0
    * DLLCompare Log version(1.0.0.127)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    C:\WINNTOLD\SYSTEM32\o048la~1.dll Wed Dec 29 2004 2:10:48p ..S.R 222,920 217.70 K
    C:\WINNTOLD\SYSTEM32\uyimdmat.dll Wed Dec 29 2004 10:22:16p ..S.R 225,348 220.07 K
    C:\WINNTOLD\SYSTEM32\irlsl5~1.dll Wed Dec 15 2004 7:36:10p ..S.R 223,745 218.50 K
    C:\WINNTOLD\SYSTEM32\jtjm07~1.dll Wed Dec 22 2004 9:32:06a ..S.R 225,980 220.68 K
    C:\WINNTOLD\SYSTEM32\j8j60i~1.dll Mon Dec 20 2004 5:05:10p ..S.R 225,980 220.68 K
    C:\WINNTOLD\SYSTEM32\hr8405~1.dll Wed Dec 22 2004 10:07:34a ..S.R 222,450 217.23 K
    C:\WINNTOLD\SYSTEM32\ir2sl5~1.dll Thu Dec 23 2004 6:05:54p ..S.R 226,008 220.71 K
    C:\WINNTOLD\SYSTEM32\r6r60g~1.dll Tue Dec 28 2004 4:09:02p ..S.R 224,283 219.02 K
    C:\WINNTOLD\SYSTEM32\n44s0e~1.dll Wed Dec 29 2004 2:28:18p ..S.R 225,103 219.82 K
    C:\WINNTOLD\SYSTEM32\j0j6la~1.dll Wed Dec 22 2004 9:41:58a ..S.R 225,980 220.68 K
    C:\WINNTOLD\SYSTEM32\ir6ql5~1.dll Tue Dec 28 2004 4:41:16p ..S.R 224,701 219.43 K
    C:\WINNTOLD\SYSTEM32\lvpq09~1.dll Tue Dec 28 2004 6:36:14p ..S.R 225,600 220.31 K
    C:\WINNTOLD\SYSTEM32\c2000c~1.dll Wed Dec 22 2004 10:29:36a ..S.R 225,982 220.68 K
    C:\WINNTOLD\SYSTEM32\k4jsle~1.dll Tue Dec 14 2004 9:36:48p ..S.R 223,745 218.50 K
    C:\WINNTOLD\SYSTEM32\l4n4le~1.dll Tue Dec 14 2004 5:31:56p ..S.R 224,826 219.55 K
    C:\WINNTOLD\SYSTEM32\fp2m03~1.dll Tue Dec 28 2004 7:22:46p ..S.R 225,035 219.76 K
    C:\WINNTOLD\SYSTEM32\jtno07~1.dll Thu Dec 9 2004 8:10:58p ..S.R 223,589 218.35 K
    C:\WINNTOLD\SYSTEM32\m0jula~1.dll Fri Dec 17 2004 5:45:14p ..S.R 225,655 220.36 K
    C:\WINNTOLD\SYSTEM32\ir44l5~1.dll Wed Dec 29 2004 4:21:28p ..S.R 225,348 220.07 K
    C:\WINNTOLD\SYSTEM32\irr8l5~1.dll Wed Dec 15 2004 6:29:18p ..S.R 223,745 218.50 K
    C:\WINNTOLD\SYSTEM32\j4p0le~1.dll Wed Dec 15 2004 7:51:26a ..S.R 223,745 218.50 K
    C:\WINNTOLD\SYSTEM32\dn6001~1.dll Mon Dec 20 2004 11:04:44a ..S.R 225,414 220.13 K
    C:\WINNTOLD\SYSTEM32\jt6m07~1.dll Sat Dec 18 2004 7:42:42p ..S.R 224,295 219.04 K
    C:\WINNTOLD\SYSTEM32\enrul1~1.dll Wed Dec 29 2004 10:06:54p ..S.R 223,203 217.97 K
    C:\WINNTOLD\SYSTEM32\p46s0e~1.dll Tue Dec 28 2004 6:49:04p ..S.R 225,676 220.39 K
    C:\WINNTOLD\SYSTEM32\k826li~1.dll Mon Dec 20 2004 12:38:14p ..S.R 223,022 217.79 K
    C:\WINNTOLD\SYSTEM32\lvr209~1.dll Mon Dec 20 2004 1:07:14p ..S.R 226,279 220.97 K
    C:\WINNTOLD\SYSTEM32\en88l1~1.dll Thu Dec 23 2004 8:47:22a ..S.R 225,980 220.68 K
    C:\WINNTOLD\SYSTEM32\f6l02g~1.dll Tue Dec 28 2004 7:03:28p ..S.R 223,226 217.99 K
    C:\WINNTOLD\SYSTEM32\l4r0le~1.dll Tue Dec 28 2004 7:36:08p ..S.R 226,006 220.71 K
    C:\WINNTOLD\SYSTEM32\r48s0e~1.dll Wed Dec 29 2004 3:34:08p ..S.R 225,143 219.86 K
    C:\WINNTOLD\SYSTEM32\m8ls0i~1.dll Wed Dec 29 2004 9:49:46p ..S.R 226,086 220.79 K
    C:\WINNTOLD\SYSTEM32\o0pqla~1.dll Wed Dec 29 2004 9:58:06p ..S.R 222,993 217.77 K
    C:\WINNTOLD\SYSTEM32\m082la~1.dll Wed Dec 29 2004 10:22:14p ..S.R 222,848 217.63 K
    ________________________________________________

    1,026 items found: 1,026 files (34 H/S), 0 directories.
    Total of file sizes: 187,348,969 bytes 178.67 M

    Administrator Account = True

    --------------------End log---------------------

    Log for VX2.BetterInternet File Finder

    Files Found---

    Guardian Key--- is called:

    User Agent String---
    {2BE5D559-30E5-41F7-8335-5D07419E1634}

    "Silent Runners.vbs", revision 28, launched at: 22:17
    Output limited to non-default values, except where indicated by "{++}"
    Operating System: Windows 2000

    Startup items buried in registry:

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0" ["Webroot Software, Inc."]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "MSConfig" = "C:\WINNTOLD\msconfig.exe /auto" [MS]
    "Synchronization Manager" = "mobsync.exe /logon" [MS]
    "TrojanScanner" = "C:\Program Files\Trojan Remover\Trjscan.exe" ["Simply Super Software"]
    "Narrator" = "C:\WINNTOLD\system32\viyrrv.exe" [null data]

    HKLM\Software\Microsoft\Active Setup\Installed Components\
    "9c5f97f3-d620-4ecb-88f2-d6772da2e0df\(Default)" = ""
    \StubPath = "C:\WINNTOLD\system32\lzpwwl.exe" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> CLSID InProcServer32 resolves to: "C:\WINNTOLD\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{813790D8-68CD-4318-9F5C-1847AD1AB483}" = ""
    -> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
    "{FA050674-5655-4D8C-A785-EA25A159DEDB}" = ""
    -> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\su3res.dll" [null data]
    "{F82121F6-B27E-4B55-BF51-41C1B5B3F8EF}" = ""
    -> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
    "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
    -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
    "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
    -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
    -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
    -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
    -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
    -> CLSID InProcServer32 resolves to: "c:\Program Files\interMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
    "{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
    -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
    "{1BDD258C-7D21-48F0-A4B6-A0AC476250F7}" = ""
    -> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\pjrfos.dll" [null data]
    "{9159CE34-BF49-40D8-AA6D-E116642E9D8C}" = ""
    -> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\CFMCAT.DLL" [null data]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    INFECTION WARNING! "Applets\DLLName" = "C:\WINNTOLD\system32\ir44l5hq1.dll" [null data]

    Enabled Scheduled Tasks:

    "avg" -> launches: "C:\Documents and Settings\JBaker\Desktop\avg.doc" [file not found]
    "Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
    "Norton AntiVirus - Scan my computer - Thom" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users.WINNTOLD\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]

    Running Services (Display Name, Service Name, Path {Service DLL}):

    ----------
    This report excludes default entries except where indicated.
    To see everywhere the script checks and everything it finds,
    launch it from a command prompt or a shortcut with the -all parameter.

    ----------

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
    6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
    6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
    6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
    "Asynchronous"=dword:00000000
    "DllName"="C:\WINNTOLD\system32\ir44l5hq1.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
    "DLLName"="wzcdlg.dll"
    "Logon"="WZCEventLogon"
    "Logoff"="WZCEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000000

Here it is... Thanks again

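The Winlogon\Notify export above shows the persistence point Silent Runners flagged: every stock notification package names a bare DLL (crypt32.dll, cscdll.dll, WlNotify.dll and so on) that Winlogon resolves from system32, while ShellScrap points at a full path to a randomly named DLL. As an added example (not part of the thread or of any tool it mentions), this Python script parses a Registry Editor 5.00 export like the one posted, decodes the hex(2) REG_EXPAND_SZ values, and flags notify packages that are missing from a baseline or that load by absolute path. The Windows 2000 baseline and the trimmed sample export are constructed for the example; a real export doubles backslashes inside quoted strings, which the forum copy above has collapsed.

```python
"""Triage a Winlogon\\Notify .reg export for suspicious notification packages.
Added example, not from the thread or any tool it mentions. Winlogon loads every
DLL registered here into winlogon.exe, so an unknown package is a persistence point."""
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed baseline (an assumption for this example): notify packages a stock
# Windows 2000 install registers, each loading a bare DLL name from system32.
BASELINE = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sclgntfy": "sclgntfy.dll",
    "SensLogn": "WlNotify.dll",
    "wzcnotif": "wzcdlg.dll",
}

# Constructed sample, trimmed from the export posted above. A real .reg file
# doubles backslashes inside quoted strings; the forum copy shows them collapsed.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNTOLD\\system32\\ir44l5hq1.dll"
"Logon"="WinLogon"
"""


def decode_hex_value(kind, payload):
    """Decode a .reg hex(N): payload. hex(1)/hex(2)/hex(7) are UTF-16LE strings
    (REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ); any other type is returned as hex."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    if kind in ("1", "2", "7"):
        return raw.decode("utf-16-le").rstrip("\x00")
    return raw.hex()


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a Registry Editor 5.00 export."""
    # A trailing backslash continues a hex value on the next line; join those first.
    joined = re.sub(r",\\[ \t]*\r?\n[ \t]*", ",", text)
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"((?:[^"\\]|\\.)+)"=(.*)', line)
        if m is None or current is None:
            continue
        name, val = m.group(1), m.group(2)
        if val.startswith('"') and val.endswith('"'):
            # Quoted string: undo the \\ and \" escapes regedit writes.
            keys[current][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif val.startswith("dword:"):
            keys[current][name] = int(val[len("dword:"):], 16)
        else:
            hm = re.match(r"hex(?:\((\w+)\))?:(.*)", val)
            if hm:
                keys[current][name] = decode_hex_value(hm.group(1) or "3", hm.group(2))
    return keys


def triage_notify(keys):
    """Flag notify packages whose DllName is unexpected. Returns (package, dll, reason)."""
    prefix = NOTIFY_KEY.lower() + "\\"
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        package = path[len(prefix):]
        # Registry value names are case-insensitive (the export mixes DllName/DLLName).
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            continue
        reasons = []
        expected = BASELINE.get(package)
        if expected is None:
            reasons.append("package not in baseline")
        elif dll.lower() != expected.lower():
            reasons.append(f"DllName differs from baseline ({expected})")
        if "\\" in dll or "/" in dll:
            reasons.append("loads by absolute path rather than a bare system32 DLL name")
        if reasons:
            findings.append((package, dll, "; ".join(reasons)))
    return findings
```

Running `triage_notify(parse_reg_export(SAMPLE_EXPORT))` yields a single finding, for ShellScrap, while the stock packages pass both checks.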

0

Stay offline when doing the following fix.

Open killbox and paste in C:\WINNTOLD\SYSTEM32\o048la~1.dll

With the full path to the file name in the topmost textbox, click the option *replace on reboot* and *Use Dummy*, which will create a numbered dummy file instantly for you.

Click the Red X, and for the confirmation message that will appear, you will need to click Yes.
A second message will ask "Reboot now?"; you will need to click No (since you are not finished adding all related files yet).

Repeat the above for each of these:

C:\WINNTOLD\SYSTEM32\uyimdmat.dll
C:\WINNTOLD\SYSTEM32\irlsl5~1.dll
C:\WINNTOLD\SYSTEM32\jtjm07~1.dll
C:\WINNTOLD\SYSTEM32\j8j60i~1.dll
C:\WINNTOLD\SYSTEM32\hr8405~1.dll
C:\WINNTOLD\SYSTEM32\ir2sl5~1.dll
C:\WINNTOLD\SYSTEM32\r6r60g~1.dll
C:\WINNTOLD\SYSTEM32\n44s0e~1.dll
C:\WINNTOLD\SYSTEM32\j0j6la~1.dll
C:\WINNTOLD\SYSTEM32\ir6ql5~1.dll
C:\WINNTOLD\SYSTEM32\lvpq09~1.dll
C:\WINNTOLD\SYSTEM32\c2000c~1.dll
C:\WINNTOLD\SYSTEM32\k4jsle~1.dll
C:\WINNTOLD\SYSTEM32\l4n4le~1.dll
C:\WINNTOLD\SYSTEM32\fp2m03~1.dll
C:\WINNTOLD\SYSTEM32\jtno07~1.dll
C:\WINNTOLD\SYSTEM32\m0jula~1.dll
C:\WINNTOLD\SYSTEM32\ir44l5~1.dll
C:\WINNTOLD\SYSTEM32\irr8l5~1.dll
C:\WINNTOLD\SYSTEM32\j4p0le~1.dll
C:\WINNTOLD\SYSTEM32\dn6001~1.dll
C:\WINNTOLD\SYSTEM32\jt6m07~1.dll
C:\WINNTOLD\SYSTEM32\enrul1~1.dll
C:\WINNTOLD\SYSTEM32\p46s0e~1.dll
C:\WINNTOLD\SYSTEM32\k826li~1.dll
C:\WINNTOLD\SYSTEM32\lvr209~1.dll
C:\WINNTOLD\SYSTEM32\en88l1~1.dll
C:\WINNTOLD\SYSTEM32\f6l02g~1.dll
C:\WINNTOLD\SYSTEM32\l4r0le~1.dll
C:\WINNTOLD\SYSTEM32\r48s0e~1.dll
C:\WINNTOLD\SYSTEM32\m8ls0i~1.dll
C:\WINNTOLD\SYSTEM32\o0pqla~1.dll
C:\WINNTOLD\SYSTEM32\m082la~1.dll
C:\Windows\System32\Guard.tmp
C:\WINNTOLD\system32\viyrrv.exe
C:\WINNTOLD\system32\lzpwwl.exe
C:\WINNTOLD\system32\su3res.dll
C:\WINNTOLD\system32\pjrfos.dll
C:\WINNTOLD\system32\CFMCAT.DLL

On that last file, double-check to make certain you have them all entered, close all programs and reboot your computer.

Post another log from dllcompare please. Post another silent runners log too, please.

0

When you say on the last file double-check to make certain you have them all, how can I tell that they are all entered? Also, was I supposed to click Use Dummy for every one of them? (I did.) I am rebooting now and will post another log. While in Killbox and killing the last entry, when I hit restart I got a message that said "Pendingfilerenameoperations Registry Data has been removed by external process".

0

Do you think I also should have removed C:\WINNTOLD\system32\ir44l5hq1.dll, and when you said C:\WINDOWS\system32\guard.temp did you mean C:\WINNTOLD\system32\guard.tmp?

0

"Silent Runners.vbs", revision 28, launched at: 04:16
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows 2000

Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0" ["Webroot Software, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSConfig" = "C:\WINNTOLD\msconfig.exe /auto" [MS]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"TrojanScanner" = "C:\Program Files\Trojan Remover\Trjscan.exe" ["Simply Super Software"]
"Narrator" = "C:\WINNTOLD\system32\viyrrv.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
"9c5f97f3-d620-4ecb-88f2-d6772da2e0df\(Default)" = ""
                                     \StubPath   = "C:\WINNTOLD\system32\lzpwwl.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> CLSID InProcServer32 resolves to: "C:\WINNTOLD\System32\hticons.dll" ["Hilgraeve, Inc."]
"{813790D8-68CD-4318-9F5C-1847AD1AB483}" = ""
  -> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [null data]
"{FA050674-5655-4D8C-A785-EA25A159DEDB}" = ""
  -> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\su3res.dll" [null data]
"{F82121F6-B27E-4B55-BF51-41C1B5B3F8EF}" = ""
  -> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [null data]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
  -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
  -> CLSID InProcServer32 resolves to: "c:\Program Files\interMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
  -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
"{1BDD258C-7D21-48F0-A4B6-A0AC476250F7}" = ""
  -> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\pjrfos.dll" [null data]
"{9159CE34-BF49-40D8-AA6D-E116642E9D8C}" = ""
  -> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Applets\DLLName" = "C:\WINNTOLD\system32\fpjm0311e.dll" [file not found]
INFECTION WARNING! "Shell Extensions\DLLName" = "C:\WINNTOLD\system32\guard.tmp" [file not found]


Enabled Scheduled Tasks:
------------------------

"avg" -> launches: "C:\Documents and Settings\JBaker\Desktop\avg.doc" [file not found]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer - Thom" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users.WINNTOLD\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------



----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1,031 items found:  1,031 files, 0 directories.
Total of file sizes:  179,487,525 bytes    171.17 M

Administrator Account =  True

--------------------End log---------------------

Looks like we are making progress, but according to that Silent Runners log it looks like a lot of these buggers are still there? Should I try a normal kill with the killbox?


0

When I tried to remove C:\WINNTOLD\system32\Guard.tmp with a normal boot it would not allow it to be deleted. Should I try to remove these things that came back in Silent Runners in safe boot?

0

Do you think I also should have removed C:\WINNTOLD\system32\ir44l5hq1.dll, and when you said C:\WINDOWS\system32\guard.temp did you mean C:\WINNTOLD\system32\guard.tmp?

No. The dll file will be had later. The second one was a typo error on my part :(.

Run killbox and select the Delete on reboot option.

In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:

C:\WINNTOLD\system32\viyrrv.exe
C:\WINNTOLD\system32\lzpwwl.exe
C:\WINNTOLD\system32\guard.tmp
C:\WINNTOLD\system32\su3res.dll
C:\WINNTOLD\system32\pjrfos.dll

Reboot only after the last entry.

Post another dllcompare log and a silent runners log please.

0

OK, I booted into safe boot and tried to remove these files with killbox:

C:\WINNTOLD\System32\Guard.tmp
C:\WINNTOLD\system32\viyrrv.exe
C:\WINNTOLD\system32\lzpwwl.exe
C:\WINNTOLD\system32\su3res.dll
C:\WINNTOLD\system32\pjrfos.dll

I also ran Ad-Aware's VX2 add-on removal tool, but it never seems to finish running; it just stalls at "Status: System Clean", as it does when booted normally.

I also removed all files from all temp folders again.

Going to post a new Hijack log, Silent Runner, and Finddll to see where we stand now.

Scratch all that, I just saw your reply. Doing what you said now.

0

Logfile of HijackThis v1.99.0
Scan saved at 6:11:01 AM, on 12/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNTOLD\System32\smss.exe
C:\WINNTOLD\system32\winlogon.exe
C:\WINNTOLD\system32\services.exe
C:\WINNTOLD\system32\lsass.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\system32\spoolsv.exe
C:\WINNTOLD\System32\svchost.exe
C:\WINNTOLD\system32\regsvc.exe
C:\WINNTOLD\system32\MSTask.exe
C:\WINNTOLD\System32\WBEM\WinMgmt.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\Explorer.EXE
C:\Documents and Settings\All Users.WINNTOLD\Start Menu\Programs\Startup\kuyttk.exe
C:\WINNTOLD\system32\wuauclt.exe
C:\WINNTOLD\system32\NOTEPAD.EXE
C:\Documents and Settings\Thom\Desktop\DllCompare.exe
C:\Documents and Settings\Thom\Desktop\Hijack backup\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: NICSer_WPC11 - Unknown - C:\Program Files\Linksys\Wireless-B Notebook Adapter\NICServ.exe


"Silent Runners.vbs", revision 28, launched at: 06:05
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows 2000


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0" ["Webroot Software, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"TrojanScanner" = "C:\Program Files\Trojan Remover\Trjscan.exe" ["Simply Super Software"]
"Narrator" = "C:\WINNTOLD\system32\viyrrv.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
"9c5f97f3-d620-4ecb-88f2-d6772da2e0df\(Default)" = ""
                                     \StubPath   = "C:\WINNTOLD\system32\lzpwwl.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> CLSID InProcServer32 resolves to: "C:\WINNTOLD\System32\hticons.dll" ["Hilgraeve, Inc."]
"{813790D8-68CD-4318-9F5C-1847AD1AB483}" = ""
  -> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
"{FA050674-5655-4D8C-A785-EA25A159DEDB}" = ""
  -> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\su3res.dll" [file not found]
"{F82121F6-B27E-4B55-BF51-41C1B5B3F8EF}" = ""
  -> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
  -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
  -> CLSID InProcServer32 resolves to: "c:\Program Files\interMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
  -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
"{1BDD258C-7D21-48F0-A4B6-A0AC476250F7}" = ""
  -> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\pjrfos.dll" [file not found]
"{9159CE34-BF49-40D8-AA6D-E116642E9D8C}" = ""
  -> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Applets\DLLName" = "C:\WINNTOLD\system32\fpjm0311e.dll" [file not found]
INFECTION WARNING! "Shell Extensions\DLLName" = "C:\WINNTOLD\system32\guard.tmp" [file not found]


Enabled Scheduled Tasks:
------------------------

"avg" -> launches: "C:\Documents and Settings\JBaker\Desktop\avg.doc" [file not found]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer - Thom" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users.WINNTOLD\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------



----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNTOLD\SYSTEM32\j0n2la~1.dll   Thu Dec 30 2004   4:04:50a  ..S.R        225,348   220.07 K
________________________________________________

1,030 items found:  1,030 files (1 H/S), 0 directories.
Total of file sizes:  179,712,761 bytes    171.39 M

Administrator Account =  True

--------------------End log---------------------

OK, things are definitely running smoother for me and I think we may almost be there... I hope.... I cannot thank you enough. So what do you think is next?

Oh, and by the way, every time I boot the computer Trojan Remover finds the viyrrv.exe file, says it loads on startup in the registry, and says it's an Adaware Qool.Aid trojan.

It seems it's coming down to C:\WINNTOLD\system32\lzpwwl.exe and C:\WINNTOLD\system32\viyrrv.exe, which don't seem to want to go away.... Is there something I have to edit/delete in my registry to clean these pups up?


0

Stay offline when doing the following fix.

Open killbox and paste in C:\WINNTOLD\SYSTEM32\j0n2la~1.dll

With the full path to the file name in the topmost textbox, click the option *replace on reboot* and *Use Dummy*, which will create a numbered dummy file instantly for you.

Click the Red X, and for the confirmation message that will appear, you will need to click Yes.
A second message will ask "Reboot now?"; you will need to click No (since you are not finished adding all related files yet).

Repeat the above for each of these:

C:\WINNTOLD\System32\Guard.tmp

On that last file, close all programs and Reboot your computer.

Post another log from dllcompare please.

Go here and download Find_qoologic.zip by baskar1234. Unzip the folder, go to the new qoologic folder and double-click qoologic.bat to run it. It will take a few minutes to scan your drive, so be patient. When it has finished, open My Computer, double-click on C: and copy and paste the contents of the logs below in this thread.

C:\log.txt
C:\win.txt
C:\start.txt

Please do not attempt any other repairs. Also, do not reboot or switch off your PC unless I request it. I want to fix the VX2 infection first, then we can get on with what appears to be the qoologic trojan.

0

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1,030 items found: 1,030 files, 0 directories.
Total of file sizes: 179,465,749 bytes 171.15 M

Administrator Account = True

--------------------End log---------------------

When I run Qoologic I get "(3) The system cannot find the file specified" followed by "Checking system folder.... Please wait", which never seems to finish, just as Findit did not finish... Whilst it was running I checked the C:\ drive and opened win.txt, and it has

C:\WINNTOLD\system32\lygool.dll
C:\WINNTOLD\system32\iozbbi.dll
C:\WINNTOLD\system32\lzpwwl.ex$ (which I think Trojan remover renamed it .ex$)
C:\WINNTOLD\system32\lzpwwl.exe

These are all followed by updates.qoologic.com

I am going to continue running to see if I can get results from start.txt and log.txt......

0

When I run Qoologic I get "(3) The system cannot find the file specified" followed by "Checking system folder.... Please wait", which never seems to finish, just as Findit did not finish... Whilst it was running I checked the C:\ drive and opened win.txt, and it has:

C:\WINNTOLD\system32\lygool.dll updates.qoologic.com
C:\WINNTOLD\system32\iozbbi.dll updates.qoologic.com
C:\WINNTOLD\system32\lzpwwl.ex$ updates.qoologic.com (which I think Trojan remover renamed it .ex$)
C:\WINNTOLD\system32\lzpwwl.exe updates.qoologic.com
C:\WINNTOLD\system32\viyrre.exe .aspack
C:\WINNTOLD\system32\waqbbw.dat .aspack
C:\WINNTOLD\system32\trjscan.trb .aspack
C:\WINNTOLD\system32\trupd.trb .aspack
C:\WINNTOLD\system32\vyrbv.txt.exe .aspack
C:\WINNTOLD\system32\installer.exe .aspack


I am going to continue running to see if I can get results from start.txt and log.txt.....

0

Something interesting I found in my C:\ drive is a !Submit folder with 6 DLLs and the dreaded viyrrv.exe.

Should I remove this folder?

0

OK, I think I made some more progress, as this time when I ran KillBox I killed the viyrrv.exe process first and also deleted entries in HijackThis, and then rebooted. My logs seem to have come back semi-clean this time. Now I don't know if they are going to come back from browsing the web, but here they are.

Logfile of HijackThis v1.99.0
Scan saved at 5:47:53 PM, on 12/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNTOLD\System32\smss.exe
C:\WINNTOLD\system32\winlogon.exe
C:\WINNTOLD\system32\services.exe
C:\WINNTOLD\system32\lsass.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\system32\spoolsv.exe
C:\WINNTOLD\System32\svchost.exe
C:\WINNTOLD\system32\regsvc.exe
C:\WINNTOLD\system32\MSTask.exe
C:\WINNTOLD\System32\WBEM\WinMgmt.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\Explorer.EXE
C:\WINNTOLD\system32\wuauclt.exe
C:\WINNTOLD\system32\NOTEPAD.EXE
C:\WINNTOLD\system32\NOTEPAD.EXE
C:\WINNTOLD\system32\NOTEPAD.EXE
C:\Documents and Settings\Thom\Desktop\Hijack backup\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: NICSer_WPC11 - Unknown - C:\Program Files\Linksys\Wireless-B Notebook Adapter\NICServ.exe

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1,030 items found: 1,030 files, 0 directories.
Total of file sizes: 179,435,653 bytes 171.12 M

Administrator Account = True

--------------------End log---------------------


Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---
{2BE5D559-30E5-41F7-8335-5D07419E1634}

"Silent Runners.vbs", revision 28, launched at: 17:37
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows 2000


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\System32\hticons.dll" [null data]
"{813790D8-68CD-4318-9F5C-1847AD1AB483}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
"{FA050674-5655-4D8C-A785-EA25A159DEDB}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\su3res.dll" [file not found]
"{F82121F6-B27E-4B55-BF51-41C1B5B3F8EF}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
-> CLSID InProcServer32 resolves to: "c:\Program Files\interMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
"{1BDD258C-7D21-48F0-A4B6-A0AC476250F7}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\pjrfos.dll" [file not found]
"{9159CE34-BF49-40D8-AA6D-E116642E9D8C}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Applets\DLLName" = "C:\WINNTOLD\system32\fpjm0311e.dll" [file not found]
INFECTION WARNING! "Shell Extensions\DLLName" = "C:\WINNTOLD\system32\guard.tmp" [file not found]


Enabled Scheduled Tasks:
------------------------

"avg" -> launches: "C:\Documents and Settings\JBaker\Desktop\avg.doc" [file not found]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer - Thom" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users.WINNTOLD\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

0

I ran housecalls online virus scan and it found these things:

TROJ AGENT.CAC in C:\WINNTOLD\system32\calsp.dll
TROJ NARRATOR.A in C:\WINNTOLD\system32\lzpwwl.exe

It let me delete these two files but we all know that probably doesn't mean much...

I am going to try and kill those two strings with KillBox and see what happens.

Do you think it's time for me to run Adaware and Spybot yet?

Btw... I THINK I am really close to slaying this beast, as the computer is running MUCH faster and I don't think I am getting any more pop-ups, and the icons that used to keep reappearing on the desktop no longer appear. Also I am no longer getting that annoying "winlogon.exe needs to restart" error and the computer rebooting itself.

0

I went ahead and ran Adaware and it only found two items which it successfully got rid of (cookies), and then Spybot S&D came back totally CLEAN!!! The HijackThis log is totally clean, and same with DLLCompare. The only thing that concerns me now is maybe the VX2 finder log:

Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---
{2BE5D559-30E5-41F7-8335-5D07419E1634}

I sincerely appreciate all your help thus far, and Daniweb.com is on the top of the list now for me.

0

Here's the most recent silent runner log

"Silent Runners.vbs", revision 28, launched at: 19:44
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows 2000


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\System32\hticons.dll" [null data]
"{813790D8-68CD-4318-9F5C-1847AD1AB483}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
"{FA050674-5655-4D8C-A785-EA25A159DEDB}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\su3res.dll" [file not found]
"{F82121F6-B27E-4B55-BF51-41C1B5B3F8EF}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
-> CLSID InProcServer32 resolves to: "c:\Program Files\interMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
"{1BDD258C-7D21-48F0-A4B6-A0AC476250F7}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\pjrfos.dll" [file not found]
"{9159CE34-BF49-40D8-AA6D-E116642E9D8C}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Applets\DLLName" = "C:\WINNTOLD\system32\fpjm0311e.dll" [file not found]
INFECTION WARNING! "Shell Extensions\DLLName" = "C:\WINNTOLD\system32\guard.tmp" [file not found]


Enabled Scheduled Tasks:
------------------------

"avg" -> launches: "C:\Documents and Settings\JBaker\Desktop\avg.doc" [file not found]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer - Thom" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users.WINNTOLD\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

0

Now that you have finished :). Can I have a turn?? I cannot 2nd guess what you are about to do, so, if you want to fix it yourself, you are most welcome :). If you need help, you are welcome to that too. It is too difficult (for me at least) to sift through what you have been doing whilst I have been sleeping, then continue on with a fix.
So, you need to decide what to do. I have already twice requested that you do nothing other than what I have asked :).

0

Now that you have finished :). Can I have a turn?? I cannot 2nd guess what you are about to do, so, if you want to fix it yourself, you are most welcome :). If you need help, you are welcome to that too. It is too difficult (for me at least) to sift through what you have been doing whilst I have been sleeping, then continue on with a fix.
So, you need to decide what to do. I have already twice requested that you do nothing other than what I have asked :).

Crunchie, I understand that I was only supposed to do as instructed, but I am under time constraints to get this back to my uncle. I went ahead and searched other threads for similar issues and just followed some instructions from there. I don't think I have done anything bad to make the issue worse, as things seem to be clean now and all the logs are coming up clean. Like I said, Qoologic never finishes, so it never generates a log, which was the same issue with Findit.

If you are no longer willing to help me because I am trying to help someone out under the time constraints I have, can you at least tell me if you think I'm still infected? I apologize for anything I did.

0

Hey, I understand, don't get me wrong. Just look from my side of the fence :). You have to realise that not only do I have all the info you have posted to sift through, but I am probably doing a dozen other logs at the same time, here and at other sites :). I have a real life too and want to get logs cleaned up as fast as I can too.
I am willing to help, but I cannot 2nd guess what you are doing. I do not want to take the time to write up a set of instructions only to find they are no longer valid because the person it was written for has moved the goal posts :).
So, if you are willing to just hold off, I will be able to give you a final clean up procedure :).

Just let me know if you have done anything else :D.

0

Hey, I understand, don't get me wrong. Just look from my side of the fence :). You have to realise that not only do I have all the info you have posted to sift through, but I am probably doing a dozen other logs at the same time, here and at other sites :). I have a real life too and want to get logs cleaned up as fast as I can too.
I am willing to help, but I cannot 2nd guess what you are doing. I do not want to take the time to write up a set of instructions only to find they are no longer valid because the person it was written for has moved the goal posts :).
So, if you are willing to just hold off, I will be able to give you a final clean up procedure :).

Just let me know if you have done anything else :D.

I do understand and sorry again. I don't know how you can do this every day looking at all the logs, and I know I made a lot of reading for you, but basically I followed through deleting all those files you told me to with KillBox. If you want, I can just post 4 fresh logs and you can see how they look. I am just not sure if something bad is still hiding in the registry. Take your time with the final clean up instructions, but it would be nice if it could be before 3 am.

Thanks again and have a good night and Happy New Year!

0

I don't know when 3 am is :). I am in Australia and it's 11.50 am here.
Post a VX2 log, a Silent Runners log and that should be it. Are you having problems with the recycle bin? Drop something in there and see if you can see it.

0

I think the recycle bin is fine


"Silent Runners.vbs", revision 28, launched at: 23:43
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows 2000


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\System32\hticons.dll" [null data]
"{813790D8-68CD-4318-9F5C-1847AD1AB483}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
"{FA050674-5655-4D8C-A785-EA25A159DEDB}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\su3res.dll" [file not found]
"{F82121F6-B27E-4B55-BF51-41C1B5B3F8EF}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" = "SpySubtract Shell Extension"
-> CLSID InProcServer32 resolves to: "c:\Program Files\interMute\SpySubtract\sshook.dll" ["InterMute, Inc."]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]
"{1BDD258C-7D21-48F0-A4B6-A0AC476250F7}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\pjrfos.dll" [file not found]
"{9159CE34-BF49-40D8-AA6D-E116642E9D8C}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINNTOLD\system32\guard.tmp" [file not found]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Applets\DLLName" = "C:\WINNTOLD\system32\fpjm0311e.dll" [file not found]
INFECTION WARNING! "Shell Extensions\DLLName" = "C:\WINNTOLD\system32\guard.tmp" [file not found]


Enabled Scheduled Tasks:
------------------------

"avg" -> launches: "C:\Documents and Settings\JBaker\Desktop\avg.doc" [file not found]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer - Thom" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users.WINNTOLD\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---

Thanks again... it looks clean, eh?


I downloaded and ran AVG as you can now see in the reg.

0

Only thing is that !Submit folder that was in my C:\ drive will not empty from the Recycle Bin.

Nevermind I removed it.

0

Open the registry editor and go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify and export that key to your desktop. Call it notify.reg
Right click on it and then edit. Copy and paste the results here.

0

Unzip the regfile from the zip folder, then double click on it to merge it with your registry. When asked if you want to, click yes. This will get rid of the reg entries left behind.
Did you manage to export that key I requested?

0

Unzip the regfile from the zip folder, then double click on it to merge it with your registry. When asked if you want to, click yes. This will get rid of the reg entries left behind.
Did you manage to export that key I requested?

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNTOLD\\system32\\fpjm0311e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNTOLD\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

Thanks much!
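Added example, not from the thread or from any of the tools it uses: a small Python parser for an export like the one above. It joins the backslash continuation lines, decodes the hex(2) REG_EXPAND_SZ values, and flags Winlogon\Notify packages whose DllName is an absolute path or not a .dll file, the two traits shared by the Applets and Shell Extensions entries that Silent Runners reported as file not found. SAMPLE_REG is a constructed excerpt of that export and the flagging heuristic is my own.

```python
"""Flag suspicious Winlogon\\Notify packages in a .reg export. Added example,
not from the thread; the sample and the flagging heuristic are my own."""
import re

NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")

# Constructed sample: the two subkeys flagged in the thread's export plus two
# stock Windows 2000 packages, one stored as hex(2), i.e. REG_EXPAND_SZ.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNTOLD\\system32\\fpjm0311e.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"DllName"="C:\\WINNTOLD\\system32\\guard.tmp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
'''

def _join_continuations(text):
    """Merge lines ending in a backslash, the .reg continuation marker."""
    out = []
    for line in text.splitlines():
        if out and out[-1].endswith("\\"):
            out[-1] = out[-1][:-1] + line.strip()
        else:
            out.append(line.rstrip())
    return out

def decode_value(value):
    """Decode the REG_SZ, REG_DWORD and REG_EXPAND_SZ encodings in the export."""
    if value.startswith('"') and value.endswith('"'):
        # .reg escapes backslash and double quote with a backslash
        return value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if value.startswith("dword:"):
        return int(value[len("dword:"):], 16)
    if value.startswith("hex(2):"):
        # comma-separated bytes of a NUL-terminated UTF-16LE string
        raw = bytes(int(b, 16) for b in value[7:].split(",") if b.strip())
        return raw.decode("utf-16-le").rstrip("\x00")
    return value  # other types are left as raw text

def parse_reg(text):
    """Return {key path: {value name: decoded value}} for a REGEDIT5 export."""
    keys, current = {}, None
    for line in _join_continuations(text):
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                keys[current][m.group(1)] = decode_value(m.group(2))
    return keys

def scan_notify(text):
    """List (subkey, DllName, reason) for packages that look out of place."""
    findings = []
    for key, values in parse_reg(text).items():
        if not key.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            continue
        # value names are case-insensitive: the export has DllName and DLLName
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        reasons = []
        if dll and re.match(r"^[A-Za-z]:\\", dll):
            reasons.append("absolute path; stock packages use a bare DLL name")
        if dll and not dll.lower().endswith(".dll"):
            reasons.append("not a .dll file")
        if reasons:
            findings.append((key.rsplit("\\", 1)[1], dll, "; ".join(reasons)))
    return findings
```

scan_notify(SAMPLE_REG) returns the Applets and Shell Extensions subkeys; the stock packages, which reference bare names resolved from system32, pass.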
