclient.010817-1148) Internet Explorer Peer Objects
WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.0 (XPClient.010817-1148) Windows Spooler Driver
dxtrans.dll 6bdd0000 208896 C:\WINDOWS\System32\dxtrans.dll 6.00.2600.0000 (xpclient.010817-1148) DirectX Media -- DirectX Transform Core
ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)
ddrawex.dll 6d430000 36864 C:\WINDOWS\System32\ddrawex.dll 5.1.2600.0 (xpclient.010817-1148) Direct Draw Ex
DDRAW.dll 73760000 282624 C:\WINDOWS\System32\DDRAW.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft DirectDraw
DCIMAN32.dll 73bc0000 24576 C:\WINDOWS\System32\DCIMAN32.dll 5.1.2600.0 (xpclient.010817-1148) DCI Manager
dxtmsft.dll 6be10000 348160 C:\WINDOWS\System32\dxtmsft.dll 6.00.2600.0000 (xpclient.010817-1148) DirectX Media -- Image DirectX Transforms
MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
webcheck.dll 74b30000 266240 C:\WINDOWS\System32\webcheck.dll 6.00.2600.0000 (xpclient.010817-1148) Web Site Monitor
mshtmled.dll 74cb0000 454656 C:\WINDOWS\System32\mshtmled.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft (R) HTML Editing Component



pv1:



Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 1000000 1011712 C:\WINDOWS\Explorer.EXE 6.00.2600.0000 (xpclient.010817-1148) Windows Explorer
ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.0 (xpclient.010817-1148) NT Layer DLL
kernel32.dll 77e60000 917504 C:\WINDOWS\system32\kernel32.dll 5.1.2600.153 (xpclnt_qfe.021108-2107) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL
ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API
RPCRT4.dll 78000000 454656 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.135 (xpclnt_qfe.021108-2107) Remote Procedure Call Runtime
GDI32.dll  77c70000 253952 C:\WINDOWS\system32\GDI32.dll 5.1.2600.151 (xpclnt_qfe.021108-2107) GDI Client DLL
USER32.dll 77d40000 548864 C:\WINDOWS\system32\USER32.dll 5.1.2600.152 (xpclnt_qfe.021108-2107) Windows XP USER API Client DLL
SHLWAPI.dll 772d0000 409600 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2750.167 (xpclnt_qfe.040728-2019) Shell Light-weight Utility Library
SHELL32.dll 773d0000 8318976 C:\WINDOWS\system32\SHELL32.dll 6.00.2750.166 (xpclnt_qfe.040728-2019) Windows Shell Common Dll
ole32.dll 771b0000 1126400 C:\WINDOWS\system32\ole32.dll 5.1.2600.136 (xpclnt_qfe.021108-2107) Microsoft OLE for Windows
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2737.1600 Shell Browser UI Library
SHDOCVW.dll 71700000 1343488 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2750.167 Shell Doc Object and Control Library
UxTheme.dll 5ad70000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library
comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpclient.010817-1148) Common Controls Library
appHelp.dll 75f40000 118784 C:\WINDOWS\system32\appHelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library
CLBCATQ.DLL 7c620000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53 
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42 
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Client Side Caching UI
CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
themeui.dll 5b630000 458752 C:\WINDOWS\System32\themeui.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Theme API
Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface
MSIMG32.dll 76380000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.0 (xpclient.010817-1148) GDIEXT Client DLL
USERENV.dll 75a70000 667648 C:\WINDOWS\system32\USERENV.dll 5.1.2600.0 (xpclient.010817-1148) Userenv
netapi32.dll 71c20000 315392 C:\WINDOWS\System32\netapi32.dll 5.1.2600.122 (xpclnt_qfe.021108-2107) Net Win32 API DLL
SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.0 (xpclient.010817-1148) SAM Library DLL
ntshrui.dll 76990000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.0 (xpclient.010817-1148) Shell extensions for sharing
ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)
SETUPAPI.dll 76670000 933888 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows Setup API
msi.dll 76400000 2076672 C:\WINDOWS\System32\msi.dll 2.0.2600.0 Windows Installer
NETSHELL.dll 75cf0000 1638400 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.0 (xpclient.010817-1148) Network Connections Shell
credui.dll 76c00000 184320 C:\WINDOWS\system32\credui.dll 5.1.2600.0 (xpclient.010817-1148) Credential Manager User Interface
WS2_32.dll 71ab0000 86016 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
iphlpapi.dll 76d60000 86016 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2 (xpclient.010817-1148) IP Helper API
netman.dll 76de0000 155648 C:\WINDOWS\system32\netman.dll 5.1.2600.0 (xpclient.010817-1148) Network Connections Manager
MPRAPI.dll 76d40000 90112 C:\WINDOWS\system32\MPRAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT MP Router Administration DLL
ACTIVEDS.dll 76e40000 192512 C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) ADs Router Layer DLL
adsldpc.dll 76e10000 147456 C:\WINDOWS\system32\adsldpc.dll 5.1.2600.0 (xpclient.010817-1148) ADs LDAP Provider C DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL
rtutils.dll 76e80000 53248 C:\WINDOWS\system32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
RASAPI32.dll 76ee0000 225280 C:\WINDOWS\system32\RASAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access API
rasman.dll 76e90000 69632 C:\WINDOWS\system32\rasman.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access Connection Manager
TAPI32.dll 76eb0000 172032 C:\WINDOWS\system32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Windows(TM) Telephony API Client DLL
WINMM.dll 76b40000 180224 C:\WINDOWS\system32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL
WZCSvc.DLL 76da0000 196608 C:\WINDOWS\system32\WZCSvc.DLL 5.1.2600.0 (xpclient.010817-1148) Wireless Zero Configuration Service
WMI.dll 76d30000 16384 C:\WINDOWS\system32\WMI.dll 5.1.2600.0 (XPClient.010817-1148) WMI DC and DP functionality
DHCPCSVC.DLL 76d80000 106496 C:\WINDOWS\system32\DHCPCSVC.DLL 5.1.2600.0 (xpclient.010817-1148) DHCP Client Service
DNSAPI.dll 76f20000 151552 C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-1148) DNS Client API DLL
CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.137 (xpclnt_qfe.021108-2107) ASN.1 Runtime APIs
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Terminal Server SDK APIs
WINSTA.dll 76360000 61440 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.0 (xpclient.010817-1148) Winstation Library
LINKINFO.dll 76980000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.165 (xpclnt_qfe.040728-2019) Windows Volume Tracking
webcheck.dll 74b30000 266240 C:\WINDOWS\System32\webcheck.dll 6.00.2600.0000 (xpclient.010817-1148) Web Site Monitor
stobject.dll 74b00000 131072 C:\WINDOWS\System32\stobject.dll 5.1.2600.0 (xpclient.010817-1148) Systray shell service object
BatMeter.dll 74af0000 36864 C:\WINDOWS\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 28672 C:\WINDOWS\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL
wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
printui.dll 74b80000 532480 C:\WINDOWS\System32\printui.dll 5.1.2600.0 (XPClient.010817-1148) Print UI DLL
WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.0 (XPClient.010817-1148) Windows Spooler Driver
CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 49152 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.165 (xpclnt_qfe.040728-2019) Microsoft® Lan Manager
NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL
browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library
WININET.dll 63000000 610304 C:\WINDOWS\system32\WININET.dll 6.00.2737.800 Internet Extensions for Win32
msktf.dll 10000000 32768 C:\WINDOWS\System32\msktf.dll 
SDHelper.dll 1820000 765952 C:\PROGRA~1\SPYBOT~1\SDHelper.dll 1, 3, 0, 12 Bad download blocker
olepro32.dll 5edd0000 106496 C:\WINDOWS\System32\olepro32.dll 5.0.5014 Microsoft (R) OLE Property Support DLL
urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2745.2300 OLE32 Extensions for Win32
dBShell.dll 1a60000 114688 C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll 6, 0, 0, 1 dBShell Module
DUSER.dll 6c1b0000 274432 C:\WINDOWS\System32\DUSER.dll 5.1.2600.0 (xpclient.010817-1148) Windows DirectUser Engine
rarext.dll 1e00000 176128 C:\Program Files\WinRAR\rarext.dll 
avgse.dll 621a0000 57344 C:\Program Files\Grisoft\AVG Free\avgse.dll 7,1,0,285 AVG Shell Extension
MSVCP71.dll 7c3a0000 503808 C:\WINDOWS\System32\MSVCP71.dll 7.10.3077.0 Microsoft® C++ Runtime Library
MSVCR71.dll 7c340000 352256 C:\WINDOWS\System32\MSVCR71.dll 7.10.3052.4 Microsoft® C Runtime Library
SXS.DLL 75e90000 663552 C:\WINDOWS\System32\SXS.DLL 5.1.2600.136 (xpclnt_qfe.021108-2107) Fusion 2.5
shdoclc.dll 22b0000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2715.400 Shell Doc Object and Control Library
mydocs.dll 72410000 102400 C:\WINDOWS\System32\mydocs.dll 6.00.2600.0000 (xpclient.010817-1148) My Documents Folder UI
WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.0 (XPClient.010817-1148) Windows NT Image Helper
rsaenh.dll ffd0000 139264 C:\WINDOWS\System32\rsaenh.dll 5.1.2518.0 (main.010714-2114) Microsoft Base Cryptographic Provider
asfsipc.dll 70eb0000 28672 C:\WINDOWS\System32\asfsipc.dll 1.1.00.3917 ASFSipc Object
MSISIP.DLL 605f0000 53248 C:\WINDOWS\System32\MSISIP.DLL 2.0.2600.0 MSI Signature SIP Provider
wshext.dll 74ea0000 65536 C:\WINDOWS\System32\wshext.dll 5.6.0.6626 Microsoft (r) Shell Extension for Windows Script Host
comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2600.0000 (xpclient.010817-1148) Common Dialogs DLL


----------



## elvinj (Feb 8, 2005)

here it is


----------



## elvinj (Feb 8, 2005)

this is all i got from running script on C:\windows:

2/22/2005 9:37:35 PM
List of possible non MS apps and dll's in
C:\windows


List of hidden files in C:\windows


----------



## Mosaic1 (Aug 17, 2001)

I am here and reading. I'll post shortly. Can you wait a bit?

Also, can you run the batch I sent? I need to see bho.txt to determine something. Thanks.


----------



## Mosaic1 (Aug 17, 2001)

Please go to Folder Options to the View Tab.

Be sure the Hide Extensions for known file types is unchecked. Then run the script again for the Windows directory and for system32 please.


----------



## Mosaic1 (Aug 17, 2001)

I'm not sure that will help. It seems you have two files we know of running and are invisible to Windows. We have to disable the rootkit again and then clean again.


----------



## elvinj (Feb 8, 2005)

i never got Get Bho Hive.bat. in post 49 you said you were uploading it but there was no attachment.


----------



## Mosaic1 (Aug 17, 2001)

I'm sorry. Here you are. I am about to sign off here. It's very late. But I'd like to see it before I leave. I'll let you know what I find if anything.


----------



## elvinj (Feb 8, 2005)

how do we disable the rootkit and clean?


----------



## Mosaic1 (Aug 17, 2001)

We can do it by terminating certain processes and adding file names to something you have already run. I am too tired to continue tonight. But I do please want to see your bho.txt before I leave.


----------



## Mosaic1 (Aug 17, 2001)

Are you still there? I have been waiting to see that bho.txt file please. I am trying to work out a plan to try and help. Right after you post bho.txt

Click here to download pskill.zip
http://www.sysinternals.com/files/pskill.zip

Extract pskill.exe to your system32 folder. It is a zip and the exe must be extracted to system32 for this to have any chance of working.


----------



## Mosaic1 (Aug 17, 2001)

Did you see the attachment? I attached it but you posted and so may have missed it.
http://forums.techguy.org/attachment.php?attachmentid=50682


----------



## Mosaic1 (Aug 17, 2001)

I am not sure this will work by itself. But let's try it this way first and see. If not, then it can supplement something else later. Don't worry about that.

Assuming you now have pskill.exe in your system32 folder, I have created a file. I wish I had the bho.txt, but we'll have to do without it.

Download the zip I have attached.

Extract the Batch file it contains to its own folder and be ready to Restart the computer.

Sign off the internet and unplug your modem.

Double click on *deletethem.bat*

This is going to kill explorer and iexplore plus a few other things. Your screen will be empty. The Command will then attempt to delete some files.

At the end Task Manager will come up.

Use it to shut down the computer completely. Click Shut Down on its toolbar and then Turn Off.

Plug your Modem back in and Restart into Windows.

Post a new Hijackthis log.

This batch also created a new file named Deletions.txt in the folder from which you ran deletethem.bat. Please copy and paste the contents of that file as well.


----------



## elvinj (Feb 8, 2005)

ok, gimme a sec


----------



## elvinj (Feb 8, 2005)

here is bho.txt


----------



## elvinj (Feb 8, 2005)

2/23/2005 12:47:56 AM
List of possible non MS apps and dll's in
C:\WINDOWS\System32


Name: a3d.dll
Size: 48 KB
Type: Application Extension
Date Modified: 9/11/2001 6:05 AM
Date Created: 1/10/2005 7:55 PM
Attributes: RA
Owner: BRIAN-3Q7QF5MCR\Administrator
Description: a3dx5
File Version: 80.0.0.3
Product Name: a3dx5

Name: append.exe
Size: 13 KB
Type: Application
Date Modified: 8/23/2001 6:00 AM
Date Created: 8/23/2001 6:00 AM
Attributes: A
Owner: Administrators

Name: ati2cqag.dll
Size: 224 KB
Type: Application Extension
Date Modified: 6/10/2004 7:25 AM
Date Created: 6/10/2004 7:25 AM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: ATI Technologies Inc.
Description: Central Memory Manager / Queue Server Module
File Version: 6.14.10.244
Product Name: ATI Radeon Family

Name: ati2dvag.dll
Size: 203 KB
Type: Application Extension
Date Modified: 6/10/2004 8:57 AM
Date Created: 6/10/2004 8:57 AM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: ATI Technologies Inc.
Description: ATI Radeon WindowsNT Display Driver
File Version: 6.14.10.6458
Product Name: ATI Radeon WindowsNT Display Driver

Name: ati2edxx.dll
Size: 30 KB
Type: Application Extension
Date Modified: 6/10/2004 8:46 AM
Date Created: 6/10/2004 8:46 AM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: ATI Technologies, Inc.
Description: ati2edxx
File Version: 6.14.10.2494
Product Name: ATI External Device Utility

Name: ati2evxx.dll
Size: 84 KB
Type: Application Extension
Date Modified: 6/10/2004 8:46 AM
Date Created: 6/10/2004 8:46 AM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: ATI Technologies Inc.
Description: ATI External Event Utility DLL Module
File Version: 6.14.10.4103
Product Name: ATI External Event Utility for NT, W2K and W9X

Name: ati2evxx.exe
Size: 368 KB
Type: Application
Date Modified: 6/10/2004 8:44 AM
Date Created: 6/10/2004 8:44 AM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: ATI Technologies Inc.
Description: ATI External Event Utility EXE Module
File Version: 6.14.10.4103
Product Name: ATI External Event Utility for WindowsNT and Windows9X

Name: Ati2mdxx.exe
Size: 64 KB
Type: Application
Date Modified: 6/10/2004 8:47 AM
Date Created: 6/10/2004 8:47 AM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: ATI Technologies, Inc.
Description: ATI2MDXX
File Version: 6.14.10.2494
Product Name: ATI Default Resolution Update

Name: ati2sgag.exe
Size: 504 KB
Type: Application
Date Modified: 6/10/2004 9:10 PM
Date Created: 2/12/2005 12:20 AM
Owner: BRIAN-3Q7QF5MCR\Administrator
Description: ATI Smart
File Version: 5.13.1.20
Product Name: ATI Smart

Name: ati3duag.dll
Size: 2,106 KB
Type: Application Extension
Date Modified: 6/10/2004 8:31 AM
Date Created: 6/10/2004 8:31 AM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: ATI Technologies Inc.
Description: ati3duag.dll
File Version: 6.14.10.247
Product Name: ATI Technologies Inc. Radeon DirectX Universal Driver

Name: ATIDDC.DLL
Size: 80 KB
Type: Application Extension
Date Modified: 6/10/2004 8:44 AM
Date Created: 6/10/2004 8:44 AM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: ATI Technologies Inc.
Description: atiddc
File Version: 6.14.10.5
Product Name: ATI Radeon Family

Name: ATIDEMGR.dll
Size: 128 KB
Type: Application Extension
Date Modified: 6/10/2004 11:27 AM
Date Created: 2/12/2005 12:19 AM
Attributes: RA
Owner: BRIAN-3Q7QF5MCR\Administrator
File Version: 1.0.1623.815

Name: atiiiexx.dll
Size: 288 KB
Type: Application Extension
Date Modified: 6/10/2004 11:54 AM
Date Created: 2/12/2005 12:19 AM
Attributes: RA
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: ATI Technologies Inc.
Description: .INF file installer
File Version: 6.14.10.4003
Product Name: ATI Display Driver Utilities

Name: atioglxx.dll
Size: 6,372 KB
Type: Application Extension
Date Modified: 6/10/2004 9:43 AM
Date Created: 6/10/2004 9:43 AM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: ATI Technologies Inc.
Description: ATI OpenGL driver
File Version: 6.14.10.4454
Product Name: ATI OpenGL driver

Name: atipdlxx.dll
Size: 116 KB
Type: Application Extension
Date Modified: 6/10/2004 8:47 AM
Date Created: 6/10/2004 8:47 AM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: ATI Technologies, Inc.
Description: ATI Desktop CWDDEDI DLL
File Version: 6.14.10.2490
Product Name: ATI Desktop Component

Name: atitvo32.dll
Size: 17 KB
Type: Application Extension
Date Modified: 6/10/2004 7:35 AM
Date Created: 6/10/2004 7:35 AM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: ATI Technologies Inc.
Description: ATI RageTheater/ImpacTV2 COM interface
File Version: 6.14.10.4100
Product Name: ATI RageTheater/ImpacTV COM interface

Name: ativcoxx.dll
Size: 24 KB
Type: Application Extension
Date Modified: 11/8/2001 9:01 PM
Date Created: 11/8/2001 9:01 PM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: ATI Technologies, Inc.
Description: 32-bit ATI VCO Driver
File Version: 6.13.10.5

Name: ativvaxx.dll
Size: 507 KB
Type: Application Extension
Date Modified: 6/10/2004 7:51 AM
Date Created: 6/10/2004 7:51 AM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: ATI Technologies Inc.
Description: Radeon Video Acceleration Universal Driver
File Version: 6.14.1.20
Product Name: ATI Technologies Inc. Radeon Video Acceleration Universal Driver

Name: atmfd.dll
Size: 267 KB
Type: Application Extension
Date Modified: 8/23/2001 6:00 AM
Date Created: 8/23/2001 6:00 AM
Attributes: A
Owner: Administrators
Company: Adobe Systems Incorporated
Description: Windows NT OpenType/Type 1 Font Driver
File Version: 5.1.2.225
Product Name: Adobe Type Manager

Name: atmlib.dll
Size: 27 KB
Type: Application Extension
Date Modified: 8/23/2001 6:00 AM
Date Created: 8/23/2001 6:00 AM
Attributes: A
Owner: Administrators
Company: Adobe Systems
Description: Windows NT OpenType/Type 1 API Library.
File Version: 5.1.2.225
Product Name: Adobe Type Manager

Name: command.com
Size: 50 KB
Type: MS-DOS Application
Date Modified: 8/23/2001 6:00 AM
Date Created: 8/23/2001 6:00 AM
Attributes: A
Owner: Administrators

Name: compatUI.dll
Size: 233 KB
Type: Application Extension
Date Modified: 8/23/2001 6:00 AM
Date Created: 8/23/2001 6:00 AM
Attributes: A
Owner: Administrators
Description: CompatUI Module
File Version: 1.0.0.1
Product Name: CompatUI Module

Name: debug.exe
Size: 21 KB
Type: Application
Date Modified: 8/23/2001 6:00 AM
Date Created: 8/23/2001 6:00 AM
Attributes: A
Owner: Administrators

Name: deltapnl.dll
Size: 86 KB
Type: Application Extension
Date Modified: 12/6/2002 10:18 AM
Date Created: 1/20/2005 4:38 AM
Attributes: RA
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: Doug Fetter Software Wizardry
Description: M Audio Delta Control Panel Interface
File Version: 5.2.1.4
Product Name: M Audio Delta Control Panel Interface

Name: deltapnl.exe
Size: 1,081 KB
Type: Application
Date Modified: 12/6/2002 10:20 AM
Date Created: 12/6/2002 10:20 AM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: Doug Fetter Software Wizardry
Description: DeltaPnl MFC Application
File Version: 1.3.16.0
Product Name: M Audio Delta Control Panel Application

Name: deltasio.dll
Size: 20 KB
Type: Application Extension
Date Modified: 11/13/2003 10:22 AM
Date Created: 1/20/2005 4:38 AM
Attributes: RA
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: Midiman/M-Audio
Description: M-Audio Delta ASIO Support Library
File Version: 5.10.0.5034
Product Name: M-Audio Delta ASIO Support Library

Name: delttray.exe
Size: 55 KB
Type: Application
Date Modified: 12/6/2002 10:19 AM
Date Created: 1/20/2005 4:38 AM
Attributes: RA
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: Doug Fetter Software Wizardry
Description: M Audio Delta Control Panel Interface System Tray Applet
File Version: 5.1.0.1
Product Name: M Audio Delta Control Panel Interface System Tray Applet

Name: dgrpsetu.dll
Size: 173 KB
Type: Application Extension
Date Modified: 8/23/2001 6:00 AM
Date Created: 1/8/2005 6:57 AM
Attributes: A
Owner: Administrators
Company: Digi International, Inc.
Description: Digi RealPort® Driver Upgrade
File Version: 2.3.7.0
Product Name: Digi RealPort® Driver

Name: dgsetup.dll
Size: 84 KB
Type: Application Extension
Date Modified: 8/23/2001 6:00 AM
Date Created: 1/8/2005 6:57 AM
Attributes: A
Owner: Administrators
Company: Digi International
Description: DGSETUP DLL
File Version: 3.7.3.0
Product Name: DGSETUP Dynamic Link Library

Name: DivX.dll
Size: 700 KB
Type: Application Extension
Date Modified: 10/26/2004 4:38 PM
Date Created: 10/26/2004 4:38 PM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: DivXNetworks, Inc.
Description: DivX® Codec for Windows
File Version: 5.2.1.1338
Product Name: DivX® Codec for Windows

Name: divxdec_0407.dll
Size: 92 KB
Type: Application Extension
Date Modified: 10/26/2004 4:38 PM
Date Created: 10/26/2004 4:38 PM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: DivXNetworks, Inc.
Description: DivX® Decoder-Filter
File Version: 5.2.1.1328
Product Name: DivX® Decoder Filter

Name: divxdec_040c.dll
Size: 92 KB
Type: Application Extension
Date Modified: 10/26/2004 4:38 PM
Date Created: 10/26/2004 4:38 PM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: DivXNetworks, Inc.
Description: Filtre décodeur DivX®
File Version: 5.2.1.1328
Product Name: Filtre décodeur DivX®


Name: divx_xx07.dll
Size: 202 KB
Type: Application Extension
Date Modified: 10/26/2004 4:38 PM
Date Created: 10/26/2004 4:38 PM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: DivXNetworks, Inc.
Description: DivX® Codec für Windows
File Version: 5.2.0.1258
Product Name: DivX® Codec für Windows

Name: divx_xx0c.dll
Size: 202 KB
Type: Application Extension
Date Modified: 10/26/2004 4:38 PM
Date Created: 10/26/2004 4:38 PM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: DivXNetworks, Inc.
Description: Codec DivX® pour Windows
File Version: 5.2.0.1258
Product Name: DivX® Codec pour Windows

Name: divx_xx11.dll
Size: 516 KB
Type: Application Extension
Date Modified: 10/26/2004 4:38 PM
Date Created: 10/26/2004 4:38 PM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: DivXNetworks, Inc.
Description: DivXR Codec for Windows
File Version: 9.9.9.999
Product Name: DivXR Codec for Windows

Name: dosx.exe
Size: 53 KB
Type: Application
Date Modified: 8/23/2001 6:00 AM
Date Created: 8/23/2001 6:00 AM
Attributes: A
Owner: Administrators

Name: dpu10.dll
Size: 284 KB
Type: Application Extension
Date Modified: 10/26/2004 4:39 PM
Date Created: 10/26/2004 4:39 PM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: DivXNetworks
Description: dpu10
File Version: 1.0.0.4
Product Name: DivXNetworks dpu10

Name: dpuGUI10.dll
Size: 588 KB
Type: Application Extension
Date Modified: 10/26/2004 4:39 PM
Date Created: 10/26/2004 4:39 PM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: DivXNetworks
Description: dpuGUI10
File Version: 1.0.0.4
Product Name: DivXNetworks dpuGUI10

Name: dpus10.dll
Size: 328 KB
Type: Application Extension
Date Modified: 10/26/2004 4:39 PM
Date Created: 10/26/2004 4:39 PM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: DivXNetworks
Description: dpus10
File Version: 1.0.0.4
Product Name: DivXNetworks dpus10

Name: dpv10.dll
Size: 52 KB
Type: Application Extension
Date Modified: 10/26/2004 4:39 PM
Date Created: 10/26/2004 4:39 PM
Attributes: A
Owner: BRIAN-3Q7QF5MCR\Administrator
Company: DivXNetworks
Description: dpv10
File Version: 1.0.0.4
Product Name: DivXNetworks dpv10

Name: dvdplay.exe
Size: 54 KB
Type: Application
Date Modified: 8/23/2001 6:00 AM
Date Created: 8/17/2001 4:36 PM
Attributes: A
Owner: Administrators
Description: dvdplay placeholder Application
File Version: 1.0.0.2
Product Name: dvdplay Application

Name: edit.com
Size: 69 KB
Type: MS-DOS Application
Date Modified: 8/23/2001 6:00 AM
Date Created: 8/23/2001 6:00 AM
Attributes: A
Owner: Administrators

Name: edlin.exe
Size: 13 KB
Type: Application
Date Modified: 8/23/2001 6:00 AM
Date Created: 8/23/2001 6:00 AM
Attributes: A
Owner: Administrators

Name: EqnClass.Dll
Size: 101 KB
Type: Application Extension
Date Modified: 8/23/2001 6:00 AM
Date Created: 1/8/2005 6:57 AM
Attributes: A
Owner: Administrators
Company: Equinox Systems Inc.
Description: Equinox Multiport Serial Coinstaller
File Version: 5.0.21.58
Product Name: Equinox Multiport Serial Coinstaller

Name: exe2bin.exe
Size: 9 KB
Type: Application
Date Modified: 8/23/2001 6:00 AM
Date Created: 8/23/2001 6:00 AM
Attributes: A
Owner: Administrators

Name: fastopen.exe
Size: 1 KB
Type: Application
Date Modified: 8/23/2001 6:00 AM
Date Created: 8/23/2001 6:00 AM
Attributes: A
Owner: Administrators


----------



## Mosaic1 (Aug 17, 2001)

Thanks. Go ahead and get pskill if you haven't already. Now before you run this batch, I want you to also disable your Anti Virus from scanning in the background. I don't want it interfering with the file deletions. It can do that if they become visible.

bho.txt shows that you do have hidden bho's. Let's go for it and do the removal as uploaded. If it fails, we can try again tomorrow. I did this before and we had to remove the orphan bho keys later in that case.

Good luck.


----------



## elvinj (Feb 8, 2005)

well, i don't understand but here is another empty attribute text for windows

2/23/2005 12:50:23 AM
List of possible non MS apps and dll's in
C:\windows


List of hidden files in C:\windows


----------



## Mosaic1 (Aug 17, 2001)

Well, we tried but can't see anything. That's ok. Go back, read my instructions and do the Removal ASAP before there are more changes made to your system. These things do not stay still. We are wasting time every minute you are connected to the internet.

I'll be back tomorrow.


----------



## elvinj (Feb 8, 2005)

here is the deletions text:

Could Not Find C:\WINDOWS\system32\prmover.exe
Could Not Find C:\WINDOWS\system32\sethcd.exe
Could Not Find C:\WINDOWS\system32\hdrsb.dll
Could Not Find C:\WINDOWS\system32\msktf.dll
Could Not Find C:\WINDOWS\system32\usrshutd.exe
Could Not Find C:\WINDOWS\system32\winmsdc.exe
Could Not Find C:\WINDOWS\system32\vwipxspnt.exe
Could Not Find C:\WINDOWS\system32\tlntadmnx.exe
Could Not Find C:\WINDOWS\system32\w32sxp.exe
Could Not Find C:\WINDOWS\system32\iecust.dll
Could Not Find C:\WINDOWS\system32\wncust.exe
Could Not Find C:\WINDOWS\system32\tcpsvcss.exe
Could Not Find C:\WINDOWS\system32\sp2chk.exe
Could Not Find C:\WINDOWS\system32\balloon.wav
Could Not Find C:\WINDOWS\system32\hdetn.dll
Could Not Find C:\WINDOWS\system32\hdfnh.dll
Could Not Find C:\WINDOWS\system32\hdfsd.dll
Could Not Find C:\WINDOWS\system32\hdrjz.dll
Could Not Find C:\WINDOWS\system32\hdrsz.dll
Could Not Find C:\WINDOWS\system32\hdtgn.dll
Could Not Find C:\WINDOWS\system32\iecust.dll
Could Not Find C:\WINDOWS\system32\iesp2.dll
Could Not Find C:\WINDOWS\system32\msfmb.dll
Could Not Find C:\WINDOWS\system32\netcgf.dll
Could Not Find C:\WINDOWS\system32\nlsfuncs.exe
Could Not Find C:\WINDOWS\system32\openconf.exe
Could Not Find C:\WINDOWS\system32\qwsxp.dll
Could Not Find C:\WINDOWS\system32\rdspclips.exe
Could Not Find C:\WINDOWS\system32\run_dos.dll
Could Not Find C:\WINDOWS\system32\sethcd.exe
Could Not Find C:\WINDOWS\system32\smbdins.exe
Could Not Find C:\WINDOWS\system32\sp2chk.exe
Could Not Find C:\WINDOWS\system32\sprestrst.exe
Could Not Find C:\WINDOWS\system32\sprmover.exe
Could Not Find C:\WINDOWS\system32\upncont.exe
Could Not Find C:\WINDOWS\system32\winwiz32.exe
Could Not Find C:\WINDOWS\system32\wowdbe.exe

and here is a hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:38:56 AM, on 2/23/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\WINDOWS\System32\sprmover.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\shortcuts\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{23C4DCAE-1AF2-4E2C-A0B2-E725527B3DDE}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797E854-C48F-4125-A689-254170631D7E}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B79A58B-3EC1-4DBD-A54F-50E2458AA192}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A266F223-87D7-4F04-B846-BAD1373608F8}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE4F3F3-CA8E-49C3-85A5-A58B1E99A154}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.188.180,195.225.176.31
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

i believe most of the 017s were part of the problem from before. i had been advised to delete all but one of them on a few occasions days ago (earlier in this thread). this is the longest thread i have ever experienced. what next?


----------



## dvk01 (Dec 14, 2002)

hopefully now we have killed off the problem files we should be able to fix these in hjt and they should stay fixed
O17 - HKLM\System\CCS\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{23C4DCAE-1AF2-4E2C-A0B2-E725527B3DDE}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797E854-C48F-4125-A689-254170631D7E}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B79A58B-3EC1-4DBD-A54F-50E2458AA192}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{A266F223-87D7-4F04-B846-BAD1373608F8}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE4F3F3-CA8E-49C3-85A5-A58B1E99A154}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.188.180,195.225.176.31
O17 - HKLM\System\CS2\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.188.180,195.225.176.31

Also, this has just been released to help search for all known rootkits, so try it:

http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

Download and unzip it, double click on RootkitRevealer and press Scan.

It will take some time to do a complete scan, and when it is finished press File > Save and post the log.

You would need to attach the log rather than copy & paste it, as it is likely to be too long for a copy & paste.

It will find a lot of things that are perfectly normal and innocent, so DO NOT fix anything it finds without specific advice to do so from either Mosaic1 or me in this case, please.

As an example, on my computer it found 73,000 discrepancies, all of which are innocent but were hidden from Windows by design (mostly NTFS hidden streams with Kaspersky).


----------



## dvk01 (Dec 14, 2002)

We still have sprmover showing as running in the log, though, so let's see what Mosaic comes up with to get rid of that one when she comes on a bit later.

And try this to clear the dodgy O17 entries:

Go into NETWORK CONNECTIONS in Control Panel. Then right click on your default connection there and choose Properties.
Then click on the NETWORKING tab. Then click on INTERNET PROTOCOL. In the window that comes up, click on the "Obtain DNS server address automatically" radio button.
That may not be available on some systems.
Next, go to Start > Run, type cmd and hit OK.
On the black screen that comes up,
type
ipconfig /flushdns
then hit Enter; type exit and hit Enter.


----------



## Mosaic1 (Aug 17, 2001)

I am not sure anything was cleaned up. The "Could not find" message means that DOS del couldn't find the files to clean. I did this before, but used the utility you used earlier first and then tagged another batch onto the end of that to delete more files. Plus we didn't clean up any Run entries, but they are gone. I am thinking this has hidden them from us again.


----------



## Mosaic1 (Aug 17, 2001)

I have gone back to the old thread where I removed one very similar to yours a while back and I can recreate the removal for you too if interested. This did involve a bit more than what we did in the middle of the night.


----------



## Mosaic1 (Aug 17, 2001)

This is what I did before and it worked. 
Let's see if it helps this time.
You may want to print out these instructions for your convenience.

Again, this assumes that pskill.exe is in your system32 folder and that the files have not changed since your last log was posted.

I am attaching a folder named Cleanit.zip

Extract the entire Cleanit folder it contains to your desktop.

You must be signed on to an account with Administrative privileges for this removal to run properly.

Sign off the internet and unplug your modem.

This next part will open a special copy of regedit with system privileges.

Close regedit first if you have it open or this will not work.

Be ready to restart. Close all other unneeded programs. Do not have Hijackthis open!

Open the Cleanit folder.

Wait for the minute on your clock in the systray to turn over.

Double click on click.bat. It will run the scripts. If you get a message warning that a script is going to run, please allow it to run. This is not malicious.

Do not click on Clickme.vbs

Do not click on go to reg key.vbs or any other file in this folder at this point.

Wait a minute or so; you will see an input box. Paste in the registry key you want to jump to.

For you, that is this key:

*HKEY_CLASSES_ROOT\CLSID\{1BE78FFA-56C3-4E27-8FC5-0A1306D4A2F1}*

Regedit will open to that key. (You will have system privileges in this session of Regedit.)

Be sure the key highlighted in the registry is the one you want. Once in a while the registry may not open to the correct key.

When you are sure you are at the key you were instructed to paste in, then right click on that key and choose delete from the menu.

Now to delete another key:
Navigate to:
*HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects*

Right click on Browser Helper Objects and choose Delete from the menu.

Close the registry.

Go back to the Cleanit folder and double click:
remv3.bat

Let it run. When it finishes double click on
deletethem.bat

Let it run like you did before.

Restart into Safe Mode.

Run remv3.bat again.
Run deletethem.bat again

Run Hijackthis

Fix the O17s.
There should not be any BHOs listed in your log.
I hope that there will be one or more new Run entries now visible which weren't there before. Fix those too. You can open your old log and compare the Run entries. Delete anything new. Save the log as Safe Hijackthis.log; I may want to look at it later.

Shut down the computer and hook up your modem. 
Restart into regular windows.

Use the method to repair the O17 hijack as advised earlier in this post. This is how we did it in the other thread too. Hijackthis didn't work to fix it.
http://forums.techguy.org/showthread.php?p=2385255

Run Hijackthis and post your new log.

There will be more to do. But do this first and then I will ask to see the reports this generated.


----------



## Mosaic1 (Aug 17, 2001)

That method worked a month ago. We'll see if it still works. Good luck.


----------



## dvk01 (Dec 14, 2002)

OK, we are getting some feedback now from the files you sent earlier.

Any, some or all of these files will be involved as well.

Where it says windows\system, also look in windows\system32.
Where no directory is mentioned, try both the windows\system and system32 folders.

And make sure that all temp folders are emptied.

That means username\local settings\temp,
windows\temp and
c:\temp

C:\WINDOWS\SYSTEM\sample.exe
C:\WINDOWS\SYSTEM\woinst.exe
C:\WINDOWS\TEMP\TMPFILE.TMP
loader.exe
mfplay.exe
delspy.exe
authz.exe
taskmgn.exe
run_dos.dll
rnr.dll
winnet.dll


----------



## Mosaic1 (Aug 17, 2001)

In the directions I posted, the Cleanit folder has now been updated to remove more files as per new information just received.
So if you run it, be sure you have downloaded updatedCleanit.zip

Again this assumes that your BHO has not changed since last time. If it has, we'll have to start again.


----------



## elvinj (Feb 8, 2005)

rootkit log


----------



## dvk01 (Dec 14, 2002)

These are the only relevant ones here:
C:\WINDOWS\system32\302.exe	2/23/2005 9:05 PM	14.50 KB	Hidden from Windows API.
C:\WINDOWS\system32\hdmga.dll	2/23/2005 10:13 PM	19.52 KB	Hidden from Windows API.
C:\WINDOWS\system32\msktf.dll	2/20/2005 10:40 PM	24.00 KB	Hidden from Windows API.
C:\WINDOWS\system32\opensdl.exe	2/23/2005 9:04 PM	4.20 KB	Hidden from Windows API.
C:\WINDOWS\system32\rdspclips.exe	2/23/2005 10:13 PM	31.00 KB	Hidden from Windows API.
C:\WINDOWS\system32\run_dos.dll	2/20/2005 2:27 PM	29.01 KB	Hidden from Windows API.
C:\WINDOWS\system32\sethcd.exe	2/23/2005 9:05 PM	47.00 KB	Hidden from Windows API.
C:\WINDOWS\system32\smbdins.exe	2/23/2005 9:05 PM	10.00 KB	Hidden from Windows API.
C:\WINDOWS\system32\sprestrst.exe	2/23/2005 9:04 PM	9.49 KB	Hidden from Windows API.
C:\WINDOWS\system32\sprmover.exe	2/23/2005 9:05 PM	3.13 KB	Hidden from Windows API.
C:\WINDOWS\system32\upncont.exe	2/23/2005 9:04 AM	46.00 KB	Hidden from Windows API.
C:\WINDOWS\system32\winwiz32.exe	2/23/2005 9:05 PM	35.50 KB	Hidden from Windows API.
C:\WINDOWS\system32\wowdbe.exe	2/23/2005 9:04 AM	32.50 KB	Hidden from Windows API.

And the one we don't already know about is:

C:\WINDOWS\system32\302.exe
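As an added example (not code from the thread or from RootkitRevealer), a small Python triage for a discrepancy list like the one above: it parses the lines, keeps executables hidden from the Windows API under system32, and groups them by creation time, since files dropped within minutes of each other usually come from the same installer. The input is the thirteen lines above plus one constructed entry outside system32; the five-minute window is an assumption.

```python
import re
from datetime import datetime, timedelta

# One RootkitRevealer discrepancy line: path, timestamp, size and description.
# RootkitRevealer separates the fields with tabs; a forum paste may turn those
# into spaces, so any run of whitespace is accepted between fields.
RKR_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<stamp>\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}\s+[AP]M)"
    r"\s+(?P<size>[\d.]+\s+(?:bytes|[KMG]?B))\s+(?P<desc>.+?)\s*$"
)

# The lines dvk01 picked out of the report (tab-separated as in the original
# output), plus one constructed Prefetch entry to exercise the system32 filter.
SAMPLE_REPORT = [
    "C:\\WINDOWS\\system32\\302.exe\t2/23/2005 9:05 PM\t14.50 KB\tHidden from Windows API.",
    "C:\\WINDOWS\\system32\\hdmga.dll\t2/23/2005 10:13 PM\t19.52 KB\tHidden from Windows API.",
    "C:\\WINDOWS\\system32\\msktf.dll\t2/20/2005 10:40 PM\t24.00 KB\tHidden from Windows API.",
    "C:\\WINDOWS\\system32\\opensdl.exe\t2/23/2005 9:04 PM\t4.20 KB\tHidden from Windows API.",
    "C:\\WINDOWS\\system32\\rdspclips.exe\t2/23/2005 10:13 PM\t31.00 KB\tHidden from Windows API.",
    "C:\\WINDOWS\\system32\\run_dos.dll\t2/20/2005 2:27 PM\t29.01 KB\tHidden from Windows API.",
    "C:\\WINDOWS\\system32\\sethcd.exe\t2/23/2005 9:05 PM\t47.00 KB\tHidden from Windows API.",
    "C:\\WINDOWS\\system32\\smbdins.exe\t2/23/2005 9:05 PM\t10.00 KB\tHidden from Windows API.",
    "C:\\WINDOWS\\system32\\sprestrst.exe\t2/23/2005 9:04 PM\t9.49 KB\tHidden from Windows API.",
    "C:\\WINDOWS\\system32\\sprmover.exe\t2/23/2005 9:05 PM\t3.13 KB\tHidden from Windows API.",
    "C:\\WINDOWS\\system32\\upncont.exe\t2/23/2005 9:04 AM\t46.00 KB\tHidden from Windows API.",
    "C:\\WINDOWS\\system32\\winwiz32.exe\t2/23/2005 9:05 PM\t35.50 KB\tHidden from Windows API.",
    "C:\\WINDOWS\\system32\\wowdbe.exe\t2/23/2005 9:04 AM\t32.50 KB\tHidden from Windows API.",
    # constructed entry: same description, but not an executable under system32
    "C:\\WINDOWS\\Prefetch\\REG.EXE-0D2A95F7.pf\t2/25/2005 8:10 PM\t12.00 KB\tHidden from Windows API.",
]


def parse_rkr(lines):
    """Turn report lines into dicts with a real datetime; unparseable lines are skipped."""
    entries = []
    for line in lines:
        m = RKR_RE.match(line.strip())
        if not m:
            continue
        stamp = datetime.strptime(" ".join(m.group("stamp").split()), "%m/%d/%Y %I:%M %p")
        entries.append({"path": m.group("path"), "when": stamp,
                        "size": m.group("size"), "desc": m.group("desc")})
    return entries


def hidden_executables(entries, folder="\\system32\\"):
    """Executables and DLLs hidden from the Windows API inside the given folder."""
    return [e for e in entries
            if e["desc"].lower().startswith("hidden from windows api")
            and folder in e["path"].lower()
            and e["path"].lower().endswith((".exe", ".dll", ".sys"))]


def cluster_by_time(entries, window=timedelta(minutes=5)):
    """Group entries whose timestamp is within `window` of the previous entry (assumed window)."""
    clusters = []
    for e in sorted(entries, key=lambda e: e["when"]):
        if clusters and e["when"] - clusters[-1][-1]["when"] <= window:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def names(cluster):
    """Sorted file names of one cluster (paths use Windows separators)."""
    return sorted(e["path"].rsplit("\\", 1)[-1] for e in cluster)


if __name__ == "__main__":
    hidden = hidden_executables(parse_rkr(SAMPLE_REPORT))
    for group in cluster_by_time(hidden):
        first, last = group[0]["when"], group[-1]["when"]
        print(f"{first:%m/%d %I:%M %p} - {last:%I:%M %p}: {', '.join(names(group))}")
```

The two 9:04 AM files land in their own group, separate from the 9:04 PM batch, which is exactly the kind of detail that is easy to misread when scanning the list by eye.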


----------



## dvk01 (Dec 14, 2002)

Doing searches, 302.exe comes up in a few places as a DNS changer, so that is probably the one that is keeping the DNS locked to the dodgy sites.
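For both the O17 entries dvk01 listed earlier and the DNS changer just mentioned, here is an added Python check (not code from the thread or from HijackThis) that parses O17 lines from a HijackThis log, flags any NameServer address outside the resolvers the owner expects, and summarises how many interfaces and control sets carry the same rogue pair. The sample lines are the eight O17 entries from the thread plus one constructed clean entry; the expected-resolver range and the `Tcpip\Parameters` line form are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Matches one HijackThis O17 NameServer line. HijackThis reports the value for
# each TCP/IP interface under the current control set (CCS) and the backup
# control sets (CS1, CS2, ...). The "Parameters" alternative is an assumption
# covering the interface-independent key; Domain/SearchList lines are ignored.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cset>CCS|CS\d+)\\Services\\Tcpip\\(?:\.\.\\)?"
    r"(?P<iface>\{[0-9A-Fa-f-]+\}|Parameters): NameServer = (?P<servers>.+)$"
)

# Sample log lines: one unrelated O4 line, the eight O17 entries from the
# thread, and one constructed clean entry pointing at a home router.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.188.180,195.225.176.31",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{23C4DCAE-1AF2-4E2C-A0B2-E725527B3DDE}: NameServer = 69.50.188.180,195.225.176.31",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{8797E854-C48F-4125-A689-254170631D7E}: NameServer = 69.50.188.180,195.225.176.31",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{8B79A58B-3EC1-4DBD-A54F-50E2458AA192}: NameServer = 69.50.188.180,195.225.176.31",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{A266F223-87D7-4F04-B846-BAD1373608F8}: NameServer = 69.50.188.180,195.225.176.31",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE4F3F3-CA8E-49C3-85A5-A58B1E99A154}: NameServer = 69.50.188.180,195.225.176.31",
    r"O17 - HKLM\System\CS1\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.188.180,195.225.176.31",
    r"O17 - HKLM\System\CS2\Services\Tcpip\..\{14696981-1A94-4E83-BA99-55D4BA6E94C0}: NameServer = 69.50.188.180,195.225.176.31",
    # constructed clean entry (assumed line form for the Parameters key)
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1",
]

# Resolvers the owner expects to see (constructed: the LAN router's range).
EXPECTED_RESOLVERS = ["192.168.0.0/16"]


def parse_o17(line):
    """Return control set, interface and resolver list for an O17 line, else None."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
    return {"control_set": m.group("cset"), "interface": m.group("iface"),
            "servers": servers}


def rogue_servers(servers, expected_nets):
    """Resolver values outside every expected network, or not IP addresses at all."""
    rogue = []
    for s in servers:
        try:
            addr = ip_address(s)
        except ValueError:
            rogue.append(s)  # garbage in the value is itself worth a look
            continue
        if not any(addr in net for net in expected_nets):
            rogue.append(s)
    return rogue


def audit_o17(lines, expected=EXPECTED_RESOLVERS):
    """One finding per O17 line whose NameServer value holds an unexpected resolver."""
    nets = [ip_network(n) for n in expected]
    findings = []
    for line in lines:
        entry = parse_o17(line)
        if entry is None:
            continue
        bad = rogue_servers(entry["servers"], nets)
        if bad:
            findings.append({**entry, "rogue": bad})
    return findings


def summarize(findings):
    """Collapse findings so the scope of the hijack is visible at a glance.

    The same rogue pair on every interface and in the backup control sets is
    why fixing only the current control set tends not to stick."""
    return {
        "rogue_servers": sorted({s for f in findings for s in f["rogue"]}),
        "control_sets": sorted({f["control_set"] for f in findings}),
        "interfaces": sorted({f["interface"] for f in findings}),
    }


if __name__ == "__main__":
    found = audit_o17(SAMPLE_LOG)
    for f in found:
        print(f"{f['control_set']:4} {f['interface']} -> {', '.join(f['rogue'])}")
    print(summarize(found))
```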


----------



## elvinj (Feb 8, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 12:59:14 AM, on 2/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\System32\imapi.exe
C:\Documents and Settings\Administrator\Desktop\shortcuts\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [rdspclips.exe] rdspclips.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)


----------



## elvinj (Feb 8, 2005)

The following temp folder I found was empty. Properties said it was created on the 12th of this month, and that is around the time I started getting problems. I was wondering if it would matter if I deleted it.


here it is:


C:\Documents and Settings\Administrator\Local Settings\Temp\{0bedbd4e-2d34-47b5-9973-57e62b29307c}


----------



## dvk01 (Dec 14, 2002)

Any folder that appears under C:\Documents and Settings\Administrator\Local Settings\Temp can be, and should be, deleted.


----------



## dvk01 (Dec 14, 2002)

However, you might have problems actually deleting it and might have to wait for Mosaic to come up with a script to kill it off when Windows isn't running.


----------



## elvinj (Feb 8, 2005)

windows\temp contains this file and I couldn't delete it. What is it? Properties said it was
created about 1/2 hour from when I did the fix.


ZLT07007.TMP


----------



## elvinj (Feb 8, 2005)

I deleted all folders in C:\Documents and Settings\Administrator\Local Settings\Temp.

Now I guess I don't know where we are at. I don't think I understood post #80. The following files are in my system:

C:\WINDOWS\system32\hdmga.dll 2/23/2005 10:13 PM 19.52 KB Hidden from Windows API.
C:\WINDOWS\system32\opensdl.exe 2/23/2005 9:04 PM 4.20 KB Hidden from Windows API.


----------



## Mosaic1 (Aug 17, 2001)

I need another bho.txt and pv reports from both iexplorer and explorer, just as you did them before. And time is of the essence. As you remain connected, this thing is adding files and changing file names. I will change the file I created to try and remove this once more.

Did you run the updated fix I posted on that last page? If not, do not. But when I post another you have to use it in a timely fashion or none of this will work for sure, if at all.


----------



## elvinj (Feb 8, 2005)

You will have to send me instructions on how to get a new bho.txt. I clicked on the file Get Bho Hive.bat and nothing happened. I tried to read previous entries in this thread to remember how, but this thing is so long it's like trying to find a needle in a haystack. I am leaving for work, so I will disconnect from the internet and start again when I get home from a gig. This thing I thought was licked, but maybe not. I got no popups overnight like I got before. HJT looked clean (but I am a novice at this stuff). Here is a log:

Logfile of HijackThis v1.99.1
Scan saved at 1:54:33 PM, on 2/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\BitLord\BitLord.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\shortcuts\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [rdspclips.exe] rdspclips.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)


----------



## elvinj (Feb 8, 2005)

Actually, you can just direct me to the post with BHO instructions. Thank you for all of your help!


----------



## Mosaic1 (Aug 17, 2001)

Use hijackthis to fix this entry:
O4 - HKLM\..\Run: [rdspclips.exe] rdspclips.exe
Then run hijackthis again and see if it is back or if there is anything replacing it.

Let me know.

Open the folder and delete bho.txt first. We need to get rid of the old one first. Then double click on the batch again. It will create a new bho.txt.
Attach the bho.txt file to your next post.


----------



## elvinj (Feb 8, 2005)

Nothing is replacing the O4, but I cannot get a new bho text. I double clicked the file called "get bho hiv.bat" and nothing was produced. As I said before, you might want to give me instructions on how to obtain the bho text. I do not know what I am doing.


----------



## elvinj (Feb 8, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 3:30:45 AM, on 2/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\Program Files\BitLord\BitLord.exe
C:\Documents and Settings\Administrator\Desktop\shortcuts\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)


----------



## Mosaic1 (Aug 17, 2001)

Right now, either this thing is totally invisible and not one running process is showing, or it is gone. I doubt it is gone.

I need to know, did you run the last updated instructions from this post?
http://forums.techguy.org/showthread.php?p=2385518

We need to keep more organized or this is going to quickly become impossible to work on. The fact that you cannot get a new bho.txt is of concern to me.

All you should do is to remove the current bho.txt
Double click on the bat file and wait a second or two. A new bho.txt should appear in that same folder.

So let's try it with a renamed file. Create a new Folder. Download the attachment and unzip the contents to that new folder.

The batch will be named inspect.bat

It will produce a file named look.txt
Attach look.txt to your next reply.


----------



## Mosaic1 (Aug 17, 2001)

Be sure to have at least one Internet Explorer Window open
Double click on runme.bat

Type 9 and press enter to bring up a new menu.

When that new menu comes up, type 4 and press enter to Enumerate a process.
When that finishes you will see a prompt Enter name of process to enumerate.

We want all processes. So you will type

**.** 
then press enter.
log.txt will open and is going to be very large. So when it has finished, close

log.txt
Right click on log.txt and choose Send To > Compressed

Attach the zipped log.txt into your next reply.


----------



## Mosaic1 (Aug 17, 2001)

Do exactly the same thing in Safe Mode. Open an IE window before you run the runme.bat, and then, when the text file opens, save it as Safe Mode.log

Zip Safe Mode.log and attach it when you get back.

Also, in Safe Mode get a new Hijackthis log please and post that when you next reply.

Run the rootkit detector in Safe Mode if it will allow that. Rename the report it generates as Safe Mode Root detect.log and post that when you get back.



Finally, run the rootkit detector once more after the restart back into Regular Windows mode and post that.

We need to have a look at all the information we can get at one time to try and get a picture of your situation. Don't forget to tell us if you had run the fix I asked about earlier. Thanks.


----------



## elvinj (Feb 8, 2005)

I followed the instructions from post #75 and everything went smoothly. I have not had any problems since. Anyhow, I downloaded inspect.bat, extracted it to its own folder and double clicked it, and still no text was produced. I also erased the old bho.txt, which was in its own folder with Get Bho Hive.bat, and double clicked V, and again no text was produced. I have yet to follow the instructions from your last 2 posts, as I have just returned from work. I stay connected all day and have had no issues yet, so I am crossing my fingers. Is there a good reason why I can't produce a text?


----------



## Mosaic1 (Aug 17, 2001)

OK, I wasn't sure if you had or not. This bothers me and is why I am asking for all these new reports. When things are invisible it is hard to say "Good. All done. You are clean." The only thing I can really think of as a reason for your not being able to produce a new bho.txt is the off chance that *reg.exe* is missing.

Have a look in your system32 folder and see if it's there.

And then, if you could only do the reports I asked for in regular Windows mode, we'll see how they look. If there is any sign of infection, I'll ask for you to do the reports in Safe Mode too. I really hope everything is OK!


----------



## elvinj (Feb 8, 2005)

here is log.zip (not safe mode)


----------



## Mosaic1 (Aug 17, 2001)

Thanks. Any luck finding reg.exe? If not, look in your service pack files and if it is there, copy it to System32.


----------



## elvinj (Feb 8, 2005)

While I was running RootkitRevealer, AVG detected a backdoor trojan. backdoor.iroffer.3 ar is the name. It was found in c:\program files\winrar\default.sfx. I just zipped that stuff you told me to, so I was wondering if that was why.


----------



## Mosaic1 (Aug 17, 2001)

Let AVG clean it up. I am still reading the other log; it is huge. I'll be a while. In the meantime, why don't you let AVG loose on your hard drive and see what else, if anything, it picks up?


----------



## elvinj (Feb 8, 2005)

reg.exe was in system32.


----------



## elvinj (Feb 8, 2005)

And AVG cleaned the backdoors in my WinRAR folder. Where do you figure that came from? I wanted to send you the report from AVG, but it gets saved as Excel and for some reason this website won't let me attach that file type.
You have been such a great help. If you like electronic music then you should check out one of the bands I am in online @ www.7leagueboots.com; there are free mp3s for download there. I play drums and program MIDI in Reason for this band. Anyway, back to business. Let me know where you think we are at with this. Again, aside from that last AVG detection, I have gone a record amount of hours without any activity since I got this thing early this month.


----------



## elvinj (Feb 8, 2005)

I just looked at my favorites in IE and there are a bunch of crap I never put there (online gambling, dating, viagra, porn, anti-spyware). I use Firefox, so I guess I don't care, but that shows there was possibly more malicious activity since the fix (I think I remember cleaning IE in the fix).


----------



## Mosaic1 (Aug 17, 2001)

I see, that's why you keep such long late hours. You're a musician. Thanks, I'll check it out this weekend.

While you are doing scans, do you have Trojan Hunter?

If not, get the trial version and update, then scan according to directions.
Go for free online Virus scans here:

http://housecall.trendmicro.com/housecall/start_corp.asp 
http://www.pandasoftware.com/activescan/

Allow them to clean
----------------

Go here and get one of the free trials of an Anti Trojan and scan for Trojans. 
http://www.wilders.org/anti_trojans.htm
---------------------------------------

Favorites don't always get cleaned up. Who knows what else has happened? I just finished the regular windows mode log.txt and it looks clean.

I am going to continue reading.


----------



## Mosaic1 (Aug 17, 2001)

I am not a Zone Alarm User, but you should have a look to be sure it is ok and that nothing has interfered with the settings.


----------



## Mosaic1 (Aug 17, 2001)

I would fix this one:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

----------
Root Kit detectors look good. Safe Mode logs look good.

OK for reg.exe.

Let's get you a new copy and see if it works.

Do a file search for reg.exe
See where it turns up. If you find one in your Service pack files, copy it to system32 to replace the current copy. That one may be corrupt. 


May I see one more hijackthis log in regular mode while you are on the internet please?


----------



## Mosaic1 (Aug 17, 2001)

I did a Google search and it is possible that the AVG detection on this file:
c:\program files\winrar\default.sfx

May have been a false positive.

We'll see what the other scans report. I know you are busy following all the instructions. We need to go over your system very carefully. But so far, it looks pretty good. 

I'll wait to hear how you did and to see your latest Hijackthis log.

And we'll be hearing from Derek too, I hope. He's great. We need as many eyes and as much experienced help from him.


----------



## elvinj (Feb 8, 2005)

Found REG.EXE-0D2A95F7.pf in C:\windows\prefetch, found reg.exe in system32 (of course) and also found it in C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989
created Wednesday, August 04, 2004, 1:56:55 AM
Maybe from a Windows update.
Also found comrereg.exe in C:\WINDOWS\system32\Com
Should I copy the SoftwareDistribution\Download\etc one to system32?


----------



## elvinj (Feb 8, 2005)

hold on for hjt log


----------



## elvinj (Feb 8, 2005)

Cleaned Worm-P2P.SDDrop in TrojanHunter.


----------



## elvinj (Feb 8, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 9:57:21 PM, on 2/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BitLord\BitLord.exe
C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe
C:\Documents and Settings\Administrator\Desktop\shortcuts\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WUSB54Gv4] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)


----------



## Mosaic1 (Aug 17, 2001)

You know what? I just remembered you did the fix and that I had you open the registry and delete the BHO key entirely. When I started asking for the hive export I didn't know whether or not you had run the fix. But you have, and all is looking good so far. Your reg.exe is fine. So of course there is no key to export as a hive. Apologies. And I do have a copy of your good entries. Give me a minute to read your log and I'll get you your good entries to put back.


Find attached a zip. Extract the reg file and double click on it to enter into the registry. 

Check a new log to be sure the bho is there. It's the Spybot bho.


----------



## elvinj (Feb 8, 2005)

Sweet.


----------



## Mosaic1 (Aug 17, 2001)

I edited my last post and attached a file so you can put your Spybot BHO back.

Now, let's see about some other fun projects. LOL

Once you have completed all of the other steps and you have rebooted a time or two, be sure everything is in working order. It is time to flush your system restore points. Once you do that you will not be able to correct any problems you may have now by going back to a point before today.

After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start > Run, type msconfig and press Enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn off System Restore.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
----------------------------
Also here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future.
http://www.computercops.biz/postt7736.html


----------



## Mosaic1 (Aug 17, 2001)

As a matter for your own privacy, I would now recommend that you change all passwords you have stored on the computer. Any sensitive information, banking, etc., may have been compromised.


----------



## elvinj (Feb 8, 2005)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

this, right?


----------



## Mosaic1 (Aug 17, 2001)

Sure is.

I am going to sign off for the night. You did great. There may be some tag ends in the registry to look at later as a matter of housekeeping. We'll have to consult some other experts who are working on this too. For now it appears that you are in good shape. Get your security set as high as you can. 


Mo
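The check Mosaic1 applies by eye above (is this BHO the known-good Spybot helper, or something to look at?) can be automated for a whole log. The script below is an added example, not code from this thread or from HijackThis: it parses O2 (BHO), O3 (toolbar) and O23 (service) lines and flags the things a reviewer looks for by hand: a CLSID not on a known-good list, a service with an "Unknown owner", a "(file missing)" reference, and a binary outside the usual program directories. The CLSID allowlist and the trusted path prefixes are assumptions built only from entries this thread identifies as legitimate; the sample log reuses lines from the thread, plus one constructed entry with an all-zero placeholder CLSID to show the unknown-CLSID flag.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# CLSIDs the thread identifies as legitimate (assumed allowlist; illustrative, not exhaustive).
KNOWN_GOOD_CLSIDS = {
    "{53707962-6F74-2D53-2644-206D7942484F}",  # Spybot-S&D SDHelper.dll
    "{8E718888-423F-11D2-876E-00A0C9082467}",  # IE &Radio toolbar (msdxm.ocx)
}

# Directory prefixes under which legitimate components normally live (assumption).
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\progra~1\\",
)

O2_O3_RE = re.compile(
    r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]{36}\}) - (?P<path>.+)$", re.I
)
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    line: str
    flags: list = field(default_factory=list)


def _path_flags(path):
    """Flags derived from the file reference alone."""
    flags = []
    if "(file missing)" in path.lower():
        flags.append("file missing")
    norm = path.strip().strip('"').lower()
    if not norm.startswith(TRUSTED_PREFIXES):
        flags.append("unusual path")
    return flags


def triage_line(line):
    """Return a Finding for one log line; flags is empty when nothing stands out."""
    f = Finding(line)
    m = O2_O3_RE.match(line)
    if m:
        if m.group("clsid").upper() not in KNOWN_GOOD_CLSIDS:
            f.flags.append("unknown CLSID")
        f.flags += _path_flags(m.group("path"))
        return f
    m = O23_RE.match(line)
    if m:
        if m.group("owner").strip().lower() == "unknown owner":
            f.flags.append("unknown owner")
        f.flags += _path_flags(m.group("path"))
        return f
    return f  # other section types are not parsed here


def triage(log_text):
    """Triage every O2/O3/O23 line and return only the findings that carry flags."""
    lines = (ln.strip() for ln in log_text.splitlines() if ln.strip())
    return [f for f in (triage_line(ln) for ln in lines) if f.flags]


# Sample log: the first five lines are copied from the thread; the last is constructed.
SAMPLE_LOG = "\n".join([
    r'O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe',
    r'O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe',
    r'O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe',
    r'O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)',
    r'O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll',
    # Constructed entry with a placeholder CLSID, not from the thread:
    r'O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\example.dll',
])

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(", ".join(finding.flags), "<-", finding.line)
```

A flag is a reason to look closer, not a verdict: "Unknown owner" only means the service binary carries no publisher information, which is common for hardware vendors' helpers as well as for malware, so the output is a worklist for the kind of review done in this thread rather than a removal list.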


----------



## elvinj (Feb 8, 2005)

I just followed the CastleCops link and SP2 was mentioned. I was never able to get Service Pack 2, so how important would that be to get as far as staying secure is concerned? I don't know why, but for the longest time I have not been getting Windows updates. A Windows icon would hang out in my sys tray claiming 0% complete. This has been a problem for as long as I can remember and obviously has nothing to do with my recent problem.


----------



## elvinj (Feb 8, 2005)

Thanks Mo!


----------



## Mosaic1 (Aug 17, 2001)

A lot of people with SP2 are limping in here as infected as ever. Some people do recommend it though. 

Have you tried going to Windows Update and scanning? I take it you've been relying on Auto updates. See if you can do that and if there is an error. You need ActiveX to do Windows Update. Go over there using IE.


----------

