
thildebrand5

join:2004-12-03

Popups upon startup, Elite toolbar, and no help..

I have run spybot, adaware, hijack this, ewido security suite (which took like 1.5 hours to do a full scan), Spyware Guard, Pest Patrol, and Spyblaster. I've also enabled "Immunize" in Spybot (I believe).

The problem is this: Upon startup of the comp, even if I do NOT open IE, there are windows that open up and load. The really annoying thing is these websites are trying to sell me anti-adware programs... there is NO way I'd buy something that caused the very problem they're trying to fix. Bastards. These windows seem to load up every minute or two minutes. They ALWAYS interrupt what I'm currently working on in my system -- so they've virtually made my system inoperable.

It looks like spybot sees some errors after a scan but cannot fix them? They are listed as follows:
CoolWWWsearch.bootconf
Coolwwwsearch.loadbat
coolwwwsearch.msconfd
coolwwwsearch.oslogo
coolwwwsearch.tapicfg
coolwwwsearch.xmlmimefilter
It also says elitebar is fixed, but upon reboot and rescan, EVERY problem that was supposedly fixed is back.

My hijack this log is as follows:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PestPatrol\PPControl.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PestPatrol\ppmemcheck.exe
C:\Program Files\PestPatrol\cookiepatrol.exe
C:\Program Files\ICQ\Icq.exe
C:\WINDOWS\System32\kwasio.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PestPatrol\pestpatrol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\hijackthis\HijackThis.exe

O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll (file missing)
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvnzh32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\Icq.exe -trayboot
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - »security.symantec.com/sscv6/Shar···absa.cab


NanDog
The Pup Was Female, I'M Not
Premium
join:2003-12-28

That does not look like a full HijackThis log. Please try it again!


thildebrand5

join:2004-12-03

reply to thildebrand5
Logfile of HijackThis v1.98.2
Scan saved at 6:44:11 PM, on 12/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PestPatrol\PPControl.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PestPatrol\ppmemcheck.exe
C:\Program Files\PestPatrol\cookiepatrol.exe
C:\Program Files\ICQ\Icq.exe
C:\WINDOWS\System32\kwasio.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PestPatrol\pestpatrol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\hijackthis\HijackThis.exe

O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll (file missing)
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvnzh32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\Icq.exe -trayboot
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - »security.symantec.com/sscv6/Shar···absa.cab

That's the entire log.



erwin_mi

join:2004-07-27
Belgium

Definitively fix these:
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll (file missing)

I'm not sure about these:
C:\WINDOWS\System32\kwasio.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvnzh32.exe

After that update to SP2!


thildebrand5

join:2004-12-03

I have deleted those before. When I restart my comp and rerun hijack this, they are still there. This is what is confusing me.

And SP2 seemed to inhibit me from being able to use windows so I've opted not to use it.

Tim


thildebrand5

join:2004-12-03

reply to thildebrand5
Please someone help. I think Elite bar is gone, but I am still having popups that seem to only happen when I use my mouse. I can load up the computer, and nothing will happen, but as soon as I go to click on something I'll get popups.

I'll post my new hijack this log:

Logfile of HijackThis v1.98.2
Scan saved at 2:01:45 PM, on 12/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\kwasio.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ICQ\Icq.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\hijackthis\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\Icq.exe -trayboot
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

And I deleted the above recommended deletions using hijack this, but upon restarting my comp the hijackthis log looks just like I posted above. The deleted entries are back. I booted up in safe mode, ran hijack this, deleted the recommended, ran spybot, and ran adaware... I reboot in normal mode, then EVERYTHING is the same again. NOTHING has changed. Fortunately, Elite bar seems to have disappeared.

Tim - please help! I'm losing the war on my end.



Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13


While in safe mode run HJT log and delete
C:\WINDOWS\System32\kwasio.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

Scan with VX2 Cleaner, an Ad-Aware add-on, just in case.
Follow the advice on VX2Finder in
»Ad problems with Rundll32 (Windows ME)

Cudni
--
Would you Adam and Eve it?
Help yourself so God can help you..it does exactly what it says on the sig


John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England

reply to thildebrand5


Your hosts file indicates a look2me infection.

Removal instructions are here.

»www.pchell.com/support/look2me.shtml
--
Better to remain silent and be thought a fool, than to speak and remove all doubt.


gruau

join:2002-11-06
Baie-Comeau, QC

reply to thildebrand5


Take a look at the Task Scheduler (in the Control Panel) and in the Advanced menu, select Show Hidden Tasks. If there is a hidden task there, delete it.

I cleaned a computer last week that had a self re-infection problem and the cause was a hidden task. What gave me the hint was a message about a missed scheduled task, even after disabling all visible tasks.

Good luck in the cleanup!
--
All Things Macintosh... Because using an Apple Computer is like taking a vacation when you are used to PCs... Especially when PC tech is your day job!


Zupe
Premium,MVM
join:2001-11-29
New York, NY


reply to thildebrand5


find.zip 477 bytes
(find.bat)
There's a new version of VX2/Look2me that's just shown up recently, and from the symptoms you're describing, it sounds like it may be what you have.

Can you please start off by downloading VX2Finder to your desktop from here: »downloads.subratam.org/VX2Finder(126).exe Start vx2finder, then click on "Click to Find VX2.BetterInternet" and then click "Make Log" and copy and paste the entire contents of the log here.

Also, I'm attaching a batch file I put together called Find.bat. Please download it to your desktop, unzip it, then double-click on it to run it. It should run for a few seconds, then open a text document. Please copy and paste the contents of that document here. Once that's done, close the text file and then press a key and the batch file will clean up after itself and end.
--
Brain: Pinky, are you pondering what I'm pondering?
Pinky: I think so, Brain, but "Snowball for Windows"?

thildebrand5

join:2004-12-03

Here's the VX2 log:
Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
policies
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon

Guardian Key--- is called:

User Agent String---
{284D70CF-CDD0-46F1-9356-BC17E8E5657B}

The Find.zip log text is as follows:
Volume in drive C has no label.
Volume Serial Number is 187E-E2CA

Directory of C:\WINDOWS\System32

12/02/2004 07:36 AM dllcache
11/01/2004 08:57 AM 10,022 KGyGaAvL.sys
08/18/2004 07:33 PM 488 logonui.exe.manifest
08/18/2004 07:33 PM 488 WindowsLogon.manifest
08/18/2004 07:33 PM 749 cdplayer.exe.manifest
08/18/2004 07:33 PM 749 sapi.cpl.manifest
08/18/2004 07:33 PM 749 nwc.cpl.manifest
08/18/2004 07:33 PM 749 ncpa.cpl.manifest
08/18/2004 07:33 PM 749 wuaucpl.cpl.manifest
08/28/2002 07:41 PM 569,344 oleaut32.dll
08/28/2002 07:41 PM 401,462 msvcp60.dll
08/23/2001 04:00 AM 50,688 msvcirt.dll
08/23/2001 04:00 AM 995,383 mfc42.dll
08/23/2001 04:00 AM 9,728 regsvr32.exe
08/23/2001 04:00 AM 106,496 olepro32.dll
14 File(s) 2,147,844 bytes
1 Dir(s) 46,388,383,744 bytes free
Volume in drive C has no label.
Volume Serial Number is 187E-E2CA

Directory of C:\WINDOWS\System32

Volume in drive C has no label.
Volume Serial Number is 187E-E2CA

Directory of C:\WINDOWS\System32

10/31/2004 08:49 AM 1,606 PerfStringBackup.TMP
08/29/2002 04:00 AM 2,577 CONFIG.TMP
2 File(s) 4,183 bytes
0 Dir(s) 46,388,379,648 bytes free
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\s4rsle971h.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001



Thank you all


thildebrand5

join:2004-12-03

reply to thildebrand5
John2G: I ran one of their automatic removal programs following your link. It looks like it wasn't on my system, but it removed it anyways. I restarted the comp and some mofo ass browser window popped up trying to sell me anti-spyware software... what a joke. So, it didn't work.

Tim



Zupe
Premium,MVM
join:2001-11-29
New York, NY


reply to thildebrand5
The batch file didn't work quite as well as I'd hoped, but it showed enough to confirm that's what you have. There's no definitive solution for this yet, but we can try:

First, please follow the steps here for enabling viewing of system/hidden files: »www.xtra.co.nz/help/0,,4155-1916458,00.html

Next, please download DLL Compare to your desktop from here: »download.broadbandmedic.com/DllCompare.exe Start Dll Compare, then click on "Run Locate.com". When it tells you that's finished, click on "Compare" at the bottom right. When that finishes, click "Make a Log of What was Found" and answer "Yes" to View Log file. Copy and paste the contents of that log here.

Please also open the c:\Windows\System32 folder and see if there's a file there called Guard.tmp visible and report that here as well.
--
Brain: Pinky, are you pondering what I'm pondering?
Pinky: I think so, Brain, but "Snowball for Windows"?


thildebrand5

join:2004-12-03

Here is the log you requested, AND there is no guard.tmp in my windows/system32 dir after viewing hidden files/folders.

Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\cotsrvps.dll Fri Dec 3 2004 10:17:58a ..S.R 225,350 220.07 K
C:\WINDOWS\SYSTEM32\dunet.dll Sat Dec 4 2004 3:39:06p ..S.R 223,859 218.61 K
C:\WINDOWS\SYSTEM32\gpr6l3~1.dll Sat Dec 4 2004 3:39:06p ..S.R 225,552 220.27 K
C:\WINDOWS\SYSTEM32\mfc42.dll Thu Aug 23 2001 4:00:00a ..SH. 995,383 972.05 K
C:\WINDOWS\SYSTEM32\msvcirt.dll Thu Aug 23 2001 4:00:00a ..SH. 50,688 49.50 K
C:\WINDOWS\SYSTEM32\msvcp60.dll Wed Aug 28 2002 7:41:08p ..SH. 401,462 392.05 K
C:\WINDOWS\SYSTEM32\n2l80c~1.dll Sat Dec 4 2004 3:30:52p ..S.R 224,691 219.42 K
C:\WINDOWS\SYSTEM32\o4ns0e~1.dll Sat Dec 4 2004 11:23:24a ..S.R 223,859 218.61 K
C:\WINDOWS\SYSTEM32\oce2nls.dll Sat Dec 4 2004 11:05:24a ..S.R 226,214 220.91 K
C:\WINDOWS\SYSTEM32\oleaut32.dll Wed Aug 28 2002 7:41:10p A.SH. 569,344 556.00 K
C:\WINDOWS\SYSTEM32\olepro32.dll Thu Aug 23 2001 4:00:00a ..SH. 106,496 104.00 K
C:\WINDOWS\SYSTEM32\q8nuli~1.dll Fri Dec 3 2004 12:23:58p ..S.R 225,350 220.07 K
________________________________________________

1,438 items found: 1,438 files (12 H/S), 0 directories.
Total of file sizes: 310,214,245 bytes 295.84 M

Administrator Account = True

--------------------End log---------------------



Zupe
Premium,MVM
join:2001-11-29
New York, NY

Alright, please download Pocket Killbox to your desktop from here: »download.broadbandmedic.com/Killbox.exe

Start Killbox and click on Tools->Delete Temp Files.

When that finishes, copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those in a minute:

C:\WINDOWS\SYSTEM32\cotsrvps.dll

C:\WINDOWS\SYSTEM32\dunet.dll

C:\WINDOWS\SYSTEM32\gpr6l3~1.dll

C:\WINDOWS\SYSTEM32\n2l80c~1.dll

C:\WINDOWS\SYSTEM32\o4ns0e~1.dll

C:\WINDOWS\SYSTEM32\oce2nls.dll

C:\WINDOWS\SYSTEM32\q8nuli~1.dll

C:\WINDOWS\SYSTEM32\s4rsle971h.dll

C:\WINDOWS\SYSTEM32\Guard.tmp

For the files that it either couldn't find or couldn't delete, run killbox again, but this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No" until after you've pasted the last file name, at which time you should answer "Yes".

When it reboots, please post a new DllCompare log and a new Hijack This log.
--
Brain: Pinky, are you pondering what I'm pondering?
Pinky: I think so, Brain, but "Snowball for Windows"?



NanDog
The Pup Was Female, I'M Not
Premium
join:2003-12-28


reply to thildebrand5
Zupe, can you provide a link to information on this new ver of VX2/Look2me? As an aspiring HJT analyst, I'd like to know what's currently up. Thanks!

Edit: Sorry to the OP! Upon reflection I should've IM'ed Zupe rather than posting here. Mea Culpa!


thildebrand5

join:2004-12-03

reply to thildebrand5
DLL Compare Log after following the above actions deleting some .dlls and deleting others upon reboot:
* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\mfc42.dll Thu Aug 23 2001 4:00:00a ..SH. 995,383 972.05 K
C:\WINDOWS\SYSTEM32\msvcirt.dll Thu Aug 23 2001 4:00:00a ..SH. 50,688 49.50 K
C:\WINDOWS\SYSTEM32\msvcp60.dll Wed Aug 28 2002 7:41:08p ..SH. 401,462 392.05 K
C:\WINDOWS\SYSTEM32\oleaut32.dll Wed Aug 28 2002 7:41:10p A.SH. 569,344 556.00 K
C:\WINDOWS\SYSTEM32\olepro32.dll Thu Aug 23 2001 4:00:00a ..SH. 106,496 104.00 K
________________________________________________

1,431 items found: 1,431 files (5 H/S), 0 directories.
Total of file sizes: 308,639,370 bytes 294.34 M

Administrator Account = True

--------------------End log---------------------

NEW HIJACK THIS LOG:
Logfile of HijackThis v1.98.2
Scan saved at 2:37:44 PM, on 12/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\kwasio.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\hijackthis\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

Tim H



Zupe
Premium,MVM
join:2001-11-29
New York, NY


FindIt.zip 13,867 bytes
Alright, so far it seems to be working.

First, can you please make sure there's no C:\WINDOWS\SYSTEM32\Guard.tmp file visible now (if there is, please stop and post back).

Assuming there isn't: please unzip Hijack This to a folder of its own (ex. C:\HJT).

Once you've done that, with all windows closed, scan with Hijack This, put checks next to the items I've quoted below and click "Fix Checked":

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
Reboot.

After rebooting, please post a new Hijack This log, as well as a new log with VX2Finder. Finally, can you download the attached file and unzip the contents to a folder, then open that folder and double click on Find.bat. It will run for a minute, then produce a log (ignore any File not found messages on the screen, it should continue anyway). Please copy and paste that log here as well.
--
Brain: Pinky, are you pondering what I'm pondering?
Pinky: I think so, Brain, but "Snowball for Windows"?

thildebrand5

join:2004-12-03

VX2 Finder log after selecting the hijack this entries to fix:
Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
CSCSettings
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon

Guardian Key--- is called:

User Agent String---
{284D70CF-CDD0-46F1-9356-BC17E8E5657B}

FIND IT LOG:
Volume in drive C has no label.
Volume Serial Number is 187E-E2CA

Directory of C:\WINDOWS\System32

12/02/2004 07:36 AM dllcache
11/01/2004 08:57 AM 10,022 KGyGaAvL.sys
08/18/2004 07:33 PM 488 logonui.exe.manifest
08/18/2004 07:33 PM 488 WindowsLogon.manifest
08/18/2004 07:33 PM 749 cdplayer.exe.manifest
08/18/2004 07:33 PM 749 sapi.cpl.manifest
08/18/2004 07:33 PM 749 nwc.cpl.manifest
08/18/2004 07:33 PM 749 ncpa.cpl.manifest
08/18/2004 07:33 PM 749 wuaucpl.cpl.manifest
08/28/2002 07:41 PM 569,344 oleaut32.dll
08/28/2002 07:41 PM 401,462 msvcp60.dll
08/23/2001 04:00 AM 50,688 msvcirt.dll
08/23/2001 04:00 AM 995,383 mfc42.dll
08/23/2001 04:00 AM 9,728 regsvr32.exe
08/23/2001 04:00 AM 106,496 olepro32.dll
14 File(s) 2,147,844 bytes
1 Dir(s) 44,045,918,208 bytes free
Volume in drive C has no label.
Volume Serial Number is 187E-E2CA

Directory of C:\WINDOWS\System32

Volume in drive C has no label.
Volume Serial Number is 187E-E2CA

Directory of C:\WINDOWS\System32

10/31/2004 08:49 AM 1,606 PerfStringBackup.TMP
08/29/2002 04:00 AM 2,577 CONFIG.TMP
2 File(s) 4,183 bytes
0 Dir(s) 44,045,914,112 bytes free
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gpr6l39s1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
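The two Find.bat exports in this thread show the persistence mechanism behind the reinfection: a Winlogon Notify package (first named "policies" and loading s4rsle971h.dll, later "CSCSettings" loading gpr6l39s1.dll) that winlogon.exe loads at logon, before any scanner or the user's shell runs. As an added example that is not part of this thread or of the tools it uses, the Python script below parses such a REGEDIT4 export offline and flags Notify packages that do not match the stock XP set; the embedded export is constructed from the two logs, and the stock-package table is an assumption taken from the clean entries shown here.

```python
import re

NOTIFY_ROOT = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
               r"\CurrentVersion\Winlogon\Notify")

# Stock Windows XP Notify packages -> the DLL each registers. Assumed from
# the clean entries in the thread's exports; legitimate third-party packages
# (video drivers, AV suites) also live here and will be flagged for review.
STOCK_NOTIFY = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll", "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}

# Constructed export: two stock entries plus the two rogue packages from
# the thread's two Find.bat logs, merged into one file for the example.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\policies]
"DllName"="C:\\WINDOWS\\system32\\s4rsle971h.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"DllName"="C:\\WINDOWS\\system32\\gpr6l39s1.dll"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _decode_value(raw):
    """Turn one REGEDIT4 value literal (REG_SZ, dword, hex(n)) into a str."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \\ and \"
    if raw.startswith("dword:"):
        return str(int(raw[6:], 16))
    m = re.match(r"hex(?:\(\d+\))?:(.*)$", raw)
    if m:  # hex(2) = REG_EXPAND_SZ as comma-separated ANSI bytes + NUL
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("latin-1").rstrip("\x00")
    return raw


def parse_reg(text):
    """Parse a REGEDIT4 export into {key path: {value name: value}}."""
    sections, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip() if pending else line.rstrip()
        pending = ""
        if line.endswith("\\"):  # regedit wraps long hex values with '\'
            pending = line[:-1]
            continue
        km = _KEY_RE.match(line)
        if km:
            current = km.group(1)
            sections.setdefault(current, {})
            continue
        vm = _VALUE_RE.match(line)
        if vm and current is not None:
            sections[current][vm.group(1)] = _decode_value(vm.group(2))
    return sections


def notify_entries(sections):
    """Return {package name: DllName} for the direct Winlogon\\Notify subkeys."""
    prefix = NOTIFY_ROOT.lower() + "\\"
    out = {}
    for key, values in sections.items():
        name = key[len(prefix):]
        if not key.lower().startswith(prefix) or "\\" in name:
            continue
        # exports keep the case the key was written with: DllName vs DLLName
        out[name] = next((v for k, v in values.items() if k.lower() == "dllname"), "")
    return out


def suspicious_notify(text):
    """Return [(package, dll, reason)] for Notify packages outside the stock set."""
    # Stock packages use a bare DLL name that winlogon resolves from system32;
    # the rogue packages in the thread use a full path to a random-named DLL.
    findings = []
    for name, dll in notify_entries(parse_reg(text)).items():
        expected = STOCK_NOTIFY.get(name.lower())
        base = dll.rsplit("\\", 1)[-1].lower()
        if "\\" in dll:
            findings.append((name, dll, "DllName is a full path"))
        elif expected is None:
            findings.append((name, dll, "unknown Notify package"))
        elif base != expected:
            findings.append((name, dll, "expected " + expected))
    return findings
```

A flagged entry is a prompt for manual review, not proof of infection; what makes the thread's entries stand out is the combination of a non-stock package name, a full path, and a DLL that DllCompare lists as system+read-only with a short 8.3 name.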




thildebrand5

join:2004-12-03

Hijack this log is now as follows:
Logfile of HijackThis v1.98.2
Scan saved at 5:07:22 PM, on 12/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\kwasio.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

Whatever we're doing seems to be working on my end. I get a popup when I log on to this forum even though I have google popup blocker, but the persistent evil that is the old windows opening every 1 minute seems to be neutralized. If there are more problems you see in my logs then I am willing to continue until everything is fixed.

Tim


over 12.5 years online © 1999-2012 dslreports.com.