Posted by Mike on April 28, 2005, 11:23 am
Please help.
Dell D800 notebook infested with malware and spyware
W2K Pro, SP4, ran Ad-Aware 6 and Ad-Aware SE, Spybot w/ latest files, McAfee
w/ current .dat, clean.exe, rkfiles, remv3.
rkfiles log
C:\Documents and Settings\lisa\Desktop\rkfiles
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES,
THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING.
IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINNT\SYSTEM32\AUNPS2.dll: UPX!
C:\WINNT\SYSTEM32\c41bUs.dll: UPX!
C:\WINNT\SYSTEM32\nroao.dll: UPX!
C:\WINNT\SYSTEM32\pyeteip.dll: UPX!
C:\WINNT\SYSTEM32\rzavap.exe: UPX!
C:\WINNT\SYSTEM32\thin-94-1-x-x.exe: UPX!
C:\WINNT\SYSTEM32\winup2date.dll: UPX!
C:\WINNT\SYSTEM32\wmconfig.cpl: UPX!
C:\WINNT\SYSTEM32\eliteyrs32.exe: FSG!
Files Found in all users startup Folder............
------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\daun.exe: UPX!
Files Found in all users windows Folder............
------------------------
Finished
bye
remv3 log.txt
Files Found.................
----------------------------------------
Files Not deleted.................
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted.. Please note that this might
also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 7CB0-D14C
Directory of C:\WINNT\SYSTEM32
msi.dll
bad1.txt was empty.
***********************************************************************
Logfile of HijackThis v1.99.1
Scan saved at 10:35:23 PM, on 04/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\lisa\Local Settings\Temp\HijackThis.exe

Hijackthis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: DLMaxObj Class - - C:\WINNT\dlmax.dll
O2 - BHO: Band Class - - C:\WINNT\systb.dll
O2 - BHO: Yahoo! Companion BHO - - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: PBHelper - - C:\Program Files\Oemji\Toolbar\PopupBlocker\PBHelper.dll
O2 - BHO: Google Toolbar Helper - - c:\program files\google\googletoolbar1.dll
O2 - BHO: OemjiSearchPlus - - C:\Program Files\Oemji\OemjiSearchPlus\OemjiPls.dll
O2 - BHO: (no name) - - (no file)
O3 - Toolbar: Yahoo! Toolbar - - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O3 - Toolbar: Oemji - - C:\Program Files\Oemji\Toolbar\OemjiSrc.dll
O3 - Toolbar: &Google - - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Documents and Settings\vhabaldixonl\Desktop\AirPlusCFG.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [bju3w2ep] C:\Program Files\bju3w2ep\bju3w2ep.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [92691a269588] C:\WINNT\system32\atl28733.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINNT\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [ussX3nX] dmotemon.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\eliteyel32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rzavap.exe
O4 - HKLM\..\Run: [ksvobjr] c:\winnt\system32\ksvobjr.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [fB37Rhb3j] dmdstaller.exe
O4 - HKCU\..\Run: [oipdoc] C:\WINNT\system32\oipdoc.exe
O4 - Global Startup: D-Link AirPlus Xtreme G DWL-G650 Adapter Utility.lnk = C:\Program Files\D-Link AirPlus Xtreme G DWL-G650\AirPlus.exe
O4 - Global Startup: daun.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - - C:\Program Files\AIM\aim.exe
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/gam...ts/y/dtt1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/gam...nts/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/gam...ts/y/pote_x.cab
O16 - DPF: (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...467&clcid=0x409
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINNT\System32\basfipm.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
I had deleted some files manually before posting my original message to this
forum. Getting errors - error loading c:\winnt\cfgmg5, etc.
Mike
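The rkfiles section of the post tags each system32 file with the packer marker it found (UPX!, FSG!), and its own banner warns that legitimately packed files show up the same way. As an added illustration, not part of Mike's post or of the rkfiles tool, the Python script below performs that kind of packer-marker triage on a constructed sample image: it reads the PE section table and the header area for UPX/FSG markers. The 4 KiB marker window and the UPX section-name check are this example's assumptions, not rkfiles' actual method.

```python
# Added example for this thread (not rkfiles' code): flag PE files by UPX/FSG packer markers.
import os
import struct

SCAN_EXTENSIONS = (".exe", ".dll", ".cpl")  # the file types rkfiles listed above
HEADER_WINDOW = 4096  # assumption: packer markers sit in the first 4 KiB

def pe_section_names(data):
    """Return the PE section names, or [] if the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # first IMAGE_SECTION_HEADER (40 bytes each)
    names = [data[table + 40 * i:table + 40 * i + 8] for i in range(nsec)]
    return [n.rstrip(b"\0").decode("latin-1") for n in names if len(n) == 8]

def packer_tag(data):
    """'UPX!' or 'FSG!' when a packer marker is present, else None (packed != malicious)."""
    names = pe_section_names(data)
    head = data[:HEADER_WINDOW]
    if b"UPX!" in head or any(n.startswith("UPX") for n in names):
        return "UPX!"
    return "FSG!" if b"FSG!" in head else None

def scan_folder(folder):
    """rkfiles-style report lines '<path>: <tag>' for each flagged file in a folder."""
    hits = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if name.lower().endswith(SCAN_EXTENSIONS) and os.path.isfile(path):
            with open(path, "rb") as fh:
                tag = packer_tag(fh.read(HEADER_WINDOW))
            if tag:
                hits.append(f"{path}: {tag}")
    return hits

def build_sample_pe(sections, marker=b""):
    """Constructed minimal PE image (not a real program) for exercising the scanner."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    table = b"".join(s.encode().ljust(8, b"\0") + b"\0" * 32 for s in sections)
    return dos + b"PE\0\0" + coff + b"\0" * 0xE0 + table + marker + b"\0" * 64
```

Run `scan_folder` against a copy of a suspect folder rather than the live system32; a hit is a candidate for closer inspection (signature, publisher, hash lookup), not a verdict.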
Posted by Mike on April 28, 2005, 11:25 am
Is this the correct newsgroup for my post?
Mike