Hijacked! Log attached - please help!
Thread Solved
Join Date: Apr 2004
Posts: 55
Crunchie:
Did as instructed, though I did not see the 2 apps running in the task manager - rebooted in safe mode and deleted the files.
Attached are the two logs as well as a new HJT
Thank You Kind Sir
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "topconverting" 12/16/2004 11:03:07 AM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\static.topconverting.com]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TopConverting]
[HKEY_LOCAL_MACHINE\SOFTWARE\TopConverting]
[HKEY_LOCAL_MACHINE\SOFTWARE\TopConverting]
"InstallDir"="C:\\Program Files\\TopConverting\\"
[HKEY_LOCAL_MACHINE\SOFTWARE\TopConverting\arkanoid]
[HKEY_USERS\S-1-5-21-1764567485-459800859-2736415091-4696\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\static.topconverting.com]
"C:\\Documents and Settings\\GavzyA\\Local Settings\\Temporary Internet Files\\Content.IE5\\SZCB27SJ\\XviD-04102002-1[1].exe"="XviD-04102002-1[1]"
"C:\\Program Files\\TopConverting\\arkanoid\\arkanoid.exe"="Tetris by Crazywinnings"
_____________________________________________________________
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "Crazywinnings" 12/16/2004 11:06:05 AM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
[HKEY_USERS\S-1-5-21-1764567485-459800859-2736415091-4696\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
"C:\\Documents and Settings\\GavzyA\\Local Settings\\Temporary Internet Files\\Content.IE5\\SZCB27SJ\\XviD-04102002-1[1].exe"="XviD-04102002-1[1]"
"C:\\Program Files\\TopConverting\\arkanoid\\arkanoid.exe"="Tetris by Crazywinnings"
__________________________________________________________
Logfile of HijackThis v1.98.2
Scan saved at 11:07:29 AM, on 12/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GravitixService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
C:\Documents and Settings\GavzyA\My Documents\hjt\HijackThis.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - Startup: HotSync Manager.lnk = C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WINDOWS\Temp\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/game...s/y/blt1_x.cab
O16 - DPF: Sametime Meeting Room Client ST31 - http://sbursametime.cognos.com/samet...RoomClient.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/game...ts/y/vtm_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/game.../y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/game...ts/y/rt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/game...s/y/ywt0_x.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://carlson2.centra.com/SiteRoots...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\Software\..\Telephony: DomainName = ent.ad.cognos.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
Always back up your registry before making any changes. The easiest way to do this is to select the entry that you are going to delete with your mouse and go to File and choose Export. Call it any name that you like (Selected branch should be pre-selected) and then send it to a New Folder on your Desktop as a .reg file. If you have no further problems, right-click on the New Folder and delete it. Do NOT double-click on a .reg file unless you want to put it back in your Registry.
Open the registry and navigate to each of these and manually delete them by right-clicking on them and selecting Delete.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\static.topconverting.com]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TopConverting]
[HKEY_LOCAL_MACHINE\SOFTWARE\TopConverting]
[HKEY_LOCAL_MACHINE\SOFTWARE\TopConverting]
"InstallDir"="C:\\Program Files\\TopConverting\\"
[HKEY_LOCAL_MACHINE\SOFTWARE\TopConverting\arkanoid]
[HKEY_USERS\S-1-5-21-1764567485-459800859-2736415091-4696\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\static.topconverting.com]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
[HKEY_USERS\S-1-5-21-1764567485-459800859-2736415091-4696\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
Reboot into safe mode following the instructions here and do the following:
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.
Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.
Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)
This one too if Win2K or XP.
C:\Documents and Settings\username\Local Settings\Temp\
In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.
Empty the Recycle Bin.
Scan with HijackThis and tick the boxes next to all the following entries, then close all browser and Explorer windows, and hit the "Fix checked" button.
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
Reboot normally after doing the above, rescan with HijackThis, then post that log here please.
Crunchie! From the log it would seem that all has been fixed.
Please let me know if you see anything else.
Thanks!
Also - would like to do something appropriate for the folks at DaniWeb.
Any ideas?
Logfile of HijackThis v1.98.2
Scan saved at 7:45:53 AM, on 12/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\GavzyA\My Documents\hjt\HijackThis.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WINDOWS\Temp\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/game...s/y/blt1_x.cab
O16 - DPF: Sametime Meeting Room Client ST31 - http://sbursametime.cognos.com/samet...RoomClient.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/game...ts/y/vtm_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/game.../y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/game...ts/y/rt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/game...s/y/ywt0_x.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://carlson2.centra.com/SiteRoots...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\Software\..\Telephony: DomainName = ent.ad.cognos.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
Looks like you may have done this log in safe mode? If so, just take a normal log and see if the unwanted entries are gone.
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
were the only baddies in your previous log.
What were you thinking??
Crunchie -
Still seem to be getting pop-ups -
Have posted the latest log.
Pop up is : http://www.seeq.com/popupwrapper.jsp...om&direct=true
Have also posted the latest log.
You all have been very helpful and patient - not sure but would like to say "thanks" somehow, but not sure how as I don't have standard mail addresses or anything else - A contribution to a charity in the name of DaniWeb? Anything.
Anyway - here is the latest log. Has a few O1 entries - not sure what these are:
Logfile of HijackThis v1.98.2
Scan saved at 9:35:31 AM, on 12/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GravitixService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\GavzyA\My Documents\hjt\HijackThis.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - Startup: HotSync Manager.lnk = C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WINDOWS\Temp\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/game...s/y/blt1_x.cab
O16 - DPF: Sametime Meeting Room Client ST31 - http://sbursametime.cognos.com/samet...RoomClient.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/game...ts/y/vtm_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/game.../y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/game...ts/y/rt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/game...s/y/ywt0_x.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://carlson2.centra.com/SiteRoots...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\Software\..\Telephony: DomainName = ent.ad.cognos.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
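As an added example (this is not code from the thread, from HijackThis or from RegSrch.vbs), the script below automates the two things the thread does by hand: the Trusted Zone clean-up in Crunchie's instructions above, and the O1 lines the poster asks about in the last log. An O1 line is a hosts-file entry; auto.search.msn.com and search.netscape.com are the names IE 6 resolves for its address-bar auto-search, so mapping them to a routable address such as 69.20.16.183 (rather than 127.0.0.1, which merely blocks a name) sends every failed URL and typed search term to that server. The script parses the O1/O15 lines, separates redirects from harmless sinkhole entries, emits a REGEDIT4 script that deletes the ZoneMap keys (the `[-KEY]` form deletes a key when the file is merged), and strips the flagged lines from a hosts file. The sample log and hosts lines embedded in it are constructed from the entries posted in this thread; the ZoneMap key layout is the one the RegSrch output shows (`Domains\frame.crazywinnings.com`, with HijackThis displaying the `*` protocol value as a `*.` prefix).

```python
"""Triage HijackThis O1 (hosts file) and O15 (Trusted Zone) lines and build
the clean-up artifacts: a REGEDIT4 script that deletes the ZoneMap keys and
a hosts file with the redirecting lines removed.

Added example, not code from the thread, HijackThis or RegSrch.vbs.
SAMPLE_LOG and SAMPLE_HOSTS are constructed from the entries posted above.
"""
import ipaddress
import re

# Constructed sample input: the O1/O15 lines from the thread, one benign
# ad-blocking O1 line and one O4 line to show what the parser ignores.
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 ads.example.net
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
"""

# Constructed hosts file matching the O1 lines above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net
69.20.16.183    auto.search.msn.com
69.20.16.183    search.netscape.com
69.20.16.183    ieautosearch
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O15_RE = re.compile(r"^O15 - Trusted Zone:\s+(\S+)")

# Names IE 6 resolves for its address-bar auto-search. A hosts entry that
# points them at a routable address redirects every failed URL and typed
# search term to that server.
IE_SEARCH_NAMES = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

# Registry key names are case-insensitive, so this matches the thread's
# HKLM\SOFTWARE\... and HKEY_USERS\<SID>\Software\... paths alike.
ZONEMAP_SUBKEY = (r"Software\Microsoft\Windows\CurrentVersion"
                  r"\Internet Settings\ZoneMap\Domains")


def is_sinkhole(ip: str) -> bool:
    """127.x / 0.0.0.0 entries only block a name; they do not redirect it."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def triage(log_text: str, trusted_allowlist=frozenset()) -> dict:
    """Return the O1 redirects and O15 Trusted Zone domains worth fixing."""
    redirects, trusted = [], []
    for line in log_text.splitlines():
        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            if not is_sinkhole(ip):
                redirects.append({"ip": ip, "host": host,
                                  "search_hijack": host.lower() in IE_SEARCH_NAMES})
            continue
        m = O15_RE.match(line)
        if m:
            # HijackThis shows the key's "*" protocol value as a "*." prefix;
            # the ZoneMap key itself is named after the bare domain.
            shown = m.group(1)
            domain = shown[2:] if shown.startswith("*.") else shown
            if domain.lower() not in trusted_allowlist:
                trusted.append(domain)
    return {"hosts_redirects": redirects, "trusted_zones": trusted}


def zonemap_removal_reg(domains) -> str:
    """REGEDIT4 script; a leading '-' on a key line deletes that key on merge.

    Both hives are covered because RegSrch found the domains under HKLM and
    under the user's HKEY_USERS\\<SID> branch, which is HKEY_CURRENT_USER
    when the file is merged from that user's own session.
    """
    lines = ["REGEDIT4", ""]
    for d in domains:
        for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
            lines.append(f"[-{hive}\\{ZONEMAP_SUBKEY}\\{d}]")
            lines.append("")
    return "\n".join(lines)


def clean_hosts(hosts_text: str, redirects) -> str:
    """Drop only the exact ip/name pairs triage flagged; keep comments,
    localhost, LAN names and ad-blocking sinkhole entries untouched."""
    bad = {(r["ip"], r["host"].lower()) for r in redirects}
    kept = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and any((fields[0], n.lower()) in bad for n in fields[1:]):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for r in found["hosts_redirects"]:
        kind = "IE search hijack" if r["search_hijack"] else "redirect"
        print(f"O1 {kind}: {r['host']} -> {r['ip']}")
    print(zonemap_removal_reg(found["trusted_zones"]))
    print(clean_hosts(SAMPLE_HOSTS, found["hosts_redirects"]))
```

The generated .reg file is the mirror image of the backup Crunchie asks for: export the keys first, merge the removal script, and keep the export so the change can be reversed. Editing the real hosts file (`C:\WINDOWS\system32\drivers\etc\hosts` on XP) needs an administrator account and, if a program keeps rewriting it, the rewrite will reappear after a reboot, which is a sign that an O4 startup entry still needs attention.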
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/game...ts/y/rt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/game...s/y/ywt0_x.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://carlson2.centra.com/SiteRoots...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\Software\..\Telephony: DomainName = ent.ad.cognos.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
You need to update hijackthis to version 1.99. Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. If the site is down, go here. Remove the old version by opening the program, going to config\misc tools, then uninstall & exit. You then have to delete the file manually. Unzip the new version into the hijackthis folder.
Download and run VX2Finder(.exe).
http://www.downloads.subratam.org/VX2Finder.exe
Open the program and click the 'Click to Find VX2.aBetterInternet' button. This will attempt to find all VX2 related files and registry keys and, when present, display them in its logfile. To create a logfile, click the button named 'Make Log'. This will open the logfile in Notepad. Please copy/paste the results and post them in this topic.
Download these two tools:
http://www.downloads.subratam.org/DllCompare.exe
&
http://www.downloads.subratam.org/KillBox.exe
Run DllCompare by clicking "Run Locate.com", then click the Compare button. When it is done, post that log here. Do not reboot, because all the filenames will change otherwise.
Join Date: Apr 2004
Posts: 55
Solved Threads: 0
Crunchie:
New HJT installed and ready to go
Log file from VX2Finder:
Log for VX2.BetterInternet File Finder
Files Found---
Guardian Key--- is called:
Asynchronous 000
DllName
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Shutdown WinShutdown
User Agent String---
{4E1C22C6-2A06-45F9-9B68-0CC06C808101}
LOG FROM DLL COMPARE:
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\blfks.dll Fri Nov 19 2004 4:37:46a A.SH. 56,320 55.00 K
C:\WINDOWS\SYSTEM32\cgxsv.dll Fri Dec 10 2004 11:57:10p A.SH. 56,320 55.00 K
C:\WINDOWS\SYSTEM32\cqsync.dll Fri Dec 17 2004 7:38:30a ..S.R 223,895 218.64 K
C:\WINDOWS\SYSTEM32\dykquoui.dll Wed Dec 15 2004 5:43:24p ..S.R 224,770 219.50 K
C:\WINDOWS\SYSTEM32\fplo03~1.dll Wed Dec 15 2004 11:06:56a ..S.R 223,232 218.00 K
C:\WINDOWS\SYSTEM32\galhj.dll Sat Dec 11 2004 9:32:38p A.SH. 56,320 55.00 K
C:\WINDOWS\SYSTEM32\i460le~1.dll Fri Dec 17 2004 7:46:30a ..S.R 223,895 218.64 K
C:\WINDOWS\SYSTEM32\ibmpagnt.dll Thu Dec 16 2004 10:52:54a ..S.R 224,770 219.50 K
C:\WINDOWS\SYSTEM32\ifq.dll Wed Dec 15 2004 8:31:14p ..S.R 224,770 219.50 K
C:\WINDOWS\SYSTEM32\ipso32.dll Wed Dec 15 2004 10:52:08a A.SH. 98,816 96.50 K
C:\WINDOWS\SYSTEM32\jumps.dll Thu Nov 18 2004 3:23:02p A.SH. 56,320 55.00 K
C:\WINDOWS\SYSTEM32\kydcz2.dll Wed Dec 15 2004 5:06:36p ..S.R 223,895 218.64 K
C:\WINDOWS\SYSTEM32\ltnkinfo.dll Thu Dec 16 2004 10:41:02a ..S.R 223,895 218.64 K
C:\WINDOWS\SYSTEM32\lvr209~1.dll Fri Dec 17 2004 9:21:44a ..S.R 226,054 220.75 K
C:\WINDOWS\SYSTEM32\m4640e~1.dll Wed Dec 15 2004 11:25:50a ..S.R 224,359 219.10 K
C:\WINDOWS\SYSTEM32\mgrd3x40.dll Thu Dec 16 2004 11:01:00a ..S.R 223,895 218.64 K
C:\WINDOWS\SYSTEM32\mqrev43.dll Wed Dec 15 2004 7:55:08p ..S.R 224,770 219.50 K
C:\WINDOWS\SYSTEM32\muastmib.dll Fri Dec 17 2004 7:27:58a ..S.R 225,755 220.46 K
C:\WINDOWS\SYSTEM32\n44s0e~1.dll Wed Dec 15 2004 12:29:22p ..S.R 224,639 219.37 K
C:\WINDOWS\SYSTEM32\n4l80e~1.dll Wed Dec 15 2004 11:33:50a ..S.R 223,895 218.64 K
C:\WINDOWS\SYSTEM32\nitui0.dll Wed Dec 15 2004 8:20:44p ..S.R 223,895 218.64 K
C:\WINDOWS\SYSTEM32\wynsta.dll Fri Dec 17 2004 9:21:44a ..S.R 225,755 220.46 K
C:\WINDOWS\SYSTEM32\zoxqf.dll Fri Nov 19 2004 11:40:22p A.SH. 56,320 55.00 K
________________________________________________
1,250 items found: 1,250 files (23 H/S), 0 directories.
Total of file sizes: 231,480,091 bytes 220.75 M
Administrator Account = True
--------------------End log---------------------
You got the latest VX2 infection. Stay offline whilst doing the following fix. Go offline now.
Open the killbox. Paste in the line; C:\WINDOWS\SYSTEM32\blfks.dll
With the full path to the file name in the topmost textbox, click the option Use Dummy which will create a numbered dummy file instantly for you.
Click the Red X. For the confirmation message that will appear, click Yes.
A second message will ask "Reboot now?"; click No (since you are not finished adding all related files yet).
Repeat this process until you reach the last line, when you will close all open programs and reboot your computer.
C:\WINDOWS\SYSTEM32\cgxsv.dll
C:\WINDOWS\SYSTEM32\cqsync.dll
C:\WINDOWS\SYSTEM32\dykquoui.dll
C:\WINDOWS\SYSTEM32\fplo03~1.dll
C:\WINDOWS\SYSTEM32\galhj.dll
C:\WINDOWS\SYSTEM32\i460le~1.dll
C:\WINDOWS\SYSTEM32\ibmpagnt.dll
C:\WINDOWS\SYSTEM32\ifq.dll
C:\WINDOWS\SYSTEM32\ipso32.dll
C:\WINDOWS\SYSTEM32\jumps.dll
C:\WINDOWS\SYSTEM32\kydcz2.dll
C:\WINDOWS\SYSTEM32\ltnkinfo.dll
C:\WINDOWS\SYSTEM32\lvr209~1.dll
C:\WINDOWS\SYSTEM32\m4640e~1.dll
C:\WINDOWS\SYSTEM32\mgrd3x40.dll
C:\WINDOWS\SYSTEM32\mqrev43.dll
C:\WINDOWS\SYSTEM32\muastmib.dll
C:\WINDOWS\SYSTEM32\n44s0e~1.dll
C:\WINDOWS\SYSTEM32\n4l80e~1.dll
C:\WINDOWS\SYSTEM32\nitui0.dll
C:\WINDOWS\SYSTEM32\wynsta.dll
C:\WINDOWS\SYSTEM32\zoxqf.dll
Add this one too; C:\Windows\System32\Guard.tmp
After a Reboot, Use the DllCompare again and create another log.
If all was successful, it should be empty. Post that log here.
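The two helper posts above (the DllCompare instructions, and the KillBox list built from its output) are a manual triage of the "files Windows does not see" section. The script below is an added example by the editor, not a tool from the thread or from the DllCompare/KillBox authors: it parses that section of the log offline, groups the hidden files by size, and emits the path list to paste into KillBox. The sample log is constructed from a subset of the real lines posted above. Assumptions not stated on the page: the five-slot attribute field is read as Archive, (unknown), System, Hidden, Read-only in that order, and the size-clustering heuristic (several differently named DLLs of near-identical size, as this variant dropped) is mine; the helper in the thread simply killed everything the tool listed.

```python
"""Triage a DLLCompare log offline: parse the 'files Windows does not see'
section, group entries by file size and emit the list to paste into KillBox."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the real DLLCompare lines posted in this thread,
# kept verbatim so the parser is exercised on the tool's actual column layout.
SAMPLE_LOG = r"""
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\blfks.dll Fri Nov 19 2004 4:37:46a A.SH. 56,320 55.00 K
C:\WINDOWS\SYSTEM32\cgxsv.dll Fri Dec 10 2004 11:57:10p A.SH. 56,320 55.00 K
C:\WINDOWS\SYSTEM32\cqsync.dll Fri Dec 17 2004 7:38:30a ..S.R 223,895 218.64 K
C:\WINDOWS\SYSTEM32\dykquoui.dll Wed Dec 15 2004 5:43:24p ..S.R 224,770 219.50 K
C:\WINDOWS\SYSTEM32\fplo03~1.dll Wed Dec 15 2004 11:06:56a ..S.R 223,232 218.00 K
C:\WINDOWS\SYSTEM32\ifq.dll Wed Dec 15 2004 8:31:14p ..S.R 224,770 219.50 K
C:\WINDOWS\SYSTEM32\ipso32.dll Wed Dec 15 2004 10:52:08a A.SH. 98,816 96.50 K
C:\WINDOWS\SYSTEM32\zoxqf.dll Fri Nov 19 2004 11:40:22p A.SH. 56,320 55.00 K
________________________________________________
1,250 items found: 1,250 files (23 H/S), 0 directories.
"""


@dataclass(frozen=True)
class Entry:
    path: str
    attrs: str   # five-slot attribute field exactly as DLLCompare prints it
    size: int    # bytes

    # Assumption: slot layout is A ? S H R (Archive, unknown, System, Hidden, Read-only).
    @property
    def system(self) -> bool:
        return self.attrs[2] == "S"

    @property
    def hidden(self) -> bool:
        return self.attrs[3] == "H"

    @property
    def readonly(self) -> bool:
        return self.attrs[4] == "R"


# One data line: <path> <Day Mon D YYYY h:mm:ssa|p> <attrs> <bytes> <KB> K
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<date>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+"
    r"(?P<size>[\d,]+)\s+[\d.]+ K$"
)


def parse_dllcompare(text: str) -> list[Entry]:
    """Return the file entries; header, separator and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["path"], m["attrs"], int(m["size"].replace(",", ""))))
    return entries


def size_clusters(entries: list[Entry], tol: float = 0.02) -> list[list[Entry]]:
    """Sort by size and group neighbours whose size differs by at most tol (2%).
    A dropper that writes the same payload under random names produces such runs."""
    clusters: list[list[Entry]] = []
    for e in sorted(entries, key=lambda e: e.size):
        if clusters and e.size - clusters[-1][-1].size <= tol * clusters[-1][-1].size:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def triage(text: str, min_cluster: int = 2) -> dict:
    """Split entries into 'flagged' (part of a size cluster) and 'review' (singletons)."""
    flagged: list[Entry] = []
    review: list[Entry] = []
    for cluster in size_clusters(parse_dllcompare(text)):
        (flagged if len(cluster) >= min_cluster else review).extend(cluster)
    return {"flagged": flagged, "review": review}


def killbox_list(entries: list[Entry], extra=()) -> str:
    """One full path per line, the format KillBox's textbox expects; 'extra' is for
    files the tool cannot list, such as the Guard.tmp the helper added by hand."""
    return "\n".join([e.path for e in entries] + list(extra))


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Paste into KillBox:")
    print(killbox_list(result["flagged"], extra=[r"C:\Windows\System32\Guard.tmp"]))
    print("Review manually:", [e.path for e in result["review"]])
```

In the constructed sample this yields a run of three 56,320-byte DLLs and four of roughly 224 KB, while ipso32.dll (98,816 bytes) is left for manual review; on the full log in the thread the same rule groups all 23 files except that one. Note that a singleton is only "unclustered", not clean: the helper killed ipso32.dll too, and the later post shows the same pattern in C:\WINDOWS, so the script is a first pass, not a verdict.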
Join Date: Apr 2004
Posts: 55
Solved Threads: 0
Crunchie:
Ran the DLLcompare the second time and it still showed the
C:\WINDOWS\SYSTEM32\ibmpagnt.dll
Ran it a third time, showed the above file and one other.
Ran the Kill and the compare again and it came up with the following - which I assume means that I'm fixed, but will wait for your confirmation!
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found"
________________________________________________
1,250 items found: 1,250 files, 0 directories.
Total of file sizes: 227,283,839 bytes 216.75 M
Administrator Account = True
--------------------End log---------------------
Again - my most sincere thanks - and my question still stands - without being able to send something to you/DMR/crapsie directly - how can I best thank you all for everything?:p
Join Date: Apr 2004
Posts: 55
Solved Threads: 0
Crunchie:
Also just realized that I ran the DLLcompare against c:\windows\system32
Should it have been run against c:\windows?
I ran it there and got the following log:
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\hdguf.dll Sun Dec 12 2004 4:43:30a A.SH. 56,320 55.00 K
C:\WINDOWS\mfcpo.dll Fri Dec 3 2004 9:18:12p A.SH. 99,636 97.30 K
C:\WINDOWS\srove.dll Wed Nov 17 2004 11:57:40p A.SH. 56,320 55.00 K
C:\WINDOWS\trbuy.dll Fri Nov 12 2004 8:02:54p A.SH. 56,320 55.00 K
C:\WINDOWS\ypfjq.dll Tue Dec 14 2004 2:42:40a A.SH. 56,320 55.00 K
________________________________________________
3,494 items found: 3,494 files (5 H/S), 0 directories.
Total of file sizes: 688,863,702 bytes 656.95 M
Administrator Account = True
--------------------End log---------------------