|
WE HAVE MOVED. Please see our NEW Computer Forums |
11-8-2009: Sorry for the inconvenience. We finally upgraded to vBulletin 3 !! See you there, Larry Malware/Spyware InfestationGo to the Tech-Forums Discussion Home PagePosted by: mike1 Dell D800 notebook infested with malware and spyware W2K Pro,sp4,(all latest patches) ran ad-aware 6 and ad-aware se, mcafee w/ cuurrent .dat, clean.exe, rkfiles, remv3. Please Help. rkfiles log C:\Documents and Settings\lisa\Desktop\rkfiles PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. Files Found in system Folder............ ------------------------ C:\WINNT\SYSTEM32\AUNPS2.dll: UPX! C:\WINNT\SYSTEM32\c41bUs.dll: UPX! C:\WINNT\SYSTEM32\nroao.dll: UPX! C:\WINNT\SYSTEM32\pyeteip.dll: UPX! C:\WINNT\SYSTEM32\rzavap.exe: UPX! C:\WINNT\SYSTEM32\thin-94-1-x-x.exe: UPX! C:\WINNT\SYSTEM32\winup2date.dll: UPX! C:\WINNT\SYSTEM32\wmconfig.cpl: UPX! C:\WINNT\SYSTEM32\eliteyrs32.exe: FSG! Files Found in all users startup Folder............ ------------------------ C:\Documents and Settings\All Users\Start Menu\Programs\Startup\daun.exe: UPX! Files Found in all users windows Folder............ ------------------------ Finished bye remv3 log.txt Files Found................. ---------------------------------------- Files Not deleted................. ---------------------------------------- Merging registry entries ----------------------------------------------------------------- The Registry Entries Found... ----------------------------------------------------------------- Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting ----------------------------------------------------------------- Volume in drive C has no label. Volume Serial Number is 7CB0-D14C Directory of C:\WINNT\SYSTEM32 msi.dll bad1.txt was empty. ************************************************** ********************* Logfile of HijackThis v1.99.1 Scan saved at 10:35:23 PM, on 04/27/2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\PROGRA~1\WINZIP\winzip32.exe C:\Documents and Settings\lisa\Local Settings\Temp\HijackThis.exe Hijackthis log: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://government.dellnet.com/[/url] R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://websearch.drsnsrch.com/sidesearch.cgi?id=[/url] R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://websearch.drsnsrch.com/sidesearch.cgi?id=[/url] R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.yahoo.com/[/url] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://websearch.drsnsrch.com/sidesearch.cgi?id=[/url] R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://websearch.drsnsrch.com/sidesearch.cgi?id=[/url] R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [url]http://websearch.drsnsrch.com/sidesearch.cgi?id=[/url] R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = [url]http://websearch.drsnsrch.com/sidesearch.cgi?id=[/url] R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q= R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINNT\dlmax.dll O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll O2 - BHO: PBHelper - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Oemji\Toolbar\PopupBlocker\PBHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: OemjiSearchPlus - {D240DC29-C093-4388-B71F-A7103C796B0C} - C:\Program Files\Oemji\OemjiSearchPlus\OemjiPls.dll O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll O3 - Toolbar: Oemji - {804DB5C7-31E6-4885-850A-F1941B58A4C7} - C:\Program Files\Oemji\Toolbar\OemjiSrc.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file) O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Documents and Settings\vhabaldixonl\Desktop\AirPlusCFG.exe O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16 O4 - HKLM\..\Run: [bju3w2ep] C:\Program Files\bju3w2ep\bju3w2ep.exe O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [bascstray] BascsTray.exe O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [92691a269588] C:\WINNT\system32\atl28733.exe O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINNT\cfgmgr51.dll,DllRun O4 - HKLM\..\Run: [ussX3nX] dmotemon.exe O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\eliteyel32.exe O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rzavap.exe O4 - HKLM\..\Run: [ksvobjr] c:\winnt\system32\ksvobjr.exe O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun O4 - HKCU\..\Run: [Internat.exe] internat.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [fB37Rhb3j] dmdstaller.exe O4 - HKCU\..\Run: [oipdoc] C:\WINNT\system32\oipdoc.exe O4 - Global Startup: D-Link AirPlus Xtreme G DWL-G650 Adapter Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G DWL-G650\AirPlus.exe O4 - Global Startup: daun.exe O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O16 - DPF: Yahoo! Dots - [url]http://download.games.yahoo.com/games/clients/y/dtt1_x.cab[/url] O16 - DPF: Yahoo! Go Fish - [url]http://download.games.yahoo.com/games/clients/y/zt3_x.cab[/url] O16 - DPF: Yahoo! Pool 2 - [url]http://download.games.yahoo.com/games/clients/y/pote_x.cab[/url] O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [url]http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409[/url] O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINNT\System32\basfipm.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe I had deleted some files manually before posting my original message to this forum. Getting errors - error loading c:\winnt\cfgmg5, etc. Mike Posted by: mike1 also ran spy bot with updated files. Mike Posted by: Warez Monster Remove entries at your own risk R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://websearch.drsnsrch.com/sidesearch.cgi?id=[/url] This entry should be fixed by HijackThis! R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://websearch.drsnsrch.com/sidesearch.cgi?id=[/url] This entry should be fixed by HijackThis! R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://websearch.drsnsrch.com/sidesearch.cgi?id=[/url] This entry should be fixed by HijackThis! R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://websearch.drsnsrch.com/sidesearch.cgi?id=[/url] This entry should be fixed by HijackThis! R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = This entry should be fixed by HijackThis! [url]http://websearch.drsnsrch.com/sidesearch.cgi?id=[/url] This entry should be fixed by HijackThis! R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = [url]http://websearch.drsnsrch.com/sidesearch.cgi?id=[/url] This entry should be fixed by HijackThis! R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q= This entry should be fixed by HijackThis! O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll Entries found in this registry zone are potentially nasty. This application ([01F44A8A-8C97-4325-A378-76E68DC4AB2E] - Result: 01F44A8A-8C97-4325-A378-76E68DC4AB2E) has been checked Must be fixed! O2 - BHO: OemjiSearchPlus - {D240DC29-C093-4388-B71F-A7103C796B0C} - C:\Program Files\Oemji\OemjiSearchPlus\OemjiPls.dll Entries found in this registry zone are potentially nasty. This application ([D240DC29-C093-4388-B71F-A7103C796B0C] - Result: D240DC29-C093-4388-B71F-A7103C796B0C) has been checked Must be fixed! O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file) Entries found in this registry zone are potentially nasty. This application ([ED103D9F-3070-4580-AB1E-E5C179C1AE41] - Result: ED103D9F-3070-4580-AB1E-E5C179C1AE41) has been checked Must be fixed! Unnecessary (deactivated) entry that can be fixed. O3 - Toolbar: Oemji - {804DB5C7-31E6-4885-850A-F1941B58A4C7} - C:\Program Files\Oemji\Toolbar\OemjiSrc.dll Should be fixed. Posted by: mike1 Thanks, but I've alreadly cleaned it. Posted by: Warez Monster OK, well thanks. Please Visit the Online Configurator, Email Hosting, Internet Marketing , Computer Schools , Software for Real Estate , AAOutlook , Search Engine Site |