Post #1 (Member; Group: Members; Posts: 16; Joined: 27-January 05; Member No.: 10,692)
Steve

Logfile of HijackThis v1.99.0
Scan saved at 12:23:51 PM, on 1/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\msupd5.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\110350~1\EE\AOLServiceHost.exe
C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\AOL Communicator\ac_secdbm.exe
C:\Program Files\AOL Communicator\ac_abook.exe
C:\Program Files\AOL Communicator\ac_mail.exe
C:\Program Files\AOL Communicator\ac_today.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Steve Herlocker\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0578868D-ED8E-2CD1-B92D-7F371FA45FF6} - C:\WINNT\system32\ukzyvmut.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8D4E3156-FB14-9E93-8EFB-97DE277363FF} - C:\WINNT\system32\uftbexgi.dll
O2 - BHO: (no name) - {B69B9DDC-810A-7D63-7F5E-04F3D4796C07} - C:\WINNT\system32\hlvsvcyc.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103508301\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus USB.lnk = C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
O4 - Global Startup: iniptu.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINNT\system32\msupd5.exe
Post #2 (Cleaner on Duty; Group: Malware Study Hall Senior; Posts: 5,571; Joined: 1-September 04; From: Romania; Member No.: 2,383)
Please Download LSPFix from: LSP-Fix

Disconnect from the Internet and close all Internet Explorer windows. Run the program, check the "I know what I'm doing" button and place all listings of aklsp.dll and dolsp.dll into the Remove section by clicking on the button that points to the right. Do not remove any others. When all instances of these DLLs are in the Remove section, press the Finish button.

REBOOT your machine and post a new HijackThis log.

To see a tutorial on how to use this program click the link below:
Using LSP-Fix to remove LSP Spyware & Hijackers

This post has been edited by Daisuke: Jan 28 2005, 02:16 PM
--------------------
Everyday is virus day. Do you know where your recovery CDs are ? Did you create them yet ?
Post #3 (Member; Group: Members; Posts: 16; Joined: 27-January 05; Member No.: 10,692)
Okay did as you said.. Here's the new log...
Thanks

Logfile of HijackThis v1.99.0
Scan saved at 2:08:44 PM, on 1/28/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\msupd5.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\gkgori.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\110350~1\EE\AOLHOS~1.EXE
C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\AOL\110350~1\EE\AOLServiceHost.exe
C:\Documents and Settings\Steve Herlocker\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0578868D-ED8E-2CD1-B92D-7F371FA45FF6} - C:\WINNT\system32\ukzyvmut.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8D4E3156-FB14-9E93-8EFB-97DE277363FF} - C:\WINNT\system32\uftbexgi.dll
O2 - BHO: (no name) - {B69B9DDC-810A-7D63-7F5E-04F3D4796C07} - C:\WINNT\system32\hlvsvcyc.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103508301\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus USB.lnk = C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINNT\system32\msupd5.exe
Post #4 (Cleaner on Duty; Group: Malware Study Hall Senior; Posts: 5,571; Joined: 1-September 04; From: Romania; Member No.: 2,383)
Hi

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

Please submit this file here: http://www.bleepingcomputer.com/submit-malware.php
C:\WINNT\system32\msupd5.exe <-- this file
Thanks

Download Ad-aware SE 1.05: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items. Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

Download System Security Suite here: System Security Suite Download & Tutorial. Unzip it to your desktop. Install the program. Don't use it yet.

Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping the F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0578868D-ED8E-2CD1-B92D-7F371FA45FF6} - C:\WINNT\system32\ukzyvmut.dll
O2 - BHO: (no name) - {8D4E3156-FB14-9E93-8EFB-97DE277363FF} - C:\WINNT\system32\uftbexgi.dll
O2 - BHO: (no name) - {B69B9DDC-810A-7D63-7F5E-04F3D4796C07} - C:\WINNT\system32\hlvsvcyc.dll
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINNT\system32\msupd5.exe
Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if present:
C:\WINNT\system32\ukzyvmut.dll <-- this file
C:\WINNT\system32\uftbexgi.dll <-- this file
C:\WINNT\system32\hlvsvcyc.dll <-- this file
C:\WINNT\system32\msupd5.exe <-- this file

With all windows and browsers closed, clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab tick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button. Close the program.

Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.

REBOOT normally.

Run HijackThis! again and post a new log please.
Post #5 (Member; Group: Members; Posts: 16; Joined: 27-January 05; Member No.: 10,692)
Okay, submitted the file and followed all steps. Adaware found Coolwebsearch and VX2. I keep getting these and I don't know where from??? Also, when I click fix in Adaware the "you are in safe mode" screen reloaded. Then Adaware said it must be run at system startup to remove a file, but then didn't find any bad files at startup...
Anyways, here's my new HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 2:40:19 PM, on 1/29/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\110350~1\EE\AOLHOS~1.EXE
C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iniptu.exe
C:\PROGRA~1\COMMON~1\AOL\110350~1\EE\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Steve Herlocker\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {0578868D-ED8E-2CD1-B92D-7F371FA45FF6} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8D4E3156-FB14-9E93-8EFB-97DE277363FF} - (no file)
O2 - BHO: (no name) - {B69B9DDC-810A-7D63-7F5E-04F3D4796C07} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103508301\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus USB.lnk = C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
Post #6 (Cleaner on Duty; Group: Malware Study Hall Senior; Posts: 5,571; Joined: 1-September 04; From: Romania; Member No.: 2,383)
Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

Please submit also this file:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iniptu.exe <-- this file

REBOOT your computer and post a new log please.
Post #7 (Member; Group: Members; Posts: 16; Joined: 27-January 05; Member No.: 10,692)
There is no iniptu.exe in "c:\Documents and Settings\All Users\start Menu\Programs\Startup". I ran a Windows search for iniptu and came up with the file name "iniptu.exeCommon Startup" (this is the actual file name) in c:\winnt\pss\.
Here's another log anyways (no restart).

Logfile of HijackThis v1.99.0
Scan saved at 5:17:52 PM, on 1/29/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\110350~1\EE\AOLHOS~1.EXE
C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iniptu.exe
C:\PROGRA~1\COMMON~1\AOL\110350~1\EE\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AOL Communicator\ac_secdbm.exe
C:\Program Files\AOL Communicator\ac_abook.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\AOL Communicator\ac_mail.exe
C:\Program Files\AOL Communicator\ac_today.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Steve Herlocker\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {0578868D-ED8E-2CD1-B92D-7F371FA45FF6} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8D4E3156-FB14-9E93-8EFB-97DE277363FF} - (no file)
O2 - BHO: (no name) - {B69B9DDC-810A-7D63-7F5E-04F3D4796C07} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103508301\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus USB.lnk = C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
Post #8 (Cleaner on Duty; Group: Malware Study Hall Senior; Posts: 5,571; Joined: 1-September 04; From: Romania; Member No.: 2,383)
Download KillBox here: KillBox. Unzip it to your desktop.

Copy and paste the following file to the field labeled "Full path of file to delete":
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iniptu.exe
Press the Delete button (the button that looks like a red circle with a white X in it). A dialog box will ask if you want to backup & delete the file; press the YES button.

Navigate to C:\!Submit and submit the file if it is there. Right click the folder and check if it contains a file. If the file is there but it is invisible, ZIP the folder and submit it please.

REBOOT your machine and post a new log please.

This post has been edited by Daisuke: Jan 29 2005, 08:35 PM
Post #9 (Member; Group: Members; Posts: 16; Joined: 27-January 05; Member No.: 10,692)
Ok, used KillBox; it said successfully deleted, but there was no file in c:\!submit. Here's my new log:
Logfile of HijackThis v1.99.0
Scan saved at 6:14:10 PM, on 1/29/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\gkgori.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\110350~1\EE\AOLHOS~1.EXE
C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\AOL\110350~1\EE\AOLServiceHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AOL Communicator\ac_secdbm.exe
C:\Program Files\AOL Communicator\ac_abook.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\AOL Communicator\ac_mail.exe
C:\Program Files\AOL Communicator\ac_today.exe
C:\Documents and Settings\Steve Herlocker\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {0578868D-ED8E-2CD1-B92D-7F371FA45FF6} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8D4E3156-FB14-9E93-8EFB-97DE277363FF} - (no file)
O2 - BHO: (no name) - {B69B9DDC-810A-7D63-7F5E-04F3D4796C07} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103508301\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus USB.lnk = C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
Post #10
Cleaner on Duty Group: Malware Study Hall Senior Posts: 5,571 Joined: 1-September 04 From: Romania Member No.: 2,383
Another file
Start Killbox.exe
Select the Delete on reboot option.
Copy and paste each of the following file(s) to the field labeled "Full path of file to delete":
C:\WINNT\system32\gkgori.exe
A dialog box will ask if you want to delete and reboot now; answer Yes.
Run HijackThis!, press Scan, and put a check mark next to all these:
O2 - BHO: (no name) - {0578868D-ED8E-2CD1-B92D-7F371FA45FF6} - (no file)
O2 - BHO: (no name) - {8D4E3156-FB14-9E93-8EFB-97DE277363FF} - (no file)
O2 - BHO: (no name) - {B69B9DDC-810A-7D63-7F5E-04F3D4796C07} - (no file)
Close all other windows and browsers, and press the Fix Checked button.
Perform a full scan here: BitDefender Free Online Virus Scan
Follow the instructions on the screen. Tick all the boxes on the left and let it remove anything it finds.
REBOOT and post a new log.
--------------------
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?
Post #11
Member Group: Members Posts: 16 Joined: 27-January 05 Member No.: 10,692
Okay, did as you asked but I'm not sure it worked... When I used HijackThis to remove the three files, after hitting Yes and then OK the window just goes white like you haven't scanned yet. Upon restart and running again it does the same thing. Also not sure the virus scan worked completely either. Here is a log of the virus scan:
C:\WINNT\pss\iniptu.exeCommon Startup: infected with Trojan.Downloader.Qoologic.F
C:\WINNT\pss\iniptu.exeCommon Startup: disinfection failed
C:\WINNT\system32\aklsp.dll: infected with Trojan.Downloader.Agent.BR
C:\WINNT\system32\aklsp.dll: deleted
C:\WINNT\system32\dolsp.dll: infected with Trojan.Downloader.Agent.BR
C:\WINNT\system32\dolsp.dll: disinfection failed
C:\WINNT\system32\kvkyba.dat: infected with Trojan.Downloader.Qoologic.F
C:\WINNT\system32\kvkyba.dat: disinfection failed
C:\WINNT\system32\nanubo.dll: infected with Trojan.Downloader.Qoologic.F
C:\WINNT\system32\nanubo.dll: disinfection failed
C:\WINNT\system32\qpqzoy.dll: infected with Trojan.Downloader.Qoologic.D
C:\WINNT\system32\qpqzoy.dll: deleted
Will restart now and post the HijackThis log.
Post #12
Member Group: Members Posts: 16 Joined: 27-January 05 Member No.: 10,692
Logfile of HijackThis v1.99.0
Scan saved at 3:10:03 PM, on 1/30/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\gkgori.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\110350~1\EE\AOLHOS~1.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\COMMON~1\AOL\110350~1\EE\AOLServiceHost.exe
C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Steve Herlocker\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {0578868D-ED8E-2CD1-B92D-7F371FA45FF6} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8D4E3156-FB14-9E93-8EFB-97DE277363FF} - (no file)
O2 - BHO: (no name) - {B69B9DDC-810A-7D63-7F5E-04F3D4796C07} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103508301\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus USB.lnk = C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
Post #13
Cleaner on Duty Group: Malware Study Hall Senior Posts: 5,571 Joined: 1-September 04 From: Romania Member No.: 2,383
Reboot into safe mode and delete these files if still present:
C:\WINNT\pss\iniptu.exeCommon Startup <-- this file
C:\WINNT\system32\dolsp.dll <-- this file
C:\WINNT\system32\kvkyba.dat <-- this file
C:\WINNT\system32\nanubo.dll <-- this file
C:\WINNT\system32\gkgori.exe <-- this file
It is strongly recommended that you back up the registry before making any changes to it. Backing up the Windows registry
Go to Start --> Run, type regedit in the Open box, then click OK.
Navigate to these keys and delete them:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0578868D-ED8E-2CD1-B92D-7F371FA45FF6} <-- this key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8D4E3156-FB14-9E93-8EFB-97DE277363FF} <-- this key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69B9DDC-810A-7D63-7F5E-04F3D4796C07} <-- this key
Download Find It NT-2K-XP.zip. Unzip the contents of Find It NT-2K-XP.zip to a folder, for example c:\findit
Navigate to the c:\findit folder and double-click on find.bat. A command prompt will open and it will search your computer for malicious files. Let it finish. It could take 5 - 10 minutes. Once it has finished a Notepad window will pop up with output.txt.
Copy the entire contents of output.txt into your next post. Post also a new HijackThis log.
--------------------
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?
Post #14
Member Group: Members Posts: 16 Joined: 27-January 05 Member No.: 10,692
Ok...mixed results again. Upon trying to delete the files in safe mode I had varied success. Windows wouldn't let me delete nanubo.dll ("file is being used by Windows"), so I restarted into safe mode with command prompt. Under the command prompt I believe I deleted nanubo.dll and gkgori.exe. The initial search for gkgori.exe resulted in nothing the first time, by the way, but when I typed del gkgori.exe in the command prompt it worked...
Also, under both circumstances regedit would not let me delete any of the three keys. The Windows error message was along the lines of "error cannot delete key. error while deleting key". Here is my output.txt log from findit:

Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Steve Herlocker\Desktop\Find It NT-2K-XP\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 2C93-6246
Directory of C:\WINNT\System32
01/18/2005 11:18a <DIR> dllcache
0 File(s) 0 bytes
1 Dir(s) 103,840,751,616 bytes free

------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 2C93-6246
Directory of C:\WINNT\System32
01/18/2005 11:18a <DIR> dllcache
12/19/2004 05:19p <DIR> GroupPolicy
0 File(s) 0 bytes
2 Dir(s) 103,840,751,616 bytes free

------------ Files Named "Guard" ---------------
Volume in drive C has no label.
Volume Serial Number is 2C93-6246
Directory of C:\WINNT\System32

------ Temp Files in System32 Directory ------
Volume in drive C has no label.
Volume Serial Number is 2C93-6246
Directory of C:\WINNT\System32
12/07/1999 04:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 103,840,751,616 bytes free

------------------ User Agent ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{41BA94DA-0BB1-45DC-AA8C-BE200193B36C}"=""

------------- Keys Under Notify -------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\j06mlaj11do.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

------------- Locate.com Results -------------
No matches found.

-------- Strings.exe Qoologic Results --------
C:\WINNT\system32\aqamwz.exe: updates.qoologic.com
C:\WINNT\system32\nanubo.dll: updates.qoologic.com
C:\WINNT\system32\qpqzoy.dll: updates.qoologic.com

--------- Strings.exe Aspack Results ---------
C:\WINNT\system32\gkgori.exe: .aspack
C:\WINNT\system32\kvkyba.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\iniptu.exe: .aspack

-------------- HKLM Run Key ----------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"SoundMan"="SOUNDMAN.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1103508301\\EE\\AOLHostManager.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"Narrator"="C:\\WINNT\\system32\\gkgori.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

And my HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 4:59:19 PM, on 1/30/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\110350~1\EE\AOLHOS~1.EXE
C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iniptu.exe
C:\PROGRA~1\COMMON~1\AOL\110350~1\EE\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AOL Communicator\ac_secdbm.exe
C:\Program Files\AOL Communicator\ac_abook.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\AOL Communicator\ac_mail.exe
C:\Program Files\AOL Communicator\ac_today.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Steve Herlocker\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {0578868D-ED8E-2CD1-B92D-7F371FA45FF6} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8D4E3156-FB14-9E93-8EFB-97DE277363FF} - (no file)
O2 - BHO: (no name) - {B69B9DDC-810A-7D63-7F5E-04F3D4796C07} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103508301\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus USB.lnk = C:\Program Files\AIRPLUS\D-Link AirPlus DWL-120+ Wireless USB Adapter\AIRPLUS.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Thanks
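As an added example (not a tool from this thread, and not something the helper asked the poster to run), the script below parses two of the artefacts posted above: the O2 lines of a HijackThis log, mapping each "(no file)" BHO to the CLSID subkey under Browser Helper Objects that post #13 has the user delete by hand, and the "Keys Under Notify" block of the Find It output, decoding the hex(2) DllName values and flagging any Winlogon Notify package that is outside a baseline of Windows 2000 default packages or loads its DLL by full path rather than by a bare system32 name. The baseline set and both heuristics are this example's own assumptions, not facts the thread states; the sample lines are constructed from the logs above. On that sample it flags only the WindowsUpdate package.

```python
"""Triage helpers for HijackThis O2 lines and the Winlogon\\Notify section
of a Find It (REGEDIT4) dump.  Added example, not code from the thread.

Heuristics (assumptions of this example):
 - an O2 BHO whose DLL is "(no file)" is an orphaned CLSID registration;
   the key to remove is its CLSID subkey under ...\\Browser Helper Objects;
 - a Winlogon\\Notify package is flagged if its subkey is not in an assumed
   baseline of Windows 2000 defaults, or its DllName is a full path.
"""
import re

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")

# Assumed baseline of Winlogon\Notify subkeys on a stock Windows 2000 SP4 box.
NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sclgntfy", "SensLogn", "wzcnotif"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
DLL_RE = re.compile(r'^"(?:DllName|DLLName)"=(?P<val>.+)$')


def orphaned_bhos(hjt_lines):
    """(clsid, registry key) for every O2 entry whose DLL is missing on disk."""
    found = []
    for line in hjt_lines:
        m = O2_RE.match(line.strip())
        if m and m.group("path").strip() == "(no file)":
            found.append((m.group("clsid"), BHO_KEY + "\\" + m.group("clsid")))
    return found


def _decode_hex2(hexbytes):
    """REG_EXPAND_SZ is exported as hex(2): comma-separated bytes, NUL terminated."""
    raw = bytes(int(b, 16) for b in hexbytes.split(",") if b.strip())
    return raw.rstrip(b"\x00").decode("latin-1")


def parse_notify(reg_text):
    """Map each Winlogon\\Notify subkey to the DLL winlogon.exe will load for it."""
    packages, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            parts = km.group("key").split("\\")
            # only direct subkeys of ...\Winlogon\Notify are packages; skip the parent
            current = parts[-1] if len(parts) > 1 and parts[-2].lower() == "notify" else None
            if current:
                packages[current] = None
            continue
        dm = DLL_RE.match(line)
        if current and dm:
            val = dm.group("val")
            if val.startswith("hex(2):"):
                packages[current] = _decode_hex2(val[len("hex(2):"):])
            else:  # plain REG_SZ: quoted, backslashes doubled in the export
                packages[current] = val.strip('"').replace("\\\\", "\\")
    return packages


def suspicious_notify(packages):
    """(subkey, dll, reason) for packages outside the baseline or using a full path."""
    flagged = []
    for name, dll in packages.items():
        reasons = []
        if name not in NOTIFY_BASELINE:
            reasons.append("subkey not in baseline")
        if dll and ("\\" in dll or ":" in dll):
            reasons.append("DllName is a full path, not a bare system32 name")
        if reasons:
            flagged.append((name, dll, "; ".join(reasons)))
    return flagged


# Constructed samples, taken from the lines of the logs posted in this thread.
SAMPLE_HJT = [
    "O2 - BHO: (no name) - {0578868D-ED8E-2CD1-B92D-7F371FA45FF6} - (no file)",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    "O2 - BHO: (no name) - {8D4E3156-FB14-9E93-8EFB-97DE277363FF} - (no file)",
]

SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"DllName"="C:\\WINNT\\system32\\j06mlaj11do.dll"
"Logon"="WinLogon"
"""

if __name__ == "__main__":
    for clsid, key in orphaned_bhos(SAMPLE_HJT):
        print("orphaned BHO", clsid, "->", key)
    for name, dll, why in suspicious_notify(parse_notify(SAMPLE_REG)):
        print("review Notify package", name, dll, "(" + why + ")")
```

The Notify check is worth keeping in a triage kit because a DLL named under Winlogon\Notify is loaded by winlogon.exe at every logon, which is why a file "in use by Windows" cannot be deleted from a normal session. Replace NOTIFY_BASELINE with an export taken from a known-clean machine of the same Windows version before trusting the baseline result.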
Post #15
Cleaner on Duty Group: Malware Study Hall Senior Posts: 5,571 Joined: 1-September 04 From: Romania Member No.: 2,383
Please make sure you follow my instructions carefully.
Download KillBox here: KillBox. Unzip it to your desktop.
Select the Delete on reboot option.
Copy and paste the following file to the field labeled "Full path of file to delete":
C:\WINNT\system32\aqamwz.exe
Press the Delete button (the button that looks like a red circle with a white X in it).
A first dialog box will ask if you want to delete the file on reboot; press the YES button.
A second dialog box will ask you if you want to REBOOT now; press the NO button.
Repeat the steps above for these files:
C:\WINNT\system32\nanubo.dll
C:\WINNT\system32\qpqzoy.dll
C:\WINNT\system32\gkgori.exe
C:\WINNT\system32\kvkyba.dat
Copy and paste the following file to the field labeled "Full path of file to delete":
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\iniptu.exe
Press the Delete button (the button that looks like a red circle with a white X in it).
A first dialog box will ask if you want to delete the file on reboot; press the YES button.
A second dialog box will ask you if you want to REBOOT now; press the YES button. Your computer will reboot.
Run HijackThis and find.bat again and post the logs.
--------------------
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?