
Malware Removal Instructions

I think I have a whole lot of problems: aurora nail, etc.


Post by suebaby41 » July 23rd, 2005, 11:12 am

It is good that it asked if you wanted to send it to the Recycle Bin. We are getting there slowly but surely. LDTate said that it sometimes takes several runs of Find.bat before we get all the files.

Ok. Now, please run Find It NT-2K-XP again.

Navigate to the Find It NT-2K-XP folder and double-click on find.bat.

A command prompt will open and it will search your computer for malicious files.
Once it has finished a Notepad window will pop up with output.txt.
Copy the entire contents of output.txt into your next post, and please include another HijackThis log.

Try not to reboot after doing this, until I get back to you.
Thanks
suebaby41
MRU Master
Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Post by Scotters » July 23rd, 2005, 1:31 pm

Ok, here is the FindIt log followed by the HJT log.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Scott Evers\Desktop\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32

07/23/2005 11:49 AM 417,792 vna256.dll
07/23/2005 02:24 AM 417,792 guard.tmp
07/22/2005 07:01 PM 417,792 ddtrans.dll
07/21/2005 06:31 PM 417,792 rzched20.dll
07/11/2005 07:53 PM <DIR> DLLCACHE
03/24/2003 09:05 PM <DIR> Microsoft
4 File(s) 1,671,168 bytes
2 Dir(s) 14,792,593,408 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32

07/11/2005 07:53 PM <DIR> DLLCACHE
07/11/2005 07:33 PM 488 logonui.exe.manifest
07/11/2005 07:33 PM 488 WindowsLogon.manifest
07/11/2005 07:33 PM 749 nwc.cpl.manifest
07/11/2005 07:33 PM 749 ncpa.cpl.manifest
07/11/2005 07:33 PM 749 cdplayer.exe.manifest
07/11/2005 07:33 PM 749 sapi.cpl.manifest
07/11/2005 07:33 PM 749 wuaucpl.cpl.manifest
09/18/2004 07:36 PM 10,849 PROSetp.GID
8 File(s) 15,570 bytes
1 Dir(s) 14,792,589,312 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32

07/23/2005 02:24 AM 417,792 guard.tmp
1 File(s) 417,792 bytes
0 Dir(s) 14,792,589,312 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32

07/23/2005 02:24 AM 417,792 guard.tmp
1 File(s) 417,792 bytes
0 Dir(s) 14,792,589,312 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{6D877A11-8627-5B74-8914-7FEDA6C3DF90}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\rzched20.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
ddtrans.dll Fri Jul 22 2005 7:01:56p ..S.R 417,792 408.00 K
guard.tmp Sat Jul 23 2005 2:25:00a ..S.R 417,792 408.00 K
logonu~1.man Mon Jul 11 2005 7:34:00p A..HR 488 0.48 K
ncpacp~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
nwccpl~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
rzched20.dll Thu Jul 21 2005 6:31:24p ..S.R 417,792 408.00 K
sapicp~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
vna256.dll Sat Jul 23 2005 11:49:44a ..S.R 417,792 408.00 K
window~1.man Mon Jul 11 2005 7:34:00p A..HR 488 0.48 K
wuaucp~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K

11 items found: 11 files, 0 directories.
Total of file sizes: 1,675,889 bytes 1.60 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack)
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.61
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.084
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.083
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.07b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.05b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.02
C:\WINDOWS\SYSTEM32\MRT.exe: ASPACK

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegTweak"="C:\\Program Files\\Rage3DTweak\\RegTwk.exe"
"InstantAccess"="C:\\PROGRA~1\\TEXTBR~1\\Bin\\INSTAN~1.EXE /h"
"EssSpkPhone"="essspk.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe"
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"ATIModeChange"="Ati2mdxx.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00


Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:33:33 PM, on 7/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Comcast\Security Manager\app\Prism.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE
C:\WINDOWS\essspk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\rage3dtweak\gameutil.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = comcast.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://*.r5.attbi.com

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\AUserInit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: Security Manager Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: gameutil.exe.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon ... gctlcm.cab
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/bo ... oardID.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\rzched20.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Scotters
Regular Member
Posts: 32
Joined: July 14th, 2005, 6:06 pm

Post by suebaby41 » July 23rd, 2005, 2:46 pm

Let's repeat this procedure.

If you have not rebooted or shutdown/restarted, proceed as follows:

First, Disconnect from the Internet!!

(Please copy these instructions to NotePad for copy/paste use, since you will be off the Internet.)
____
Next, launch Notepad, and copy/paste all the blue REGEDIT text below into it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{6D877A11-8627-5B74-8914-7FEDA6C3DF90}"=""

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]


Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
____
Now, extract KillBox (downloaded earlier) from the zip file and double-click on KillBox.exe to run it.

In the main screen of Pocket KillBox, go to Tools in the top menu bar, and select: Delete Temp Files.

Back at the main screen of KillBox, select the option: Delete on Reboot

In the Full Path of File to Delete box, copy and paste this entry:

C:\WINDOWS\SYSTEM32\vna256.dll

Press the button with a red circle and a white X.
When asked if you would like to Reboot, select No.

Do the same as above for each of the files that follow, and select No when asked to reboot!

C:\WINDOWS\SYSTEM32\ddtrans.dll

C:\WINDOWS\SYSTEM32\rzched20.dll

C:\RECYCLER\desktop.ini


Finally, in the Full Path of File to Delete, copy and paste the following:

C:\WINDOWS\System32\guard.tmp

Press the button with a red circle and a white X.
When asked to Reboot, select Yes!!
____
Run HijackThis again and put a check by these if they are still there. Close ALL windows and browsers except HijackThis and click "Fix checked".

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\rzched20.dll


Reboot the computer.

____
Since this intruder may alter the Hosts file, run Hoster (downloaded earlier) again to restore the file:

Select: Restore Original Hosts
Click OK and exit Hoster.
____

Run an Ad-Aware SE (downloaded earlier) FULL SCAN.

First, in the main window, look in the bottom right corner and click on Check for updates now, then click Connect and download the latest reference files.

From the main window, click Start, then under Select a scan mode check Perform full system scan.
Next, deselect Search for negligible risk entries.
Now, to scan, just click the Next button.

When the scan is finished, mark everything for removal and get rid of it. (Right-click the window, choose Select all from the drop-down menu, and click Next.)

Also, check the Recycle Bin to see if it works properly. A side effect of VX2 is to sometimes damage the Recycle Bin operation.
Create a blank Notepad file on the Desktop: right-click the Desktop, select New > Text Document.
Right click the text document and delete it.
When a file is deleted, it should ask if you want to send it to Recycle Bin.
Does it ask if you want to send the file to the Recycle Bin, or, does the file just get deleted?
Post back what it does.

When done with all of the above, close all windows and browsers, run HijackThis, Scan, post a new HijackThis log, and a new Find_It log.

If you encounter any problems with the steps above, please describe them.
suebaby41
MRU Master
Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Post by Scotters » July 23rd, 2005, 3:50 pm

I followed all instructions. One slight difference was that when it came time to use HijackThis and fix the three files that you listed, R1 and O4 were not there, but O20 was slightly different. It was O20 - Winlogon Notify: "App Management" instead of "Shell Extensions". I still fixed that file, since the rest of the line was the same as you had listed.

The good news is that when I ran Ad-Aware for the first time there were no bad files! The Recycle Bin works fine, just as before.

The only bad thing I could see was that in the HJT log there is still that O20 rzched20.dll file.

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:36:03 PM, on 7/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Comcast\Security Manager\app\Prism.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE
C:\WINDOWS\essspk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\rage3dtweak\gameutil.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = comcast.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://*.r5.attbi.com

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\AUserInit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: Security Manager Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: gameutil.exe.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon ... gctlcm.cab
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/bo ... oardID.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\rzched20.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



Here is the FindIt log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Scott Evers\Desktop\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32

07/23/2005 02:13 PM 417,792 donaddr.dll
07/23/2005 02:06 PM 417,792 guard.tmp
07/22/2005 07:01 PM 417,792 ddtrans.dll
07/21/2005 06:31 PM 417,792 rzched20.dll
07/11/2005 07:53 PM <DIR> DLLCACHE
03/24/2003 09:05 PM <DIR> Microsoft
4 File(s) 1,671,168 bytes
2 Dir(s) 14,787,497,984 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32

07/11/2005 07:53 PM <DIR> DLLCACHE
07/11/2005 07:33 PM 488 logonui.exe.manifest
07/11/2005 07:33 PM 488 WindowsLogon.manifest
07/11/2005 07:33 PM 749 nwc.cpl.manifest
07/11/2005 07:33 PM 749 ncpa.cpl.manifest
07/11/2005 07:33 PM 749 cdplayer.exe.manifest
07/11/2005 07:33 PM 749 sapi.cpl.manifest
07/11/2005 07:33 PM 749 wuaucpl.cpl.manifest
09/18/2004 07:36 PM 10,849 PROSetp.GID
8 File(s) 15,570 bytes
1 Dir(s) 14,787,493,888 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32

07/23/2005 02:06 PM 417,792 guard.tmp
1 File(s) 417,792 bytes
0 Dir(s) 14,787,493,888 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32

07/23/2005 02:06 PM 417,792 guard.tmp
1 File(s) 417,792 bytes
0 Dir(s) 14,787,493,888 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D5B4ED8D-2E9B-DB5B-C369-7417B57C0351}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Nls]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\rzched20.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
ddtrans.dll Fri Jul 22 2005 7:01:56p ..S.R 417,792 408.00 K
donaddr.dll Sat Jul 23 2005 2:13:34p ..S.R 417,792 408.00 K
guard.tmp Sat Jul 23 2005 2:06:46p ..S.R 417,792 408.00 K
logonu~1.man Mon Jul 11 2005 7:34:00p A..HR 488 0.48 K
ncpacp~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
nwccpl~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
rzched20.dll Thu Jul 21 2005 6:31:24p ..S.R 417,792 408.00 K
sapicp~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
window~1.man Mon Jul 11 2005 7:34:00p A..HR 488 0.48 K
wuaucp~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K

11 items found: 11 files, 0 directories.
Total of file sizes: 1,675,889 bytes 1.60 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack)
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.61
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.084
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.083
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.07b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.05b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.02
C:\WINDOWS\SYSTEM32\MRT.exe: ASPACK

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegTweak"="C:\\Program Files\\Rage3DTweak\\RegTwk.exe"
"InstantAccess"="C:\\PROGRA~1\\TEXTBR~1\\Bin\\INSTAN~1.EXE /h"
"EssSpkPhone"="essspk.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe"
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"ATIModeChange"="Ati2mdxx.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00



Scotters
Regular Member
Posts: 32
Joined: July 14th, 2005, 6:06 pm

Post by suebaby41 » July 23rd, 2005, 5:25 pm

LDTate said that it would take several tries before we can get rid of this. So, let’s do it again.

Stay off the Internet and do not reboot unless instructed to do so. If you reboot, it negates what you have done in KillBox. Repeat this same fix several times. Then post a new FindIt log. Each time, substitute the dll files with the files that show in the FindIt log.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Scott Evers\Desktop\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32

07/23/2005 02:13 PM 417,792 donaddr.dll   (whatever the dll files are named; note that they are the same size)
07/23/2005 02:06 PM 417,792 guard.tmp
07/22/2005 07:01 PM 417,792 ddtrans.dll
07/21/2005 06:31 PM 417,792 rzched20.dll
07/11/2005 07:53 PM <DIR> DLLCACHE
03/24/2003 09:05 PM <DIR> Microsoft
4 File(s) 1,671,168 bytes
2 Dir(s) 14,787,497,984 bytes free


Always include this one:
C:\RECYCLER\desktop.ini
and
this step:
Finally, in the Full Path of File to Delete, copy and paste the following:

C:\WINDOWS\System32\guard.tmp

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Nls]   (make the change to the REGEDIT4 in blue to correspond with whatever this one says in the FindIt log)
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\rzched20.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


When you get down to one or two files, you could try this program.

You may need extra tools to kill off the last 1-2 files.
If you find that you are left with one stubborn file which keeps returning after the KillBox fix, try MoveOnBoot to get rid of it. Note that you can only delete one file at a time, so it is important that your FindIt log is down to one file, or possibly two. It'll be the same-named file which re-appears, plus any new mutations. Use MoveOnBoot to kill off the file with the same name first, then use it to kill off the new one.

Please download MoveOnBoot from HERE
This will allow you to select the file to move or delete and where to move it to and what to rename it.

When you have installed the program, run MoveOnBoot and use the [...] button to choose
C:\WINDOWS\SYSTEM\xxxxxxxxx.DLL then click the Next button.
Choose Delete File and click the Next button.
You will be prompted to complete the procedure, and the machine will reboot.

----------------------------------------------------------------------------------
Do these steps several times.
If you have not rebooted or shutdown/restarted, proceed as follows:

First, Disconnect from the Internet!!

(Please copy these instructions to NotePad for copy/paste use, since you will be off the Internet.)
____
Next, launch Notepad, and copy/paste all the blue REGEDIT text below into it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{6D877A11-8627-5B74-8914-7FEDA6C3DF90}"=""

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Nls]


Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
____
Now, extract KillBox (downloaded earlier) from the zip file and double-click on KillBox.exe to run it.

In the main screen of Pocket KillBox, go to Tools in the top menu bar, and select: Delete Temp Files.

Back at the main screen of KillBox, select the option: Delete on Reboot

In the Full Path of File to Delete box, copy and paste this entry:

C:\WINDOWS\SYSTEM32\rzched20.dll


Press the button with a red circle and a white X.
When asked if you would like to Reboot, select No.

Do the same as above for each of the files that follow, and select No when asked to reboot!

C:\WINDOWS\SYSTEM32\ddtrans.dll

C:\WINDOWS\SYSTEM32\donaddr.dll

C:\RECYCLER\desktop.ini


Finally, in the Full Path of File to Delete, copy and paste the following:

C:\WINDOWS\System32\guard.tmp

Press the button with a red circle and a white X.
When asked to Reboot, select Yes!!
____
Run Hijack This again and put a check by these if they are still there. Close ALL windows and browsers except HijackThis and click "Fix checked"

Reboot the computer.
____
Since this intruder may alter the Hosts file, run Hoster (downloaded earlier) again to restore the file:

Select: Restore Original Hosts
Click OK and exit Hoster.
____

Run an AdAware SE (downloaded earlier) FULL SCAN.

First, in the main window, look in the bottom right corner and click on Check for updates now, then click Connect and download the latest reference files.

From the main window: Click Start, then under Select a scan Mode check Perform full system scan.
Next deselect Search for negligible risk entries.
Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and click Next)

Also, check the Recycle Bin to see if it works properly. A side effect of VX2 is to sometimes damage the Recycle Bin operation.
Create a blank Notepad file on the Desktop: right click the Desktop, select New>Text Document
Right click the text document and delete it.
When a file is deleted, it should ask if you want to send it to Recycle Bin.
Does it ask if you want to send the file to the Recycle Bin, or, does the file just get deleted?
Post back what it does.

When done with all of the above, close all windows and browsers, run HijackThis, Scan, post a new HijackThis log, and a new Find_It log.

O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\rzched20.dll

If you encounter any problems with the steps above, please describe them.
suebaby41
MRU Master
Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Unread postby Scotters » July 24th, 2005, 3:30 pm

Suebaby, I have gone through those steps three times now, and findit still shows three .dll files, including good old rzched20.dll every time. Now you said to not use moveonboot until there were only 2 files, but should I use it now?

My second question is: when I use MoveOnBoot, do I need to follow all of the other steps as well, just like when I use KillBox? For example, after running MoveOnBoot and deleting the .dll file, can I just reboot and then go after the next file, or do I need to then run HijackThis, fix the file, reboot, run Hoster, run AdAware, etc., and then start over with the next file?

Here is the findit file and the hj one again:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Scott Evers\Desktop\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32

07/24/2005 01:55 PM 417,792 mzhtmled.dll
07/24/2005 01:52 PM 417,792 dcmap.dll
07/21/2005 06:31 PM 417,792 rzched20.dll
07/11/2005 07:53 PM <DIR> DLLCACHE
03/24/2003 09:05 PM <DIR> Microsoft
3 File(s) 1,253,376 bytes
2 Dir(s) 14,972,657,664 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32

07/11/2005 07:53 PM <DIR> DLLCACHE
07/11/2005 07:33 PM 488 logonui.exe.manifest
07/11/2005 07:33 PM 488 WindowsLogon.manifest
07/11/2005 07:33 PM 749 nwc.cpl.manifest
07/11/2005 07:33 PM 749 ncpa.cpl.manifest
07/11/2005 07:33 PM 749 cdplayer.exe.manifest
07/11/2005 07:33 PM 749 sapi.cpl.manifest
07/11/2005 07:33 PM 749 wuaucpl.cpl.manifest
09/18/2004 07:36 PM 10,849 PROSetp.GID
8 File(s) 15,570 bytes
1 Dir(s) 14,972,653,568 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32


------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D5B4ED8D-2E9B-DB5B-C369-7417B57C0351}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\rzched20.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
dcmap.dll Sun Jul 24 2005 1:52:46p ..S.R 417,792 408.00 K
logonu~1.man Mon Jul 11 2005 7:34:00p A..HR 488 0.48 K
mzhtmled.dll Sun Jul 24 2005 1:55:06p ..S.R 417,792 408.00 K
ncpacp~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
nwccpl~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
rzched20.dll Thu Jul 21 2005 6:31:24p ..S.R 417,792 408.00 K
sapicp~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
window~1.man Mon Jul 11 2005 7:34:00p A..HR 488 0.48 K
wuaucp~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K

10 items found: 10 files, 0 directories.
Total of file sizes: 1,258,097 bytes 1.20 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack)
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.61
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.084
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.083
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.07b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.05b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.02
C:\WINDOWS\SYSTEM32\MRT.exe: ASPACK

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegTweak"="C:\\Program Files\\Rage3DTweak\\RegTwk.exe"
"InstantAccess"="C:\\PROGRA~1\\TEXTBR~1\\Bin\\INSTAN~1.EXE /h"
"EssSpkPhone"="essspk.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe"
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"ATIModeChange"="Ati2mdxx.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00


Logfile of HijackThis v1.99.1
Scan saved at 2:24:14 PM, on 7/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE
C:\WINDOWS\essspk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\rage3dtweak\gameutil.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = comcast.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://*.r5.attbi.com

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\AUserInit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: Security Manager Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: gameutil.exe.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon ... gctlcm.cab
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/bo ... oardID.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\rzched20.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Scotters
Regular Member
Posts: 32
Joined: July 14th, 2005, 6:06 pm

Unread postby Scotters » July 24th, 2005, 5:18 pm

Ok, just for kicks I ran another findit log and there were only two .dll files. I decided to use moveonboot, and the first file I attempted to delete was rzched20.dll. When I rebooted, the rzched file was still there and the other file had changed names, after I did another findit log. Also, when I went on the internet to post the above message I gained another pacific poker icon, which I deleted. I'm not doing anything else until I hear from you. Here is the findit log after using moveonboot to delete rzched20.dll:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Scott Evers\Desktop\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32

07/24/2005 02:54 PM 417,792 iQsrad.dll
07/24/2005 02:53 PM 417,792 guard.tmp
07/21/2005 06:31 PM 417,792 rzched20.dll
07/11/2005 07:53 PM <DIR> DLLCACHE
03/24/2003 09:05 PM <DIR> Microsoft
3 File(s) 1,253,376 bytes
2 Dir(s) 14,967,779,328 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32

07/11/2005 07:53 PM <DIR> DLLCACHE
07/11/2005 07:33 PM 488 logonui.exe.manifest
07/11/2005 07:33 PM 488 WindowsLogon.manifest
07/11/2005 07:33 PM 749 nwc.cpl.manifest
07/11/2005 07:33 PM 749 ncpa.cpl.manifest
07/11/2005 07:33 PM 749 cdplayer.exe.manifest
07/11/2005 07:33 PM 749 sapi.cpl.manifest
07/11/2005 07:33 PM 749 wuaucpl.cpl.manifest
09/18/2004 07:36 PM 10,849 PROSetp.GID
8 File(s) 15,570 bytes
1 Dir(s) 14,967,775,232 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32

07/24/2005 02:53 PM 417,792 guard.tmp
1 File(s) 417,792 bytes
0 Dir(s) 14,967,775,232 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32

07/24/2005 02:53 PM 417,792 guard.tmp
1 File(s) 417,792 bytes
0 Dir(s) 14,967,775,232 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{6D877A11-8627-5B74-8914-7FEDA6C3DF90}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\rzched20.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
guard.tmp Sun Jul 24 2005 2:53:06p ..S.R 417,792 408.00 K
iqsrad.dll Sun Jul 24 2005 2:54:10p ..S.R 417,792 408.00 K
logonu~1.man Mon Jul 11 2005 7:34:00p A..HR 488 0.48 K
ncpacp~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
nwccpl~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
rzched20.dll Thu Jul 21 2005 6:31:24p ..S.R 417,792 408.00 K
sapicp~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
window~1.man Mon Jul 11 2005 7:34:00p A..HR 488 0.48 K
wuaucp~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K

10 items found: 10 files, 0 directories.
Total of file sizes: 1,258,097 bytes 1.20 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack)
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.61
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.084
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.083
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.07b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.05b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.02
C:\WINDOWS\SYSTEM32\MRT.exe: ASPACK

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegTweak"="C:\\Program Files\\Rage3DTweak\\RegTwk.exe"
"InstantAccess"="C:\\PROGRA~1\\TEXTBR~1\\Bin\\INSTAN~1.EXE /h"
"EssSpkPhone"="essspk.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe"
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"ATIModeChange"="Ati2mdxx.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00



Scotters
Regular Member
Posts: 32
Joined: July 14th, 2005, 6:06 pm

Unread postby suebaby41 » July 24th, 2005, 10:11 pm

Every time you reboot, this infection will change. DO NOT shutdown or REBOOT until instructed to. If you have rebooted since your last post, you'll need to start over with the Findit.bat and post a new HJT log.

If you have not rebooted or shutdown/restarted, proceed as follows:

These instructions need to be performed exactly as posted.

First, Disconnect from the Internet!!
Remove your cable / phone line from the PC.


(Please copy these instructions to NotePad for copy/paste use, since you will be off the Internet.)
____
Next, launch Notepad, and copy/paste all the blue REGEDIT below to it
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{6D877A11-8627-5B74-8914-7FEDA6C3DF90}"=""

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]


Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
____
Now, extract KillBox (downloaded earlier) from the zip file and double-click on KillBox.exe to run it.

In the main screen of Pocket KillBox, go to Tools in the top menu bar, and select: Delete Temp Files.

Back at the main screen of KillBox, select the option: Delete on Reboot

In the Full Path of File to Delete box, copy and paste this entry:

C:\WINDOWS\system32\rzched20.dll


Press the button with a red circle and a white X.
When asked if you would like to Reboot, select No.

Do the same as above for each of the files that follow, and select No when asked to reboot!

C:\WINDOWS\SYSTEM32\iQsrad.dll
C:\RECYCLER\desktop.ini


Finally, in the Full Path of File to Delete, copy and paste the following:

C:\WINDOWS\System32\guard.tmp

Press the button with a red circle and a white X.
When asked to Reboot, select Yes!!
____
Run Hijack This again and put a check by these if they are still there. Close ALL windows and browsers except HijackThis and click "Fix checked"

Reboot the computer.
____
Run Hoster (downloaded earlier) again to restore the file:

Select: Restore Original Hosts
Click OK and exit Hoster.
____

Run an AdAware SE (downloaded earlier) FULL SCAN.

First, in the main window, look in the bottom right corner and click on Check for updates now, then click Connect and download the latest reference files.

From the main window: Click Start, then under Select a scan Mode check Perform full system scan.
Next deselect Search for negligible risk entries.
Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and click Next)

Also, check the Recycle Bin to see if it works properly. A side effect of VX2 is to sometimes damage the Recycle Bin operation.
Create a blank Notepad file on the Desktop: right click the Desktop, select New>Text Document
Right click the text document and delete it.
When a file is deleted, it should ask if you want to send it to Recycle Bin.
Does it ask if you want to send the file to the Recycle Bin, or, does the file just get deleted?
Post back what it does.

When done with all of the above, close all windows and browsers

Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O20 - Winlogon Notify: Explorer - C:\WINDOWS\system32\rzched20.dll

Close ALL windows and browsers except HijackThis and click "Fix checked"

Post a new HijackThis log, and a new Find_It log.
suebaby41
MRU Master
Posts: 2053
Joined: February 8th, 2005, 7:38 pm
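The two fixes above both come down to the same reading of the Find.bat log: find the Winlogon\Notify subkey (renamed on every reboot: Nls, SMDEn, Explorer, CSCSettings) whose DllName points at one of the system-attribute DLLs in System32, note the same-size companion file that also gets renamed, delete the subkey with a fixme.reg and the files with a delete-on-reboot tool. The parser below is an added example (not code from the thread, the Find It tool or KillBox) that automates that reading; the sample log is constructed from the values posted above.

```python
"""Flag Winlogon\\Notify persistence in a Find.bat (FindIt) log.

Added example, not code from the thread or from the Find It tool: it parses the
"Keys Under Notify" and "System Files in System32 Directory" sections, flags a
Notify subkey whose DllName is one of those system-attribute DLLs, lists the
same-size companion files and emits the fixme.reg line that deletes the subkey.
"""
import re
from collections import namedtuple

# Constructed sample: the two relevant sections of the last Find.bat log above.
SAMPLE_LOG = r"""
------- System Files in System32 Directory -------

Directory of C:\WINDOWS\System32

07/24/2005 09:35 PM 417,792 airopdf.dll
07/21/2005 06:31 PM 417,792 rzched20.dll
07/11/2005 07:53 PM <DIR> DLLCACHE
2 File(s) 835,584 bytes

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"DllName"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\rzched20.dll"
"""

SECTION_RE = re.compile(r"^-+\s*(.+?)\s*-+$")            # ------- Name -------
DIR_ENTRY_RE = re.compile(r"^\d\d/\d\d/\d{4}\s+\d\d:\d\d\s+[AP]M\s+([\d,]+)\s+(\S+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")                        # [HKEY_...]
STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')       # "Name"="value"

# One flagged Notify subkey: full key path, DllName, size, same-size companions.
Finding = namedtuple("Finding", "key dll_path size companions")

def split_sections(log):
    """Group stripped log lines under the dashed header that precedes them."""
    sections, current = {}, None
    for line in log.splitlines():
        m = SECTION_RE.match(line.strip())
        if m and m.group(1).strip("- "):
            current = m.group(1).strip("- ")
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def parse_dir_listing(lines):
    """Lower-cased file name -> size in bytes; <DIR> and summary lines are skipped."""
    files = {}
    for line in lines:
        m = DIR_ENTRY_RE.match(line)
        if m:
            files[m.group(2).lower()] = int(m.group(1).replace(",", ""))
    return files

def parse_notify_keys(lines):
    """Registry key path -> its string values, with REG backslash escapes undone."""
    keys, current = {}, None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
        elif current is not None:
            m = STRING_VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def analyze(log):
    """Return a Finding for each Notify subkey whose DllName is a flagged System32 file."""
    sections = split_sections(log)
    sys32 = parse_dir_listing(sections.get("System Files in System32 Directory", []))
    notify = parse_notify_keys(sections.get("Keys Under Notify", []))
    findings = []
    for key, values in notify.items():
        dll = values.get("DllName", "")          # the parent Notify key has an empty one
        name = dll.rsplit("\\", 1)[-1].lower()
        if dll and name in sys32:
            size = sys32[name]
            companions = sorted(n for n, s in sys32.items() if s == size and n != name)
            findings.append(Finding(key, dll, size, companions))
    return findings

def fixme_reg(findings):
    """REGEDIT4 text deleting each flagged subkey, as the thread's fixme.reg does."""
    return "REGEDIT4\n\n" + "".join(f"[-{f.key}]\n" for f in findings)

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f.key}\n  DllName={f.dll_path} size={f.size} same-size companions={f.companions}")
    print(fixme_reg(found))
```

On the constructed sample it reports the CSCSettings subkey, rzched20.dll and its 417,792-byte companion airopdf.dll, and prints the `[-HKEY_LOCAL_MACHINE\...\Notify\CSCSettings]` deletion line; the same code reads the earlier logs in the thread, where the subkey is Nls, SMDEn or Explorer.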

Unread postby Scotters » July 24th, 2005, 11:16 pm

Once again thanks for your help and persistence. I really appreciate it.

Again, I followed directions exactly. I only reboot when I need to according to the directions.

Btw, after I plugged back into the internet so ADAware could check for updates the pacific poker icon appeared again. I deleted it again. I don't know if this is interfering in what we are trying to do or not.

Here are the logs:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Scott Evers\Desktop\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32

07/24/2005 09:35 PM 417,792 airopdf.dll
07/21/2005 06:31 PM 417,792 rzched20.dll
07/11/2005 07:53 PM <DIR> DLLCACHE
03/24/2003 09:05 PM <DIR> Microsoft
2 File(s) 835,584 bytes
2 Dir(s) 14,943,277,056 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32

07/11/2005 07:53 PM <DIR> DLLCACHE
07/11/2005 07:33 PM 488 logonui.exe.manifest
07/11/2005 07:33 PM 488 WindowsLogon.manifest
07/11/2005 07:33 PM 749 nwc.cpl.manifest
07/11/2005 07:33 PM 749 ncpa.cpl.manifest
07/11/2005 07:33 PM 749 cdplayer.exe.manifest
07/11/2005 07:33 PM 749 sapi.cpl.manifest
07/11/2005 07:33 PM 749 wuaucpl.cpl.manifest
09/18/2004 07:36 PM 10,849 PROSetp.GID
8 File(s) 15,570 bytes
1 Dir(s) 14,943,272,960 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32


------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D5B4ED8D-2E9B-DB5B-C369-7417B57C0351}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\rzched20.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
airopdf.dll Sun Jul 24 2005 9:36:00p ..S.R 417,792 408.00 K
cdplay~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
logonu~1.man Mon Jul 11 2005 7:34:00p A..HR 488 0.48 K
ncpacp~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
nwccpl~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
rzched20.dll Thu Jul 21 2005 6:31:24p ..S.R 417,792 408.00 K
sapicp~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
window~1.man Mon Jul 11 2005 7:34:00p A..HR 488 0.48 K
wuaucp~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K

9 items found: 9 files, 0 directories.
Total of file sizes: 840,305 bytes 820.61 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack)
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.61
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.084
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.083
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.07b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.05b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.02
C:\WINDOWS\SYSTEM32\MRT.exe: ASPACK

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegTweak"="C:\\Program Files\\Rage3DTweak\\RegTwk.exe"
"InstantAccess"="C:\\PROGRA~1\\TEXTBR~1\\Bin\\INSTAN~1.EXE /h"
"EssSpkPhone"="essspk.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe"
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"ATIModeChange"="Ati2mdxx.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00


Logfile of HijackThis v1.99.1
Scan saved at 9:57:32 PM, on 7/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Comcast\Security Manager\app\Prism.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE
C:\WINDOWS\essspk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\rage3dtweak\gameutil.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = comcast.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://*.r5.attbi.com

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\AUserInit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: Security Manager Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: gameutil.exe.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon ... gctlcm.cab
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/bo ... oardID.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\rzched20.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Post by Scotters » July 25th, 2005, 1:03 pm

The power went out last night, so of course the computer rebooted. Here is a new findit log and hj log. All I could see was the name of that one .dll file changed again.

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Scott Evers\Desktop\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32

07/25/2005 11:41 AM 417,792 mvtext35.dll
07/21/2005 06:31 PM 417,792 rzched20.dll
07/11/2005 07:53 PM <DIR> DLLCACHE
03/24/2003 09:05 PM <DIR> Microsoft
2 File(s) 835,584 bytes
2 Dir(s) 14,974,025,728 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32

07/11/2005 07:53 PM <DIR> DLLCACHE
07/11/2005 07:33 PM 488 logonui.exe.manifest
07/11/2005 07:33 PM 488 WindowsLogon.manifest
07/11/2005 07:33 PM 749 nwc.cpl.manifest
07/11/2005 07:33 PM 749 ncpa.cpl.manifest
07/11/2005 07:33 PM 749 cdplayer.exe.manifest
07/11/2005 07:33 PM 749 sapi.cpl.manifest
07/11/2005 07:33 PM 749 wuaucpl.cpl.manifest
09/18/2004 07:36 PM 10,849 PROSetp.GID
8 File(s) 15,570 bytes
1 Dir(s) 14,974,021,632 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32


------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{6D877A11-8627-5B74-8914-7FEDA6C3DF90}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\rzched20.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
logonu~1.man Mon Jul 11 2005 7:34:00p A..HR 488 0.48 K
mvtext35.dll Mon Jul 25 2005 11:41:56a ..S.R 417,792 408.00 K
ncpacp~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
nwccpl~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
rzched20.dll Thu Jul 21 2005 6:31:24p ..S.R 417,792 408.00 K
sapicp~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
window~1.man Mon Jul 11 2005 7:34:00p A..HR 488 0.48 K
wuaucp~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K

9 items found: 9 files, 0 directories.
Total of file sizes: 840,305 bytes 820.61 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack)
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.61
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.084
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.083
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.07b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.05b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.02
C:\WINDOWS\SYSTEM32\MRT.exe: ASPACK

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegTweak"="C:\\Program Files\\Rage3DTweak\\RegTwk.exe"
"InstantAccess"="C:\\PROGRA~1\\TEXTBR~1\\Bin\\INSTAN~1.EXE /h"
"EssSpkPhone"="essspk.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe"
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"ATIModeChange"="Ati2mdxx.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00





Logfile of HijackThis v1.99.1
Scan saved at 12:00:18 PM, on 7/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE
C:\WINDOWS\essspk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\rage3dtweak\gameutil.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = comcast.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://*.r5.attbi.com

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\AUserInit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: Security Manager Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: gameutil.exe.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon ... gctlcm.cab
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/bo ... oardID.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\rzched20.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Post by suebaby41 » July 25th, 2005, 1:45 pm

We got rid of another file so we are making progress slowly but surely. Repeat the procedure again by doing the following:

Every time you reboot this infection will change. DO NOT shutdown or REBOOT until instructed to. If you have rebooted since your last post, you'll need to start over with the Findit.bat and post a new HJT log.

If you have not rebooted or shutdown/restarted, proceed as follows:

These instructions need to be performed exactly as posted.

First, Disconnect from the Internet!!
Remove your cable / phone line from the PC.


(Please copy these instructions to NotePad for copy/paste use, since you will be off the Internet.)
____
Next, launch Notepad, and copy/paste all the blue REGEDIT below to it
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{6D877A11-8627-5B74-8914-7FEDA6C3DF90}"=""

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck]


Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
____
Now, extract KillBox (downloaded earlier) from the zip file and double-click on KillBox.exe to run it.

In the main screen of Pocket KillBox, go to Tools in the top menu bar, and select: Delete Temp Files.

Back at the main screen of KillBox, select the option: Delete on Reboot

In the Full Path of File to Delete box, copy and paste this entry:

C:\\WINDOWS\\system32\\rzched20.dll


Press the button with a red circle and a white X.
When asked if you would like to Reboot, select No.

Do the same as above for each of the files that follow, and select No when asked to reboot!

C:\WINDOWS\SYSTEM32\mvtext35.dll

C:\RECYCLER\desktop.ini


Finally, in the Full Path of File to Delete, copy and paste the following:

C:\WINDOWS\System32\guard.tmp

Press the button with a red circle and a white X.
When asked to Reboot, select Yes!!
____
Run Hijack This again and put a check by these if they are still there. Close ALL windows and browsers except HijackThis and click "Fix checked"

O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\rzched20.dll


Reboot the computer.
____
Run Hosterfix (downloaded earlier) again to restore the file:

Select: Restore Original Hosts
Click OK and exit Hoster.
____

Run an AdAware SE (downloaded earlier) FULL SCAN.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From the main window: Click Start, then under Select a scan Mode check Perform full system scan.
Next deselect Search for negligible risk entries.
Now to scan just click the Next button.

When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop-down menu, then click Next.)

Also, check the Recycle Bin to see if it works properly. A side effect of VX2 is to sometimes damage the Recycle Bin operation.
Create a blank Notepad file on the Desktop: right-click the Desktop, select New > Text Document.
Right click the text document and delete it.
When a file is deleted, it should ask if you want to send it to Recycle Bin.
Does it ask if you want to send the file to the Recycle Bin, or, does the file just get deleted?
Post back what it does.

When done with all of the above, close all windows and browsers

Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these: If they exist.

O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\rzched20.dll

Close ALL windows and browsers except HijackThis and click "Fix checked"

Post a new HijackThis log, and a new Find_It log.

Post by Scotters » July 25th, 2005, 4:53 pm

I'm glad we are making progress. I followed all the steps. Btw the last few times adaware had a clean scan.

Here are the logs:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Scott Evers\Desktop\finditnt2000xp\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32

07/25/2005 03:20 PM 417,792 okesvr.dll
07/21/2005 06:31 PM 417,792 rzched20.dll
07/11/2005 07:53 PM <DIR> DLLCACHE
03/24/2003 09:05 PM <DIR> Microsoft
2 File(s) 835,584 bytes
2 Dir(s) 14,935,851,008 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32

07/11/2005 07:53 PM <DIR> DLLCACHE
07/11/2005 07:33 PM 488 logonui.exe.manifest
07/11/2005 07:33 PM 488 WindowsLogon.manifest
07/11/2005 07:33 PM 749 nwc.cpl.manifest
07/11/2005 07:33 PM 749 ncpa.cpl.manifest
07/11/2005 07:33 PM 749 cdplayer.exe.manifest
07/11/2005 07:33 PM 749 sapi.cpl.manifest
07/11/2005 07:33 PM 749 wuaucpl.cpl.manifest
09/18/2004 07:36 PM 10,849 PROSetp.GID
8 File(s) 15,570 bytes
1 Dir(s) 14,935,846,912 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 7CCE-0AD0

Directory of C:\WINDOWS\System32


------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0D7329D6-0752-CEA1-8AA3-9411C5F8B458}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\rzched20.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
logonu~1.man Mon Jul 11 2005 7:34:00p A..HR 488 0.48 K
ncpacp~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
nwccpl~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
okesvr.dll Mon Jul 25 2005 3:20:06p ..S.R 417,792 408.00 K
rzched20.dll Thu Jul 21 2005 6:31:24p ..S.R 417,792 408.00 K
sapicp~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K
window~1.man Mon Jul 11 2005 7:34:00p A..HR 488 0.48 K
wuaucp~1.man Mon Jul 11 2005 7:33:52p A..HR 749 0.73 K

9 items found: 9 files, 0 directories.
Total of file sizes: 840,305 bytes 820.61 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\SYSTEM32\MRT.exe: (ASPack)
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.61
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.084
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.083
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.08.02b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.07b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.05b
C:\WINDOWS\SYSTEM32\MRT.exe: ASPack 1.02
C:\WINDOWS\SYSTEM32\MRT.exe: ASPACK

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegTweak"="C:\\Program Files\\Rage3DTweak\\RegTwk.exe"
"InstantAccess"="C:\\PROGRA~1\\TEXTBR~1\\Bin\\INSTAN~1.EXE /h"
"EssSpkPhone"="essspk.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HP Software Update"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd.exe"
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"ATIModeChange"="Ati2mdxx.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00





Logfile of HijackThis v1.99.1
Scan saved at 3:40:21 PM, on 7/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE
C:\WINDOWS\essspk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\rage3dtweak\gameutil.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = comcast.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = https://*.r5.attbi.com

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\AUserInit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: Security Manager Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Comcast\Security Manager\app\AuthBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: gameutil.exe.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon ... gctlcm.cab
O16 - DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} (BoardCtl Class) - http://www.intel.com/design/motherbd/bo ... oardID.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\rzched20.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\comcast\security manager\app\CurtainsSysSvcNt.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Post by LDTate » July 25th, 2005, 6:08 pm

Hello Scotters,

I see you're online but sue isn't. Important we try this before you reboot.
Let's see if I can help you and suebaby41.


If you have not rebooted or shutdown/restarted, proceed as follows:

First, Disconnect from the Internet!!

(Please copy these instructions to NotePad for copy/paste use, since you will be off the Internet.)
____
Next, launch Notepad, and copy/paste all the blue REGEDIT below to it
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{7573AB4A-C0D1-4BE2-9BE0-54451F6BC572}"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn]


Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
____
Now, extract KillBox (downloaded earlier) from the zip file and double-click on KillBox.exe to run it.

In the main screen of Pocket KillBox, go to Tools in the top menu bar, and select: Delete Temp Files.

Back at the main screen of KillBox, select the option: Delete on Reboot

In the Full Path of File to Delete box, copy and paste this entry:
C:\WINDOWS\SYSTEM32\okesvr.dll
Press the button with a red circle and a white X.
When asked if you would like to Reboot, select No.

Do the same as above for each of the files that follow, and select No when asked to reboot!
C:\\WINDOWS\\system32\\rzched20.dll
C:\RECYCLER\desktop.ini


Finally, in the Full Path of File to Delete, copy and paste the following:
C:\WINDOWS\System32\guard.tmp
Press the button with a red circle and a white X.
When asked to Reboot, select No!!

Exit killbox.

__

Be sure that all windows are closed. Click on START-> RUN. Copy paste the following as it is and click OK.

regsvr32.exe /U C:\WINDOWS\system32\rzched20.dll

You should get a message that it has been uninstalled successfully.


__
Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

Fix these if you didn't add this policy
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\rzched20.dll


Close ALL windows and browsers except HijackThis and click "Fix checked"


Reboot normally.


Then download this program.

http://downloads.subratam.org/DllCompare.exe

Open the program and click the "Run Locate.com" button.
Then click the "Compare" button (this will take a few minutes)
When it finishes click the "Make Log...." button.

Post the DllCompare log to this thread along with a new HijackThis log and a new Find-It log.
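The fixes suebaby41 and LDTate posted above follow the same pattern each time: find the System32 DLL that reappeared under a new name after the reboot, find the new Winlogon\Notify subkey that still loads the same DLL, and write a .reg file that deletes that subkey and the User Agent\Post Platform value. The script below is an added example (not part of this thread and not part of Find It or HijackThis) that automates that comparison between two Find It runs; the two log excerpts are constructed from the logs Scotters posted, trimmed to the sections the script reads.

```python
"""Correlate two Find It NT-2K-XP runs and draft the matching .reg clean-up.

Added example, not the thread's own tool. RUN_A / RUN_B are constructed
excerpts of the two 07/25 logs posted above (names and GUIDs are theirs).
"""
import re

# Constructed excerpt of the 11:41 AM run (mvtext35.dll, Notify\WebCheck).
RUN_A = r"""------- System Files in System32 Directory -------
07/25/2005 11:41 AM 417,792 mvtext35.dll
07/21/2005 06:31 PM 417,792 rzched20.dll
07/11/2005 07:53 PM <DIR> DLLCACHE
------------------ User Agent ----------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{6D877A11-8627-5B74-8914-7FEDA6C3DF90}"=""
------------- Keys Under Notify -------------
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"DllName"=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck]
"DllName"="C:\\WINDOWS\\system32\\rzched20.dll"
"""

# Constructed excerpt of the 3:20 PM run (okesvr.dll, Notify\SMDEn).
RUN_B = r"""------- System Files in System32 Directory -------
07/25/2005 03:20 PM 417,792 okesvr.dll
07/21/2005 06:31 PM 417,792 rzched20.dll
07/11/2005 07:53 PM <DIR> DLLCACHE
------------------ User Agent ----------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0D7329D6-0752-CEA1-8AA3-9411C5F8B458}"=""
------------- Keys Under Notify -------------
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn]
"DllName"="C:\\WINDOWS\\system32\\rzched20.dll"
"""

# "MM/DD/YYYY HH:MM AM 417,792 name.dll" (the <DIR> lines have no size).
DIR_LINE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+([\d,]+)\s+(\S+)$")
NOTIFY_SUBKEY = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Winlogon\\Notify\\[^\]]+)\]$")
DLL_NAME = re.compile(r'^"DllName"="(.+)"$')
POST_PLATFORM = re.compile(r'^"(\{[0-9A-Fa-f-]{36}\})"=""$')
POST_PLATFORM_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                     r"\Internet Settings\User Agent\Post Platform")


def parse_run(text):
    """Return (System32 file -> size, Notify subkey -> DLL, Post Platform GUIDs)."""
    files, notify, guids = {}, {}, []
    section, subkey = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("---"):            # Find It section banner
            section, subkey = line.strip("- "), None
            continue
        if section == "System Files in System32 Directory":
            m = DIR_LINE.match(line)
            if m:
                files[m.group(2).lower()] = int(m.group(1).replace(",", ""))
        elif section == "Keys Under Notify":
            m = NOTIFY_SUBKEY.match(line)
            if m:
                subkey = m.group(1)
            elif line.startswith("["):        # the Notify root key itself
                subkey = None
            else:
                m = DLL_NAME.match(line)
                if m and subkey:              # .reg export doubles backslashes
                    notify[subkey] = m.group(1).replace("\\\\", "\\")
        elif section == "User Agent":
            m = POST_PLATFORM.match(line)
            if m:
                guids.append(m.group(1).upper())
    return files, notify, guids


def correlate(before, after):
    """Pair a vanished DLL with a new one of identical size (a lead, not proof),
    and list Notify subkeys and Post Platform GUIDs that are new in `after`."""
    f1, n1, g1 = parse_run(before)
    f2, n2, g2 = parse_run(after)
    gone = {n: s for n, s in f1.items() if n not in f2}
    new = {n: s for n, s in f2.items() if n not in f1}
    renamed = sorted((old, name, size) for name, size in new.items()
                     for old, old_size in gone.items() if old_size == size)
    return {"renamed": renamed,
            "new_notify_keys": {k: d for k, d in n2.items() if k not in n1},
            "post_platform_guids": [g for g in g2 if g not in g1]}


def removal_reg(report):
    """Draft a REGEDIT4 file: '"name"=-' deletes a value, '[-key]' deletes a key.
    Joined with CRLF, which is what regedit expects."""
    out = ["REGEDIT4", ""]
    if report["post_platform_guids"]:
        out.append(f"[{POST_PLATFORM_KEY}]")
        out += [f'"{g}"=-' for g in report["post_platform_guids"]]
        out.append("")
    for key in sorted(report["new_notify_keys"]):
        out += [f"[-{key}]", ""]
    return "\r\n".join(out)


if __name__ == "__main__":
    rep = correlate(RUN_A, RUN_B)
    for old, name, size in rep["renamed"]:
        print(f"renamed between runs: {old} -> {name} ({size} bytes)")
    for key, dll in rep["new_notify_keys"].items():
        print(f"new Winlogon Notify subkey: {key} -> {dll}")
    print(removal_reg(rep))
```

The size match only nominates a candidate; the DLL named in the new Notify subkey is the entry that actually gets loaded at logon, so that is the one worth confirming before anything is deleted.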

Post by suebaby41 » July 25th, 2005, 6:26 pm

Thank you, LDTate. Scotters and I are having a tough time with this one.

Unread postby suebaby41 » July 25th, 2005, 6:44 pm

LDTate
Does he need to disable the protection programs and leave them disabled until the fix is complete?

This is a very important step. The protection programs have to be disabled or the fix will NOT work.

We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.

  1. Right-click on the Microsoft Anti-Spyware tray icon by your clock (it's the one with the red and yellow bulls-eye).
  2. Click on "Security Agents Status".
  3. Click on "Disable real-time protection".

Next, open Microsoft Anti-Spyware.
  1. Click on the Options menu, then Settings.
  2. Select "Real Time Protection" from the left column.
  3. Uncheck "Enable (MSAS) Security Agents" and "Enable real-time spyware threat protection".
  4. Click the Save button.

Finally, right-click on the MSAS tray icon, select "Shutdown Microsoft Antispyware", and click "Yes" in the dialog that comes up.

After all of the fixes are complete it is very important that you enable Real-time Protection again.

Please disable Spyware Doctor to prevent it from interfering with the fixes that we are going to be doing. Take particular care to be certain OnGuard real-time blocking is disabled.

Please disable SpySweeper, as it may prevent the removal of some entries. You can enable it after you're clean.
To disable SpySweeper:
Open it, click Options over to the left, then Program Options, and uncheck "Load at Windows startup".
Over to the left, click Shields and uncheck everything there.
Uncheck "Home page shield".
Uncheck "Automatically restore default without notification".
suebaby41
MRU Master
Posts: 2053
Joined: February 8th, 2005, 7:38 pm