Views: 9112 | Replies: 70 | Solved
Join Date: Nov 2004
Posts: 70
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINNTOLD\SYSTEM32\o048la~1.dll Wed Dec 29 2004 2:10:48p ..S.R 222,920 217.70 K
C:\WINNTOLD\SYSTEM32\uyimdmat.dll Wed Dec 29 2004 10:22:16p ..S.R 225,348 220.07 K
C:\WINNTOLD\SYSTEM32\irlsl5~1.dll Wed Dec 15 2004 7:36:10p ..S.R 223,745 218.50 K
C:\WINNTOLD\SYSTEM32\jtjm07~1.dll Wed Dec 22 2004 9:32:06a ..S.R 225,980 220.68 K
C:\WINNTOLD\SYSTEM32\j8j60i~1.dll Mon Dec 20 2004 5:05:10p ..S.R 225,980 220.68 K
C:\WINNTOLD\SYSTEM32\hr8405~1.dll Wed Dec 22 2004 10:07:34a ..S.R 222,450 217.23 K
C:\WINNTOLD\SYSTEM32\ir2sl5~1.dll Thu Dec 23 2004 6:05:54p ..S.R 226,008 220.71 K
C:\WINNTOLD\SYSTEM32\r6r60g~1.dll Tue Dec 28 2004 4:09:02p ..S.R 224,283 219.02 K
C:\WINNTOLD\SYSTEM32\n44s0e~1.dll Wed Dec 29 2004 2:28:18p ..S.R 225,103 219.82 K
C:\WINNTOLD\SYSTEM32\j0j6la~1.dll Wed Dec 22 2004 9:41:58a ..S.R 225,980 220.68 K
C:\WINNTOLD\SYSTEM32\ir6ql5~1.dll Tue Dec 28 2004 4:41:16p ..S.R 224,701 219.43 K
C:\WINNTOLD\SYSTEM32\lvpq09~1.dll Tue Dec 28 2004 6:36:14p ..S.R 225,600 220.31 K
C:\WINNTOLD\SYSTEM32\c2000c~1.dll Wed Dec 22 2004 10:29:36a ..S.R 225,982 220.68 K
C:\WINNTOLD\SYSTEM32\k4jsle~1.dll Tue Dec 14 2004 9:36:48p ..S.R 223,745 218.50 K
C:\WINNTOLD\SYSTEM32\l4n4le~1.dll Tue Dec 14 2004 5:31:56p ..S.R 224,826 219.55 K
C:\WINNTOLD\SYSTEM32\fp2m03~1.dll Tue Dec 28 2004 7:22:46p ..S.R 225,035 219.76 K
C:\WINNTOLD\SYSTEM32\jtno07~1.dll Thu Dec 9 2004 8:10:58p ..S.R 223,589 218.35 K
C:\WINNTOLD\SYSTEM32\m0jula~1.dll Fri Dec 17 2004 5:45:14p ..S.R 225,655 220.36 K
C:\WINNTOLD\SYSTEM32\ir44l5~1.dll Wed Dec 29 2004 4:21:28p ..S.R 225,348 220.07 K
C:\WINNTOLD\SYSTEM32\irr8l5~1.dll Wed Dec 15 2004 6:29:18p ..S.R 223,745 218.50 K
C:\WINNTOLD\SYSTEM32\j4p0le~1.dll Wed Dec 15 2004 7:51:26a ..S.R 223,745 218.50 K
C:\WINNTOLD\SYSTEM32\dn6001~1.dll Mon Dec 20 2004 11:04:44a ..S.R 225,414 220.13 K
C:\WINNTOLD\SYSTEM32\jt6m07~1.dll Sat Dec 18 2004 7:42:42p ..S.R 224,295 219.04 K
C:\WINNTOLD\SYSTEM32\enrul1~1.dll Wed Dec 29 2004 10:06:54p ..S.R 223,203 217.97 K
C:\WINNTOLD\SYSTEM32\p46s0e~1.dll Tue Dec 28 2004 6:49:04p ..S.R 225,676 220.39 K
C:\WINNTOLD\SYSTEM32\k826li~1.dll Mon Dec 20 2004 12:38:14p ..S.R 223,022 217.79 K
C:\WINNTOLD\SYSTEM32\lvr209~1.dll Mon Dec 20 2004 1:07:14p ..S.R 226,279 220.97 K
C:\WINNTOLD\SYSTEM32\en88l1~1.dll Thu Dec 23 2004 8:47:22a ..S.R 225,980 220.68 K
C:\WINNTOLD\SYSTEM32\f6l02g~1.dll Tue Dec 28 2004 7:03:28p ..S.R 223,226 217.99 K
C:\WINNTOLD\SYSTEM32\l4r0le~1.dll Tue Dec 28 2004 7:36:08p ..S.R 226,006 220.71 K
C:\WINNTOLD\SYSTEM32\r48s0e~1.dll Wed Dec 29 2004 3:34:08p ..S.R 225,143 219.86 K
C:\WINNTOLD\SYSTEM32\m8ls0i~1.dll Wed Dec 29 2004 9:49:46p ..S.R 226,086 220.79 K
C:\WINNTOLD\SYSTEM32\o0pqla~1.dll Wed Dec 29 2004 9:58:06p ..S.R 222,993 217.77 K
C:\WINNTOLD\SYSTEM32\m082la~1.dll Wed Dec 29 2004 10:22:14p ..S.R 222,848 217.63 K
________________________________________________
1,026 items found: 1,026 files (34 H/S), 0 directories.
Total of file sizes: 187,348,969 bytes 178.67 M
Administrator Account = True
--------------------End log---------------------
Log for VX2.BetterInternet File Finder
Files Found---
Guardian Key--- is called:
User Agent String---
{2BE5D559-30E5-41F7-8335-5D07419E1634}
"Silent Runners.vbs", revision 28, launched at: 22:17
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows 2000
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0" ["Webroot Software, Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSConfig" = "C:\WINNTOLD\msconfig.exe /auto" [MS]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"TrojanScanner" = "C:\Program Files\Trojan Remover\Trjscan.exe" ["Simply Super Software"]
"Narrator" = "C:\WINNTOLD\system32\viyrrv.exe" [null data]
HKLM\Software\Microsoft\Active Setup\Installed Components\
"9c5f97f3-d620-4ecb-88f2-d6772da2e0df\(Default)" = ""
\StubPath = "C:\WINNTOLD\system32\lzpwwl.exe" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\System32\hticons.dll" ["Hilgraeve, Inc."]
"{813790D8-68CD-4318-9F5C-1847AD1AB483}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
"{FA050674-5655-4D8C-A785-EA25A159DEDB}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\su3res.dll" [null data]
"{F82121F6-B27E-4B55-BF51-41C1B5B3F8EF}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
-> CLSID InProcServer32 resolves to: "c:\Program Files\interMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
"{1BDD258C-7D21-48F0-A4B6-A0AC476250F7}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\pjrfos.dll" [null data]
"{9159CE34-BF49-40D8-AA6D-E116642E9D8C}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\CFMCAT.DLL" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Applets\DLLName" = "C:\WINNTOLD\system32\ir44l5hq1.dll" [null data]
Enabled Scheduled Tasks:
------------------------
"avg" -> launches: "C:\Documents and Settings\JBaker\Desktop\avg.doc" [file not found]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer - Thom" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users.WINNTOLD\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNTOLD\\system32\\ir44l5hq1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
Here it is... Thanks again
Join Date: Feb 2004
Location: Oztralya
Posts: 7,712
Stay offline when doing the following fix.
Open killbox and paste in C:\WINNTOLD\SYSTEM32\o048la~1.dll
With the full path to the file name in the topmost textbox, click the options *replace on reboot* and *Use Dummy*, which will create a numbered dummy file instantly for you.
Click the Red X, and for the confirmation message that will appear, you will need to click Yes.
A second message will ask "Reboot now?"; you will need to click No (since you are not finished adding all related files in yet).
Repeat the above for each of these:
C:\WINNTOLD\SYSTEM32\uyimdmat.dll
C:\WINNTOLD\SYSTEM32\irlsl5~1.dll
C:\WINNTOLD\SYSTEM32\jtjm07~1.dll
C:\WINNTOLD\SYSTEM32\j8j60i~1.dll
C:\WINNTOLD\SYSTEM32\hr8405~1.dll
C:\WINNTOLD\SYSTEM32\ir2sl5~1.dll
C:\WINNTOLD\SYSTEM32\r6r60g~1.dll
C:\WINNTOLD\SYSTEM32\n44s0e~1.dll
C:\WINNTOLD\SYSTEM32\j0j6la~1.dll
C:\WINNTOLD\SYSTEM32\ir6ql5~1.dll
C:\WINNTOLD\SYSTEM32\lvpq09~1.dll
C:\WINNTOLD\SYSTEM32\c2000c~1.dll
C:\WINNTOLD\SYSTEM32\k4jsle~1.dll
C:\WINNTOLD\SYSTEM32\l4n4le~1.dll
C:\WINNTOLD\SYSTEM32\fp2m03~1.dll
C:\WINNTOLD\SYSTEM32\jtno07~1.dll
C:\WINNTOLD\SYSTEM32\m0jula~1.dll
C:\WINNTOLD\SYSTEM32\ir44l5~1.dll
C:\WINNTOLD\SYSTEM32\irr8l5~1.dll
C:\WINNTOLD\SYSTEM32\j4p0le~1.dll
C:\WINNTOLD\SYSTEM32\dn6001~1.dll
C:\WINNTOLD\SYSTEM32\jt6m07~1.dll
C:\WINNTOLD\SYSTEM32\enrul1~1.dll
C:\WINNTOLD\SYSTEM32\p46s0e~1.dll
C:\WINNTOLD\SYSTEM32\k826li~1.dll
C:\WINNTOLD\SYSTEM32\lvr209~1.dll
C:\WINNTOLD\SYSTEM32\en88l1~1.dll
C:\WINNTOLD\SYSTEM32\f6l02g~1.dll
C:\WINNTOLD\SYSTEM32\l4r0le~1.dll
C:\WINNTOLD\SYSTEM32\r48s0e~1.dll
C:\WINNTOLD\SYSTEM32\m8ls0i~1.dll
C:\WINNTOLD\SYSTEM32\o0pqla~1.dll
C:\WINNTOLD\SYSTEM32\m082la~1.dll
C:\Windows\System32\Guard.tmp
C:\WINNTOLD\system32\viyrrv.exe
C:\WINNTOLD\system32\lzpwwl.exe
C:\WINNTOLD\system32\su3res.dll
C:\WINNTOLD\system32\pjrfos.dll
C:\WINNTOLD\system32\CFMCAT.DLL
On that last file, double check to make certain you have them all entered, close all programs and Reboot your computer.
Post another log from dllcompare please. Post another silent runners log too, please.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
Join Date: Nov 2004
Posts: 70
Originally Posted by crunchie
Stay offline when doing the following fix.
Open killbox and paste in C:\WINNTOLD\SYSTEM32\o048la~1.dll
With the full path to the file name in the topmost textbox, click the options *replace on reboot* and *Use Dummy*, which will create a numbered dummy file instantly for you.
Click the Red X, and for the confirmation message that will appear, you will need to click Yes.
A second message will ask "Reboot now?"; you will need to click No (since you are not finished adding all related files in yet).
Repeat the above for each of these:
C:\WINNTOLD\SYSTEM32\uyimdmat.dll
C:\WINNTOLD\SYSTEM32\irlsl5~1.dll
C:\WINNTOLD\SYSTEM32\jtjm07~1.dll
C:\WINNTOLD\SYSTEM32\j8j60i~1.dll
C:\WINNTOLD\SYSTEM32\hr8405~1.dll
C:\WINNTOLD\SYSTEM32\ir2sl5~1.dll
C:\WINNTOLD\SYSTEM32\r6r60g~1.dll
C:\WINNTOLD\SYSTEM32\n44s0e~1.dll
C:\WINNTOLD\SYSTEM32\j0j6la~1.dll
C:\WINNTOLD\SYSTEM32\ir6ql5~1.dll
C:\WINNTOLD\SYSTEM32\lvpq09~1.dll
C:\WINNTOLD\SYSTEM32\c2000c~1.dll
C:\WINNTOLD\SYSTEM32\k4jsle~1.dll
C:\WINNTOLD\SYSTEM32\l4n4le~1.dll
C:\WINNTOLD\SYSTEM32\fp2m03~1.dll
C:\WINNTOLD\SYSTEM32\jtno07~1.dll
C:\WINNTOLD\SYSTEM32\m0jula~1.dll
C:\WINNTOLD\SYSTEM32\ir44l5~1.dll
C:\WINNTOLD\SYSTEM32\irr8l5~1.dll
C:\WINNTOLD\SYSTEM32\j4p0le~1.dll
C:\WINNTOLD\SYSTEM32\dn6001~1.dll
C:\WINNTOLD\SYSTEM32\jt6m07~1.dll
C:\WINNTOLD\SYSTEM32\enrul1~1.dll
C:\WINNTOLD\SYSTEM32\p46s0e~1.dll
C:\WINNTOLD\SYSTEM32\k826li~1.dll
C:\WINNTOLD\SYSTEM32\lvr209~1.dll
C:\WINNTOLD\SYSTEM32\en88l1~1.dll
C:\WINNTOLD\SYSTEM32\f6l02g~1.dll
C:\WINNTOLD\SYSTEM32\l4r0le~1.dll
C:\WINNTOLD\SYSTEM32\r48s0e~1.dll
C:\WINNTOLD\SYSTEM32\m8ls0i~1.dll
C:\WINNTOLD\SYSTEM32\o0pqla~1.dll
C:\WINNTOLD\SYSTEM32\m082la~1.dll
C:\Windows\System32\Guard.tmp
C:\WINNTOLD\system32\viyrrv.exe
C:\WINNTOLD\system32\lzpwwl.exe
C:\WINNTOLD\system32\su3res.dll
C:\WINNTOLD\system32\pjrfos.dll
C:\WINNTOLD\system32\CFMCAT.DLL
On that last file, double check to make certain you have them all entered, close all programs and Reboot your computer.
Post another log from dllcompare please. Post another silent runners log too, please.
When you say on the last file to double check to make certain you have them all, how can I tell that they are all entered? Also, was I supposed to click Use Dummy for every one of them? (I did.) Am rebooting now and will post another log. While in Killbox and killing the last entry, when I hit restart I got a message that said "Pendingfilerenameoperations Registry Data has been removed by external process".
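A small triage script, added here as an example and not a tool from this thread, that pulls the hidden-file list out of a DLLCompare log (the checklist the killbox step works from) and compares the entries flagged in two Silent Runners logs to show which survived the reboot. The sample logs are trimmed from the ones posted above; the regular expressions and function names are my own assumptions about the two log formats.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# DLLCompare "Files Found" line, e.g.
#   C:\WINNTOLD\SYSTEM32\o048la~1.dll Wed Dec 29 2004 2:10:48p ..S.R 222,920 217.70 K
# Assumes the path has no spaces (DLLCompare prints 8.3 names, as in the thread).
DLLCOMPARE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+)\s+\w{3} \w{3}\s+\d+ \d{4} \S+\s+"
    r"(?P<attrs>[.A-Z]{5})\s+(?P<size>[\d,]+)")
# Silent Runners' trailing annotation: [null data], [file not found], [MS], ["Vendor"]
TAG_RE = re.compile(r"\[([^\]]+)\]\s*$")
QUOTED_RE = re.compile(r'"([^"]+)"')
SUSPECT_TAGS = {"null data", "file not found"}   # no version info / missing file


def dllcompare_paths(text: str) -> list[str]:
    """Hidden-file paths from a DLLCompare log; empty when it found none."""
    return [m.group("path") for line in text.splitlines()
            if (m := DLLCOMPARE_RE.match(line.strip()))]


@dataclass(frozen=True)
class Entry:
    section: str   # registry key or heading the line was listed under
    path: str      # file the entry points at
    tag: str       # bracketed annotation, e.g. "null data"
    warned: bool   # line carried Silent Runners' own "INFECTION WARNING!"

    @property
    def suspicious(self) -> bool:
        return self.warned or self.tag in SUSPECT_TAGS


def parse_silent_runners(text: str) -> list[Entry]:
    """One Entry per Silent Runners line that ends in a bracketed annotation."""
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        is_key = line.startswith(("HKLM\\", "HKCU\\"))
        if is_key or (line.endswith(":") and '"' not in line):
            section = line.replace(" {++}", "")      # {++} marks a default key
            continue
        tag = TAG_RE.search(line)
        if not tag:
            continue
        quoted = QUOTED_RE.findall(line[:tag.start()])
        if not quoted:
            continue
        # The file is the last quoted string with an extension; value names such
        # as "Narrator" or "Applets\DLLName" come earlier on the line.
        path = next((q for q in reversed(quoted) if "." in q), quoted[-1])
        entries.append(Entry(section, path, tag.group(1),
                             line.startswith("INFECTION WARNING!")))
    return entries


def compare_flags(before: str, after: str) -> dict[str, list[tuple[str, str]]]:
    """Flagged (section, path) pairs removed by, surviving, or new since a cleanup."""
    def keys(text: str) -> set[tuple[str, str]]:
        return {(e.section, e.path.lower())
                for e in parse_silent_runners(text) if e.suspicious}
    b, a = keys(before), keys(after)
    return {"removed": sorted(b - a), "persisting": sorted(a & b), "new": sorted(a - b)}


# Constructed samples, trimmed from the logs posted in this thread.
DLLCOMPARE_BEFORE = r"""
Files Found that Windows does not See or cannot Access
________________________________________________
C:\WINNTOLD\SYSTEM32\o048la~1.dll Wed Dec 29 2004 2:10:48p ..S.R 222,920 217.70 K
C:\WINNTOLD\SYSTEM32\uyimdmat.dll Wed Dec 29 2004 10:22:16p ..S.R 225,348 220.07 K
________________________________________________
1,026 items found: 1,026 files (34 H/S), 0 directories.
"""
DLLCOMPARE_AFTER = 'O^E says: "There were no files found"\n'
SR_BEFORE = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSConfig" = "C:\WINNTOLD\msconfig.exe /auto" [MS]
"Narrator" = "C:\WINNTOLD\system32\viyrrv.exe" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{813790D8-68CD-4318-9F5C-1847AD1AB483}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\CFMCAT.DLL" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Applets\DLLName" = "C:\WINNTOLD\system32\ir44l5hq1.dll" [null data]
'''
SR_AFTER = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Narrator" = "C:\WINNTOLD\system32\viyrrv.exe" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Applets\DLLName" = "C:\WINNTOLD\system32\fpjm0311e.dll" [file not found]
INFECTION WARNING! "Shell Extensions\DLLName" = "C:\WINNTOLD\system32\guard.tmp" [file not found]
'''
```

Run `compare_flags(SR_BEFORE, SR_AFTER)` on the two logs: the Winlogon\Notify DLL and CFMCAT.DLL are gone, viyrrv.exe and guard.tmp persist, and two new Notify entries appear, which is the "still there?" picture the second log shows.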
Join Date: Nov 2004
Posts: 70
"Silent Runners.vbs", revision 28, launched at: 04:16
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows 2000
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0" ["Webroot Software, Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSConfig" = "C:\WINNTOLD\msconfig.exe /auto" [MS]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"TrojanScanner" = "C:\Program Files\Trojan Remover\Trjscan.exe" ["Simply Super Software"]
"Narrator" = "C:\WINNTOLD\system32\viyrrv.exe" [null data]
HKLM\Software\Microsoft\Active Setup\Installed Components\
"9c5f97f3-d620-4ecb-88f2-d6772da2e0df\(Default)" = ""
\StubPath = "C:\WINNTOLD\system32\lzpwwl.exe" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\System32\hticons.dll" ["Hilgraeve, Inc."]
"{813790D8-68CD-4318-9F5C-1847AD1AB483}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [null data]
"{FA050674-5655-4D8C-A785-EA25A159DEDB}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\su3res.dll" [null data]
"{F82121F6-B27E-4B55-BF51-41C1B5B3F8EF}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [null data]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
-> CLSID InProcServer32 resolves to: "c:\Program Files\interMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
"{1BDD258C-7D21-48F0-A4B6-A0AC476250F7}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\pjrfos.dll" [null data]
"{9159CE34-BF49-40D8-AA6D-E116642E9D8C}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Applets\DLLName" = "C:\WINNTOLD\system32\fpjm0311e.dll" [file not found]
INFECTION WARNING! "Shell Extensions\DLLName" = "C:\WINNTOLD\system32\guard.tmp" [file not found]
Enabled Scheduled Tasks:
------------------------
"avg" -> launches: "C:\Documents and Settings\JBaker\Desktop\avg.doc" [file not found]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer - Thom" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users.WINNTOLD\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found"
________________________________________________
1,031 items found: 1,031 files, 0 directories.
Total of file sizes: 179,487,525 bytes 171.17 M
Administrator Account = True
--------------------End log---------------------
Looks like we are making progress, but according to that Silent Runners log it looks like a lot of these buggers are still there? Should I try a normal kill with the killbox?
Join Date: Feb 2004
Location: Oztralya
Posts: 7,712
Reputation:
Rep Power: 22
Solved Threads: 420
Do you think I also should have removed C:\WINNTOLD\system32\ir44l5hq1.dll and when you said C:\WINDOWS\system32\guard.temp did you mean C:\WINNTOLD\system32\guard.tmp ?
No. The dll file will be had later. The second one was a typo error on my part.
Run killbox and select the Delete on reboot option.
In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:
C:\WINNTOLD\system32\viyrrv.exe
C:\WINNTOLD\system32\lzpwwl.exe
C:\WINNTOLD\system32\guard.tmp
C:\WINNTOLD\system32\su3res.dll
C:\WINNTOLD\system32\pjrfos.dll
Reboot only after the last entry.
Post another dllcompare log and a silent runners log please.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.
Join Date: Nov 2004
Posts: 70
Reputation:
Rep Power: 4
Solved Threads: 0
OK, I booted into safe boot and tried to remove these files with killbox:
C:\WINNTOLD\System32\Guard.tmp
C:\WINNTOLD\system32\viyrrv.exe
C:\WINNTOLD\system32\lzpwwl.exe
C:\WINNTOLD\system32\su3res.dll
C:\WINNTOLD\system32\pjrfos.dll
I also ran Ad-Aware's VX2 add-on removal tool, but it never seems to finish running; it just stalls at Status: System Clean, as it does when booted normally.
I also removed all files from all temp folders again.
Going to post a new Hijack log, Silent Runner, and Finddll to see where we stand now.
Scratch all that, I just saw your reply. Doing what you said now.
Join Date: Nov 2004
Posts: 70
Reputation:
Rep Power: 4
Solved Threads: 0
Logfile of HijackThis v1.99.0
Scan saved at 6:11:01 AM, on 12/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNTOLD\System32\smss.exe
C:\WINNTOLD\system32\winlogon.exe
C:\WINNTOLD\system32\services.exe
C:\WINNTOLD\system32\lsass.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\system32\spoolsv.exe
C:\WINNTOLD\System32\svchost.exe
C:\WINNTOLD\system32\regsvc.exe
C:\WINNTOLD\system32\MSTask.exe
C:\WINNTOLD\System32\WBEM\WinMgmt.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\Explorer.EXE
C:\Documents and Settings\All Users.WINNTOLD\Start Menu\Programs\Startup\kuyttk.exe
C:\WINNTOLD\system32\wuauclt.exe
C:\WINNTOLD\system32\NOTEPAD.EXE
C:\Documents and Settings\Thom\Desktop\DllCompare.exe
C:\Documents and Settings\Thom\Desktop\Hijack backup\HijackThis.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: NICSer_WPC11 - Unknown - C:\Program Files\Linksys\Wireless-B Notebook Adapter\NICServ.exe
"Silent Runners.vbs", revision 28, launched at: 06:05
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows 2000
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0" ["Webroot Software, Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"TrojanScanner" = "C:\Program Files\Trojan Remover\Trjscan.exe" ["Simply Super Software"]
"Narrator" = "C:\WINNTOLD\system32\viyrrv.exe" [null data]
HKLM\Software\Microsoft\Active Setup\Installed Components\
"9c5f97f3-d620-4ecb-88f2-d6772da2e0df\(Default)" = ""
\StubPath = "C:\WINNTOLD\system32\lzpwwl.exe" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\System32\hticons.dll" ["Hilgraeve, Inc."]
"{813790D8-68CD-4318-9F5C-1847AD1AB483}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
"{FA050674-5655-4D8C-A785-EA25A159DEDB}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\su3res.dll" [file not found]
"{F82121F6-B27E-4B55-BF51-41C1B5B3F8EF}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
-> CLSID InProcServer32 resolves to: "c:\Program Files\interMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
"{1BDD258C-7D21-48F0-A4B6-A0AC476250F7}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\pjrfos.dll" [file not found]
"{9159CE34-BF49-40D8-AA6D-E116642E9D8C}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Applets\DLLName" = "C:\WINNTOLD\system32\fpjm0311e.dll" [file not found]
INFECTION WARNING! "Shell Extensions\DLLName" = "C:\WINNTOLD\system32\guard.tmp" [file not found]
Enabled Scheduled Tasks:
------------------------
"avg" -> launches: "C:\Documents and Settings\JBaker\Desktop\avg.doc" [file not found]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer - Thom" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users.WINNTOLD\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINNTOLD\SYSTEM32\j0n2la~1.dll Thu Dec 30 2004 4:04:50a ..S.R 225,348 220.07 K
________________________________________________
1,030 items found: 1,030 files (1 H/S), 0 directories.
Total of file sizes: 179,712,761 bytes 171.39 M
Administrator Account = True
--------------------End log---------------------
OK, things are definitely running smoother for me and I think we may almost be there... I hope.... I cannot thank you enough. So what do you think is next?
Oh, and by the way, every time I boot the computer Trojan Remover finds the viyrrv.exe file and says it loads on startup in the registry, and says it's an Adaware Qool.Aid trojan.
It seems it's coming down to C:\WINNTOLD\system32\lzpwwl.exe and C:\WINNTOLD\system32\viyrrv.exe which don't seem to want to go away.... Is there something I have to edit/delete in my registry to clean these pups up?
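A triage script for the Silent Runners output posted above, added here as an example (it is not code from this thread or from the Silent Runners script): it keeps track of which registry key the log is reporting and flags every launch point whose target is marked [null data] or [file not found], so each file is paired with the registry value that launches it rather than listed on its own. The excerpt it parses is constructed from lines in this thread; the severity labels are an assumption of this example.

```python
"""Triage a Silent Runners-style startup log (added example, see lead-in)."""
import re
from dataclasses import dataclass

# Constructed excerpt of the Silent Runners output posted in this thread.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"Narrator" = "C:\WINNTOLD\system32\viyrrv.exe" [null data]
HKLM\Software\Microsoft\Active Setup\Installed Components\
"9c5f97f3-d620-4ecb-88f2-d6772da2e0df\(Default)" = ""
\StubPath = "C:\WINNTOLD\system32\lzpwwl.exe" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{813790D8-68CD-4318-9F5C-1847AD1AB483}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Shell Extensions\DLLName" = "C:\WINNTOLD\system32\guard.tmp" [file not found]
"""

# A registry location header, optionally followed by the "{++}" marker.
KEY_RE = re.compile(r"^(HK(?:LM|CU|CR|U)\\.*?)\s*(?:\{\+\+\})?\s*$")
# A value line: [INFECTION WARNING!] "name" = "target" [verdict]
ENTRY_RE = re.compile(
    r'^(?P<warn>INFECTION WARNING!\s*)?"?(?P<name>[^"=]+?)"?\s*=\s*'
    r'"(?P<target>.*)"(?:\s*\[(?P<tag>[^\]]*)\])?\s*$'
)
# The line Silent Runners emits under a CLSID to show which DLL it loads.
CLSID_RE = re.compile(
    r'^->\s*CLSID InProcServer32 resolves to:\s*"(?P<target>.*)"\s*\[(?P<tag>[^\]]*)\]\s*$'
)
# Severity assumed by this example: a file that exists but carries no version
# resource is the stronger signal; a dangling reference still needs cleaning.
SUSPECT_TAGS = {"null data": "high", "file not found": "medium"}


@dataclass(frozen=True)
class Finding:
    key: str       # registry location the launch point lives under
    name: str      # value name (or CLSID) inside that key
    target: str    # file the entry points at
    tag: str       # Silent Runners' verdict on that file
    severity: str


def triage(log_text: str) -> list:
    """Return every launch point whose target Silent Runners could not vouch for."""
    findings = []
    key = name = "<unknown>"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group(1)          # every following value belongs to this key
        elif m := CLSID_RE.match(line):
            tag = m.group("tag")      # name is the CLSID seen on the previous line
            if tag in SUSPECT_TAGS:
                findings.append(Finding(key, name, m.group("target"), tag, SUSPECT_TAGS[tag]))
        elif m := ENTRY_RE.match(line):
            name, tag = m.group("name"), m.group("tag")
            if tag in SUSPECT_TAGS:
                # Silent Runners' own INFECTION WARNING outranks the tag-based guess.
                severity = "high" if m.group("warn") else SUSPECT_TAGS[tag]
                findings.append(Finding(key, name, m.group("target"), tag, severity))
    return findings


def suspect_files(findings: list) -> list:
    """Unique file paths referenced by the flagged launch points, for cross-checking."""
    return sorted({f.target for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.key}{f.name} -> {f.target} [{f.tag}]")
```

The WinZip handler passes because its DLL resolves with a real company string; the Display Panning entry is flagged at medium only because its DLL is missing, which is worth verifying rather than deleting blindly.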
Join Date: Feb 2004
Location: Oztralya
Posts: 7,712
Reputation:
Rep Power: 22
Solved Threads: 420
Stay offline when doing the following fix.
Open killbox and paste in C:\WINNTOLD\SYSTEM32\j0n2la~1.dll
With the full path to the file name in the topmost textbox, click the option *replace on reboot* and *Use Dummy* which will create a numbered dummy file instantly for you.
Click the Red X, and for the confirmation message that will appear, you will need to click Yes.
A second message will ask "Reboot now?"; you will need to click No (since you are not finished adding all related files in yet).
Repeat the above for each of these:
C:\WINNTOLD\System32\Guard.tmp
On that last file, close all programs and Reboot your computer.
Post another log from dllcompare please.
Go here and download Find_qoologic.zip by baskar1234. Unzip the folder and go to the new qoologic folder and doubleclick on qoologic.bat to run it. It will take a few minutes to scan your drive so be patient. When it has finished, open My Computer, doubleclick on C: and copy and paste the contents of the below logs in this thread.
C:\log.txt
C:\win.txt
C:\start.txt
Please do not attempt any other repairs. Also, do not reboot or switch off your PC unless I request it. I want to fix the VX2 infection first, then we can get on with what appears to be the qoologic trojan.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster
Please do not PM me for help. Instead, post in the public forum where others may benefit.