
My Comp is so Hijacked

Discussion in 'Malware and Virus Removal Archive' started by Cracka, 2004/12/06.

  1. 2004/12/10
    Cracka

    Cracka Inactive Thread Starter

    Joined:
    2004/05/25
    Messages:
    64
    Likes Received:
    0
    actually 3 hosts

    Actually 5 host files showed up. Do I delete them except for the 1 that you originally posted?


    C:\Documents and settings
    C:\l386\HOSTS
    C:\Program Files\KaZaA Lite\New Kazaa\kazaalite_202_b1\second stage\HOSTS
    C:\WINDOWS\l386\HOSTS
    C:\WINDOWS\SYSTEM32\drivers\etc\hosts
     
    Last edited: 2004/12/10
  2. 2004/12/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I would be inclined to say that these 3 are legitimate.

    C:\l386\HOSTS
    C:\WINDOWS\l386\HOSTS
    C:\WINDOWS\SYSTEM32\drivers\etc\hosts

    Click each one to highlight then click Use Notepad to view. They should all have the same contents that I posted before as the default. An educated guess would be that the other two should be gotten rid of, but I would be interested in their contents first. Please post them. (highlight then click Use Notepad, copy and paste here)
     


  4. 2004/12/11
    noahdfear
    Again, right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Download the Domains.zip file attached to this post. Extract the files and double click the RemoveDomains.reg to merge to the registry, then the ResetDomains.reg to merge to the registry.


    Download The Killbox from here: http://tools.zerosrealm.com/killbox.zip

    Unzip the files to a folder, then open and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\System32\addep32.exe

    Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The filename and path should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". Do not reboot.
    Click the Killbox again and copy/paste the following.

    C:\WINDOWS\System32\tibs3.exe

    Repeat the above steps then copy/paste the following;

    C:\WINDOWS\system32\addua32.dll

    Repeat the above steps and allow reboot.


    Scan again with HJT and fix the following entries if present. Otherwise, save the log and post it.

    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
    O4 - HKLM\..\Run: [addep32.exe] C:\WINDOWS\system32\addep32.exe

    If present, reboot and do another scan, posting the log.
     
  5. 2004/12/11
    Cracka
    Here's my new log

    I turned system restore off. Finished using Killbox. I reset, used HJT and here's my post.

    Logfile of HijackThis v1.98.2
    Scan saved at 3:56:51 PM, on 12/11/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\HJT\avgserv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\HJT\avgcc32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Ares\Ares.exe
    C:\WINDOWS\atlsj.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\atlii.exe
    C:\HJT\HijackThis(new).exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wycyb.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wycyb.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wycyb.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wycyb.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wycyb.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wycyb.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wycyb.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {248F4AA0-2FBE-AC94-9343-FA3E8832F5B2} - C:\WINDOWS\ntww.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-ca\msntb.dll (file missing)
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\HJT\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [atlsj.exe] C:\WINDOWS\atlsj.exe
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

    noahdfear, I sent you the two files in an email yesterday. Did you get them? I am also gonna send you the hosts files in a bit. They're too big to post; the Kazaa one is over 6000 letters.
     
  6. 2004/12/11
    noahdfear
    Yes, I got your emails, which is what I based the above recommendations on, and also why the trusted zone entry is gone from your log. It does appear, however, that part of the original infection has either returned or was never properly removed.

    Download: Service Filter

    http://home.comcast.net/~rand1038/v...rviceFilter.zip

    Unzip the downloaded file and double-click ServiceFilter.vbs
    It generates a list that opens in Wordpad. Copy and paste the contents in your next reply.
     
  7. 2004/12/12
    Cracka
    It says file not found for the link.
     
  8. 2004/12/12
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Yup Dave. You posted a blown link.
     
  9. 2004/12/12
    noahdfear
  10. 2004/12/12
    Cracka
    Service

    The script did not recognize the services listed below.
    This does not mean that they are a problem.

    To copy the entire contents of this document for posting:
    At the top of this window click "Edit" then "Select All"
    Next click "Edit" again then "Copy"
    Now right click in the forum post box then click "Paste"

    ########################################

    ServiceFilter 1.1
    by rand1038

    Microsoft Windows XP Home Edition
    Version: 5.1.2600 Service Pack 1
    Dec 12, 2004 6:31:06 PM


    ===> Begin Service Listing <===

    Unknown Service #1
    Service Name: AvgServ
    Display Name: AVG6 Service
    Start Mode: Auto
    Start Name: LocalSystem
    Description: ...
    Service Type: Own Process
    Path: c:\hjt\avgserv.exe
    State: Running
    Process ID: 1856
    Started: True
    Exit Code: 0
    Accept Pause: False
    Accept Stop: True

    Unknown Service #2
    Service Name: ImapiService
    Display Name: IMAPI CD-Burning COM Service
    Start Mode: Manual
    Start Name: LocalSystem
    Description: Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this ...
    Service Type: Own Process
    Path: c:\windows\system32\imapirox.exe
    State: Stopped
    Process ID: 0
    Started: False
    Exit Code: 0
    Accept Pause: False
    Accept Stop: False

    Unknown Service # 3
    Service Name: ISEXEng
    Display Name: ISEXEng
    Start Mode: Auto
    Start Name: LocalSystem
    Description: ...
    Service Type: Own Process
    Path: c:\windows\system32\angelex.exe
    State: Stopped
    Process ID: 0
    Started: False
    Exit Code: 0
    Accept Pause: False
    Accept Stop: False

    Unknown Service # 4
    Service Name: NISSERV
    Display Name: Norton Internet Security Service
    Start Mode: Auto
    Start Name: LocalSystem
    Description: ...
    Service Type: Own Process
    Path: c:\program files\norton internet security\nisserv.exe
    State: Running
    Process ID: 1292
    Started: True
    Exit Code: 0
    Accept Pause: False
    Accept Stop: True

    Unknown Service # 5
    Service Name: SpyKeyloggerService
    Display Name: Spy-Keylogger
    Start Mode: Auto
    Start Name: LocalSystem
    Description: ...
    Service Type: Own Process
    Path: c:\trevor\emu\basiliskii_win32_20012001\basiliskii\setup\cd-rom drivers\9x\spykeylogger\skls.exe
    State: Stopped
    Process ID: 0
    Started: False
    Exit Code: 0
    Accept Pause: False
    Accept Stop: False

    Unknown Service #6
    Service Name: SwPrv
    Display Name: MS Software Shadow Copy Provider
    Start Mode: Manual
    Start Name: LocalSystem
    Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
    Service Type: Own Process
    Path: c:\windows\system32\dllhost.exe /processid:{629945eb-4822-491d-8085-b2a660303dee}
    State: Stopped
    Process ID: 0
    Started: False
    Exit Code: 1077
    Accept Pause: False
    Accept Stop: False

    Unknown Service # 7
    Service Name: SymProxySvc
    Display Name: Norton Internet Security Proxy Service
    Start Mode: Auto
    Start Name: LocalSystem
    Description: Symantec Transparent Proxy ...
    Service Type: Own Process
    Path: c:\program files\norton internet security\symproxysvc.exe
    State: Running
    Process ID: 1644
    Started: True
    Exit Code: 0
    Accept Pause: False
    Accept Stop: True

    Unknown Service # 8
    Service Name: %AFÃ¥¤¶Ã€¨
    Display Name: Network Security Service (NSS)
    Start Mode: Auto
    Start Name: LocalSystem
    Description: ...
    Service Type: Share Process
    Path: c:\windows\atlii.exe /s
    State: Running
    Process ID: 508
    Started: True
    Exit Code: 0
    Accept Pause: False
    Accept Stop: True

    ---> End Service Listing <---

    There are 85 Win32 services on this machine.
    8 were unrecognized.

    Script Execution Time: 13.9375 seconds.


    The Spy-Keylogger I had to use on my bro's.
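    The listing above is what noahdfear reads by eye before picking out Network Security Service and ISEXEng in the next post. As an added example, not part of the thread or of ServiceFilter, here is a Python script that parses ServiceFilter's "Unknown Service" blocks and flags the same kinds of oddities: a service name made of non-printable or non-ASCII characters, a "Share Process" service whose host is not svchost.exe, an executable sitting directly in the Windows directory, an image path outside Windows and Program Files, and an auto-start service with no description whose display name merely repeats its service name. The heuristics and the assumption of a C: system drive are mine; the sample blocks are copied from the listing above, and a hit means "review this", not "malware".

```python
import ntpath
import re

# Constructed sample: five of the blocks from the ServiceFilter listing posted in this thread.
SAMPLE_LISTING = r"""
Unknown Service #1
Service Name: AvgServ
Display Name: AVG6 Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\hjt\avgserv.exe
State: Running

Unknown Service # 3
Service Name: ISEXEng
Display Name: ISEXEng
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\angelex.exe
State: Stopped

Unknown Service # 5
Service Name: SpyKeyloggerService
Display Name: Spy-Keylogger
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\trevor\emu\basiliskii_win32_20012001\basiliskii\setup\cd-rom drivers\9x\spykeylogger\skls.exe
State: Stopped

Unknown Service #6
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{629945eb-4822-491d-8085-b2a660303dee}
State: Stopped

Unknown Service # 8
Service Name: %AFÃ¥¤¶Ã€¨
Display Name: Network Security Service (NSS)
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\atlii.exe /s
State: Running
"""

# Assumption: the system drive is C:, so these are the directories legitimate services normally live under.
USUAL_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# A quoted image path, or an unquoted one running up to the first ".exe" token (paths may contain spaces).
RE_EXE = re.compile(r'^"([^"]+)"|^(.*?\.exe)(?:\s|$)', re.I)


def image_path(command):
    """Executable from a service command line, without its arguments."""
    m = RE_EXE.match(command.strip())
    if m:
        return m.group(1) or m.group(2)
    return command.strip().split()[0] if command.strip() else ""


def parse_listing(text):
    """Return one {field: value} dict per 'Unknown Service' block of a ServiceFilter listing."""
    services = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        if not lines or not lines[0].startswith("Unknown Service"):
            continue
        services.append(dict(l.split(": ", 1) for l in lines[1:] if ": " in l))
    return services


def triage_services(text):
    """Return [(service_name, reason)] for every heuristic a service trips; a service may trip several."""
    findings = []
    for svc in parse_listing(text):
        name = svc.get("Service Name", "")
        path = image_path(svc.get("Path", "")).lower()
        if any(ord(c) < 32 or ord(c) > 126 for c in name):
            findings.append((name, "service name contains non-printable or non-ASCII characters"))
        if svc.get("Service Type") == "Share Process" and ntpath.basename(path) != "svchost.exe":
            findings.append((name, "shared-process service whose host is not svchost.exe"))
        if ntpath.dirname(path) == "c:\\windows":
            findings.append((name, "executable placed directly in the Windows directory"))
        if path and not path.startswith(USUAL_ROOTS):
            findings.append((name, "installed outside Windows and Program Files; confirm it with the user"))
        if (svc.get("Start Mode") == "Auto" and svc.get("Description", "").strip(". ") == ""
                and svc.get("Display Name") == name):
            findings.append((name, "auto-start service with no description whose display name repeats its service name"))
    return findings


if __name__ == "__main__":
    for name, reason in triage_services(SAMPLE_LISTING):
        print(f"{name!r}: {reason}")
```

    Run as-is it reports AvgServ and Spy-Keylogger for their install locations (both are things the user installed, which is exactly the question to put to them), ISEXEng for being an undescribed auto-start service named after itself, and the NSS service three times over; SwPrv, the stock shadow-copy provider, is not reported.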
     
  11. 2004/12/12
    noahdfear
    It's very important to follow the instructions completely, and in the order given.

    You should already have AboutBuster and cwsserviceremove from this post. Open AboutBuster and check for updates. Close for now.

    Check Ad-aware for updates. Close for now.

    Click start then run and type services.msc, then hit enter. Locate Network Security Service, right click and choose properties. Stop the service, then set to disabled. Click Apply then OK. Then locate ISEXEng, stop and disable. Close the services window.

    Make sure system restore is off.

    Scan again with HijackThis and place a check next to the following entries. Close all other windows and click fix.

    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {248F4AA0-2FBE-AC94-9343-FA3E8832F5B2} - C:\WINDOWS\ntww.dll
    O4 - HKLM\..\Run: [atlsj.exe] C:\WINDOWS\atlsj.exe

    Reboot to safe mode.

    Double click cwsserviceremove.reg to merge the information to the registry.

    Open CWShredder, close ALL other windows and click fix.

    Use the Killbox method shown here to mark the following files for deletion and close.
    C:\WINDOWS\atlsj.exe
    C:\WINDOWS\atlii.exe
    C:\WINDOWS\system32\angelex.exe
    C:\WINDOWS\system32\calsp.dll
    C:\WINDOWS\ntww.dll

    Open AboutBuster, click start then OK. Exit when finished.

    Open Ad-aware and run in full scan mode. Delete all it finds.

    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Prefetch, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.

    Open the control panel, then Internet Options. On the general tab, click delete files. Check the popup box for offline content and ok.

    Empty the recycle bin.

    Reboot back to Windows. Open LSPFix and check the box "I know what I am doing", then click finish. Run another HijackThis scan and post the log.
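    The entries noahdfear picks out of the HijackThis logs in this thread follow a few recognisable patterns. As an added example, not part of the thread or of HijackThis, here is a small Python triage script that parses HJT log lines and flags those patterns: O1 hosts entries that send a search host somewhere other than loopback, R0/R1 search settings served from a res:// resource inside a local DLL, a missing default URLSearchHook, an O2 BHO registered with no name, an O4 autorun executable sitting directly in C:\WINDOWS, and O10 Winsock LSP modules HijackThis does not recognise. The sample lines are copied from the log in post 5; the rules are my assumptions and produce entries to review, not a verdict.

```python
import ntpath
import re

# Constructed sample: lines copied from the HijackThis v1.98.2 log posted earlier in this thread.
# It is not a full log, just enough to exercise each rule below.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wycyb.dll/sp.html#29126
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {248F4AA0-2FBE-AC94-9343-FA3E8832F5B2} - C:\WINDOWS\ntww.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [atlsj.exe] C:\WINDOWS\atlsj.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
"""

LOOPBACK = {"127.0.0.1", "::1"}
RE_HOSTS = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
RE_SEARCH = re.compile(r"^R[01] - .+? = (.+)$")
RE_BHO = re.compile(r"^O2 - BHO: (.+?) - \{[0-9A-Fa-f-]+\} - (.+)$")
RE_RUN = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[([^\]]*)\] (.+)$")


def first_path(cmd):
    """Executable path from an O4 command line: the quoted part if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def triage(log_text):
    """Return [(log_line, reason)] for entries that match one of the hijack patterns above."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RE_HOSTS.match(line)
        if m:
            ip, host = m.groups()
            if ip not in LOOPBACK:
                findings.append((line, f"hosts file sends {host} to {ip} rather than loopback"))
            continue
        m = RE_SEARCH.match(line)
        if m:
            if m.group(1).lower().startswith("res://"):
                findings.append((line, "IE search setting served from a resource inside a local DLL"))
            continue
        if line.startswith("R3 - ") and "is missing" in line:
            findings.append((line, "default URLSearchHook has been removed"))
            continue
        m = RE_BHO.match(line)
        if m:
            if m.group(1).strip().lower() == "(no name)":
                findings.append((line, "browser helper object registered without a name"))
            continue
        m = RE_RUN.match(line)
        if m:
            # Legitimate autoruns live in subdirectories; a bare file in the Windows root is unusual.
            if ntpath.dirname(first_path(m.group(2))).lower() == "c:\\windows":
                findings.append((line, "autorun executable placed directly in the Windows directory"))
            continue
        if line.startswith("O10 - Unknown file in Winsock LSP"):
            findings.append((line, "Winsock LSP module HijackThis does not recognise"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

    On the sample it returns exactly the eight entries noahdfear told the user to fix (the res:// search bar, the missing URLSearchHook, the three hosts redirects, the unnamed BHO, atlsj.exe and the calsp.dll LSP) and leaves the Norton toolbar, hpsysdrv, the NVIDIA rundll32 entry and QuickTime alone.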
     
  12. 2004/12/13
    Cracka
    So far so good

    I still get pop-ups but it's better than before.

    For LSP-Fix I fixed the 1 you told me before. There are 3 more files; I don't know if I should put them to remove:

    MSWSOCK.dll
    winrnr.dll
    rsvpsp.dll

    And in Ad-aware a message showed up saying it can't delete

    c:\windows\system32\p860ij7e8o.dll



    Here's my new log


    Logfile of HijackThis v1.98.2
    Scan saved at 11:19:06 PM, on 12/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\HJT\avgserv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\HJT\avgcc32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Ares\Ares.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\HJT\HijackThis(new).exe

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.2001.0001\en-ca\msntb.dll (file missing)
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\HJT\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

    Also, for 2 weeks now, for some reason www.hotmail.com won't work on this computer. You click sign in and it just goes to "Done".
     
    Last edited: 2004/12/13
  13. 2004/12/14
    noahdfear
    Download FindIt.zip and unzip it to your desktop. Go into the FindIt folder and run the Find.bat file. When finished, it will open a notepad named output.txt. Copy and paste the results here.

    Those 3 Winsock files are OK.
     
  14. 2004/12/15
    Cracka
    Find it log

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    ------- System Files in System32 Directory -------

    Volume in drive C is HP_PAVILION
    Volume Serial Number is 64B8-58D3

    Directory of C:\WINDOWS\System32

    12/15/2004 04:13 PM 223,768 mscsubs.dll
    12/14/2004 12:03 AM 223,865 hrjo0513e.dll
    12/13/2004 11:12 PM 223,768 kt04l7dq1.dll
    12/13/2004 10:05 PM <DIR> dllcache
    12/13/2004 06:36 PM 223,768 fpswzrd.dll
    12/10/2004 12:21 AM 222,890 fp0q03d5e.dll
    12/07/2004 07:29 PM 222,890 l46olej31ho.dll
    12/06/2004 04:43 PM 225,673 mvxbde40.dll
    11/29/2004 05:52 AM 11,595 ipxl.exe
    11/28/2004 01:48 AM 56,320 ntplh.dll
    11/25/2004 12:36 AM 56,320 kssxe.dll
    11/23/2004 12:27 PM 10,906 ieda32.exe
    11/17/2004 06:13 AM 11,174 addqe.exe
    11/14/2004 01:56 AM 56,320 pippt.dll
    11/10/2004 10:56 AM 56,320 kjflf.dll
    09/24/2003 08:00 PM <DIR> Microsoft
    08/29/2002 05:41 AM 323,072 msvcrt.dll
    08/29/2002 05:41 AM 401,462 msvcp60.dll
    08/18/2001 12:36 AM 9,728 regsvr32.exe
    08/18/2001 12:36 AM 50,688 msvcirt.dll
    08/18/2001 12:36 AM 995,383 mfc42.dll
    19 File(s) 3,605,910 bytes
    2 Dir(s) 18,870,099,968 bytes free

    ------- Hidden Files in System32 Directory -------

    Volume in drive C is HP_PAVILION
    Volume Serial Number is 64B8-58D3

    Directory of C:\WINDOWS\System32

    12/13/2004 10:05 PM <DIR> dllcache
    11/29/2004 05:52 AM 11,595 ipxl.exe
    11/28/2004 01:48 AM 56,320 ntplh.dll
    11/25/2004 12:36 AM 56,320 kssxe.dll
    11/23/2004 12:27 PM 10,906 ieda32.exe
    11/17/2004 06:13 AM 11,174 addqe.exe
    11/14/2004 01:56 AM 56,320 pippt.dll
    11/10/2004 10:56 AM 56,320 kjflf.dll
    08/29/2002 05:41 AM 323,072 msvcrt.dll
    08/29/2002 05:41 AM 401,462 msvcp60.dll
    09/04/2001 10:11 PM 488 WindowsLogon.manifest
    09/04/2001 10:11 PM 488 logonui.exe.manifest
    09/04/2001 10:11 PM 749 cdplayer.exe.manifest
    09/04/2001 10:11 PM 749 sapi.cpl.manifest
    09/04/2001 10:11 PM 749 nwc.cpl.manifest
    09/04/2001 10:11 PM 749 wuaucpl.cpl.manifest
    09/04/2001 10:11 PM 749 ncpa.cpl.manifest
    08/18/2001 12:36 AM 9,728 regsvr32.exe
    08/18/2001 12:36 AM 50,688 msvcirt.dll
    08/18/2001 12:36 AM 995,383 mfc42.dll
    19 File(s) 2,044,009 bytes
    1 Dir(s) 18,870,095,872 bytes free

    ---------- Files Named "Guard" -------------

    Volume in drive C is HP_PAVILION
    Volume Serial Number is 64B8-58D3

    Directory of C:\WINDOWS\System32


    --------- Temp Files in System32 Directory --------

    Volume in drive C is HP_PAVILION
    Volume Serial Number is 64B8-58D3

    Directory of C:\WINDOWS\System32

    08/18/2001 07:00 AM 2,577 CONFIG.TMP
    1 File(s) 2,577 bytes
    0 Dir(s) 18,870,095,872 bytes free

    ---------------- User Agent ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{CDA7AE97-FFFE-492D-9D33-D82A21D5634D}"=""


    ------------ Keys Under Notify ------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\kt04l7dq1.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    ---------------- Xfind Locked Files -----------------


    -------------- XFind Qoologic Results --------------


    -------------- XFind Aspack Results ---------------


    -------------- Locate.com Results ---------------
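    In the Keys Under Notify section of this FindIt output, every stock Winlogon notification package registers its DllName as a bare file name (either as a string or as a hex(2) byte list that regedit expands), while the IPConfTSP key points at a full path in system32 with a random-looking name; that is the key the RemHosts.reg in the next reply removes. As an added example, not part of the thread or of FindIt, here is a Python parser for a REGEDIT4 export that decodes those hex(2) values and audits the Notify subkeys for a DllName given as a full path or naming a DLL outside a small allow list. The sample excerpt is constructed from the export above, and the allow list of stock DLL names is my assumption, taken from the entries in that export.

```python
import ntpath

# Constructed sample: an excerpt of the REGEDIT4 "Keys Under Notify" export posted in this thread.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\kt04l7dq1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"StartShell"="SchedStartShell"
"""

# Assumption: the notification DLLs a stock XP SP1 install registers, as seen in the export above.
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}


def decode_hex2(value):
    """hex(2) in a REGEDIT4 (ANSI) export is a REG_EXPAND_SZ written as comma-separated bytes, NUL-terminated."""
    raw = bytes(int(b, 16) for b in value.split(",") if b)
    return raw.decode("latin-1").rstrip("\x00")


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a REGEDIT4 export (strings, dwords and hex(2) only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line[1:].partition('"=')
            if value.startswith('"') and value.endswith('"'):
                keys[current][name] = value[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
            elif value.startswith("dword:"):
                keys[current][name] = int(value[6:], 16)
            elif value.startswith("hex(2):"):
                keys[current][name] = decode_hex2(value[7:])
            else:
                keys[current][name] = value
    return keys


def audit_notify(text):
    """Return [(subkey, dll, reason)] for Winlogon\\Notify packages that do not look like stock entries."""
    findings = []
    for key, values in parse_reg(text).items():
        head, _, sub = key.rpartition("\\")
        if not head.lower().endswith("\\winlogon\\notify"):
            continue
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if dll is None:
            continue
        if ntpath.dirname(dll):
            findings.append((sub, dll, "DllName is a full path; stock packages use a bare name resolved from system32"))
        elif ntpath.basename(dll).lower() not in STOCK_NOTIFY_DLLS:
            findings.append((sub, dll, "DllName is not one of the stock notification packages"))
    return findings


if __name__ == "__main__":
    for sub, dll, reason in audit_notify(SAMPLE_REG):
        print(f"{sub}: {dll} ({reason})")
```

    A Notify package is loaded by winlogon.exe itself at every logon, which is why this family hides a DLL there and why noahdfear removes the whole IPConfTSP key rather than just the file.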
    
     
  15. 2004/12/18
    noahdfear
    Sorry I haven't gotten back to you on this sooner. I've been away for a few days. :(

    I have attached a text file to this post. Download it and save to the desktop. Right click it and rename, changing only the txt extension to reg.

    Close ALL windows then double click the RemHosts.reg to merge the information to the registry.

    Open the Killbox. Use the same method as before, here, to mark all of the following for deletion, then reboot. (you can copy these to notepad and save it, then after merging the reg file open it and copy/paste these file paths into the Killbox)

    C:\WINDOWS\System32\mscsubs.dll
    C:\WINDOWS\System32\hrjo0513e.dll
    C:\WINDOWS\System32\l46olej31ho.dll
    C:\WINDOWS\System32\fpswzrd.dll
    C:\WINDOWS\System32\fp0q03d5e.dll
    C:\WINDOWS\System32\l46olej31ho.dll
    C:\WINDOWS\System32\mvxbde40.dll
    C:\WINDOWS\System32\ipxl.exe
    C:\WINDOWS\System32\ntplh.dll
    C:\WINDOWS\System32\kssxe.dll
    C:\WINDOWS\System32\ieda32.exe
    C:\WINDOWS\System32\addqe.exe
    C:\WINDOWS\System32\pippt.dll
    C:\WINDOWS\System32\kjflf.dll
    C:\WINDOWS\System32\p860ij7e8o.dll


    Upon reboot, run HijackThis and place a check next to the following items, then click fix.

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    Reboot again and create a new HJT log, then post it.

    Run another Ad-aware scan and let us know what turns up.
     
  16. 2004/12/19
    Cracka
    remhosts.reg

    When I save it to desktop it goes to Notepad. I change it to a .reg file and it stays the same. I double click it and it says:

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{CDA7AE97-FFFE-492D-9D33-D82A21D5634D}"=-

    I'll still do the Killbox.
     
  17. 2004/12/19
    noahdfear
    I've attached a zip file containing the reg file.
     
  18. 2004/12/19
    Cracka
    ?

    So do you still want me to do this again? After I use the reg file:
    C:\WINDOWS\System32\mscsubs.dll
    C:\WINDOWS\System32\hrjo0513e.dll
    C:\WINDOWS\System32\l46olej31ho.dll
    C:\WINDOWS\System32\fpswzrd.dll
    C:\WINDOWS\System32\fp0q03d5e.dll
    C:\WINDOWS\System32\l46olej31ho.dll
    C:\WINDOWS\System32\mvxbde40.dll
    C:\WINDOWS\System32\ipxl.exe
    C:\WINDOWS\System32\ntplh.dll
    C:\WINDOWS\System32\kssxe.dll
    C:\WINDOWS\System32\ieda32.exe
    C:\WINDOWS\System32\addqe.exe
    C:\WINDOWS\System32\pippt.dll
    C:\WINDOWS\System32\kjflf.dll
    C:\WINDOWS\System32\p860ij7e8o.dll
     
    Last edited: 2004/12/19
  19. 2004/12/19
    noahdfear
    Yes. :)
     
  20. 2004/12/19
    Cracka
    Here's my new log.

    Logfile of HijackThis v1.99.0
    Scan saved at 6:58:04 PM, on 12/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\HJT\avgserv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\HJT\avgcc32.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Ares\Ares.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\HJT\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\HJT\avgserv.exe
    O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Internet Security Service - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
    O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Spy-Keylogger - Unknown - C:\Trevor\Emu\BasiliskII_win32_20012001\BasiliskII\Setup\CD-ROM drivers\9x\SpyKeyLogger\skls.exe (file missing)
    O23 - Service: Norton Internet Security Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
    O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\atlii.exe (file missing)
     
  21. 2004/12/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Did you run HJT again, (after merging the reg file and using the Killbox to delete those system32 files) and fix these entries with it?

    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    If not, do so and post a new log. If you did, run the Find.bat again and post the log.

    I'm assuming you added this entry to the trusted zone;
    O15 - Trusted IP range: 206.161.125.149

    since it appears to be an ISP... BTN??

    I would recommend you fix this one though:
    O15 - Trusted IP range: (HKLM)

    I also recommend you get rid of either AVG or Norton, since running both can cause conflicts and make either or both completely worthless. (I noticed you need to do the same on your other comp too ;) )

    You should have a folder named !submit in Local Disk C: Please create a zip folder of it and attach to an email at this address.
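The reply above acts on three classes of entries in the posted log: O1 lines where the hosts file sends a hostname to a remote address instead of the real one (three names all pointing at 69.20.16.183), O15 trusted-zone additions, and O23 services whose binary no longer exists. As an added example that is not part of the thread and not HijackThis code, here is a Python triage pass that picks those out of a log. The sample lines are copied from the log in the post above, plus one constructed 127.0.0.1 hosts line to show that loopback (ad-blocking style) entries are not flagged; the "high"/"review" severities are this example's own.

```python
"""Triage pass over a HijackThis (HJT) log.

Added example; not part of the thread and not HijackThis code. It pulls
out the three entry classes the reply above acts on: O1 hosts-file
redirects, O15 trusted-zone additions, and O23 services whose binary is
gone or whose vendor is unknown.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Lines copied from the log in the thread, plus one constructed loopback
# O1 line (ads.example.invalid) to show that sinkhole entries pass.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 ads.example.invalid
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spy-Keylogger - Unknown - C:\Trevor\Emu\BasiliskII_win32_20012001\BasiliskII\Setup\CD-ROM drivers\9x\SpyKeyLogger\skls.exe (file missing)
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\atlii.exe (file missing)
"""


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O1"
    severity: str  # "high" = fix it, "review" = confirm with the user (this example's scale)
    line: str
    reason: str


O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
O15_RE = re.compile(r"^O15 - Trusted (?:IP range|Zone): (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def _is_sinkhole(addr: str) -> bool:
    """127.x / ::1 / 0.0.0.0 entries only block a name; anything else redirects it."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            if not _is_sinkhole(ip):
                findings.append(Finding("O1", "high", line,
                                        f"hosts file sends {host} to {ip} instead of its real address"))
            continue
        m = O15_RE.match(line)
        if m:
            findings.append(Finding("O15", "review", line,
                                    f"{m.group(1)} is in the Trusted zone, which relaxes IE security for it"))
            continue
        m = O23_RE.match(line)
        if m:
            name, vendor, path = m.groups()
            if path.endswith("(file missing)"):
                findings.append(Finding("O23", "high", line,
                                        f"service '{name}' is registered but its binary is gone; remove the orphan registration"))
            elif vendor == "Unknown":
                findings.append(Finding("O23", "review", line,
                                        f"service '{name}' has no recognised vendor"))
    return findings


def redirect_targets(log: str) -> Dict[str, List[str]]:
    """Group flagged O1 entries by destination address.

    Several unrelated hostnames all resolving to one remote IP is the
    signature of a hosts-file search hijack rather than a stray entry.
    """
    targets: Dict[str, List[str]] = {}
    for f in triage(log):
        if f.section == "O1":
            ip, host = O1_RE.match(f.line).groups()
            targets.setdefault(ip, []).append(host)
    return targets


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
    print(redirect_targets(SAMPLE_LOG))
```

The O15 entries are deliberately only "review": as the reply notes, one of them may be a range the user added on purpose, so the analyst has to ask rather than auto-fix. The O1 check keys on where the name is sent, not on the name itself, which is why the loopback line passes while the three 69.20.16.183 lines are grouped together by redirect_targets as one hijack.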
     