
Logfile of HijackThis. Infected with BlackWorm & other


79 replies to this topic

#31 devotion (Authentic Member, 43 posts)
Posted 11 March 2006 - 08:26 AM

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\dkrpsetu.dll Sat Mar 11 2006 8:11:36a ..S.R 233,739 228.26 K
C:\WINNT\SYSTEM32\g6lm0g~1.dll Sat Mar 11 2006 8:11:34a ..S.R 233,875 228.39 K
________________________________________________

1,043 items found: 1,043 files (2 H/S), 0 directories.
Total of file sizes: 189,986,876 bytes 181.18 M

Administrator Account = True

--------------------End log---------------------


Logfile of HijackThis v1.99.1
Scan saved at 8:16:35 AM, on 3/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Jones\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay10...31ab5efb4c305c1
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: URL - C:\WINNT\system32\gpjsl3171.dll (file missing)
O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\system32\ssim.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



#32 LDTate (Grand Poobah, Root Admin, 57,211 posts)
Posted 11 March 2006 - 08:39 AM

Repeat the same process for these.

C:\WINNT\SYSTEM32\dkrpsetu.dll
C:\WINNT\SYSTEM32\g6lm0g~1.dll
C:\WINNT\system32\gpjsl3171.dll
C:\WINNT\system32\ssim.dll


You could do this also:
Open C:\WINNT\system32
Click View by Type and look for all .dll files that will be this size: 233,739 (228 K). They should also have the same dates. Delete only the ones that match the size and date.

Or we can continue doing what we have been.

Edited by LDTate, 11 March 2006 - 08:44 AM.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

Proud graduate of TC/WTT Classroom

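An added triage helper, written for this edit and not a tool from the thread or from the forum's staff, that parses the DLLCompare file lines and HijackThis O20 lines posted above and applies the size/date matching described in post #32 plus a name match between the two logs. The attribute-column layout (A?SHR) and the 8.3 short-name matching are assumptions made by this example.

```python
"""Triage helper for the DLLCompare and HijackThis logs posted in this thread.

Constructed example, not a tool from the thread. It applies two rules of thumb
from the advice above: hidden System+Read-only DLLs sharing a size and a date
are treated as one family, and a Winlogon Notify DLL is suspect when it is
"(file missing)" or matches a hidden file by name, allowing for DLLCompare's
8.3 short names (g6lm0g~1.dll) against the long names HijackThis prints.
"""
import re
from collections import defaultdict
from datetime import datetime

# DLLCompare entry, e.g.
#   C:\WINNT\SYSTEM32\g6lm0g~1.dll Sat Mar 11 2006 8:11:34a ..S.R 233,875 228.39 K
DLLCOMPARE_RE = re.compile(
    r"^(?P<path>.+?)\s+\w{3} (?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<year>\d{4}) "
    r"\d{1,2}:\d{2}:\d{2}[ap]\s+(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d,]+)\s+[\d.]+ [KMG]$"
)
# HijackThis O20 entry, e.g.
#   O20 - Winlogon Notify: URL - C:\WINNT\system32\gpjsl3171.dll (file missing)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_dllcompare(text):
    """One dict per file line; header, rule and total lines are skipped.

    The 5-character attribute field is read as A?SHR (archive, unknown, system,
    hidden, read-only). That is inferred from the strings the logs show
    ('..S.R', '..SHR', 'A..H.'), not from tool documentation.
    """
    entries = []
    for line in text.splitlines():
        m = DLLCOMPARE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['mon']} {m['day']} {m['year']}", "%b %d %Y")
        entries.append({
            "name": basename(m["path"]),
            "date": when.strftime("%Y-%m-%d"),
            "size": int(m["size"].replace(",", "")),
            "system": m["attrs"][2] == "S",
            "readonly": m["attrs"][4] == "R",
        })
    return entries

def parse_hjt_o20(text):
    """Winlogon Notify (O20) entries from a HijackThis log."""
    found = []
    for line in text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            found.append({"key": m["key"], "name": basename(m["path"]),
                          "missing": m["missing"] is not None})
    return found

def name_matches(long_name, hidden_name):
    """True if an HJT long name is the file DLLCompare listed, 8.3 names allowed."""
    if long_name == hidden_name:
        return True
    long_stem, _, long_ext = long_name.rpartition(".")
    hid_stem, _, hid_ext = hidden_name.rpartition(".")
    if "~" not in hid_stem or long_ext != hid_ext:
        return False
    prefix = hid_stem.split("~", 1)[0]  # 'g6lm0g~1' -> 'g6lm0g'
    return len(long_stem) > 8 and long_stem.startswith(prefix)

def triage(dllcompare_text, hjt_text):
    """Correlate the two logs: size/date clusters plus suspect O20 entries."""
    hidden = [e for e in parse_dllcompare(dllcompare_text)
              if e["system"] and e["readonly"] and e["name"].endswith(".dll")]
    clusters = defaultdict(list)
    for e in hidden:
        clusters[(e["size"], e["date"])].append(e["name"])
    suspects = []
    for n in parse_hjt_o20(hjt_text):
        if n["missing"]:
            suspects.append((n["key"], n["name"], "file missing on disk"))
            continue
        for e in hidden:
            if name_matches(n["name"], e["name"]):
                suspects.append((n["key"], n["name"], f"hidden as {e['name']}"))
                break
    return {"clusters": dict(clusters), "suspect_notify": suspects}

# Sample input copied from the logs in post #33 of this thread (not a live scan).
SAMPLE_DLLCOMPARE = """\
C:\\WINNT\\SYSTEM32\\g6lm0g~1.dll Sat Mar 11 2006 8:11:34a ..S.R 233,875 228.39 K
C:\\WINNT\\SYSTEM32\\j62q0g~1.dll Sat Mar 11 2006 8:47:38a ..S.R 233,739 228.26 K
C:\\WINNT\\SYSTEM32\\mcxmlr.dll Sat Mar 11 2006 8:51:04a ..S.R 233,875 228.39 K
"""
SAMPLE_HJT = """\
O20 - Winlogon Notify: MCD - C:\\WINNT\\system32\\g6lm0g31e6.dll
O20 - Winlogon Notify: URL - C:\\WINNT\\system32\\gpjsl3171.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\\WINNT\\SYSTEM32\\WRLogonNTF.dll
"""
```

Running `triage(SAMPLE_DLLCOMPARE, SAMPLE_HJT)` flags the MCD and URL notify entries and leaves the Webroot WRNotifier entry alone, which is the same split the helper made by hand in post #34.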

#33 devotion (Authentic Member, 43 posts)
Posted 11 March 2006 - 09:43 AM

Ok, where to start???

On the last run KillBox would not take but 3 files... so I did those & restarted. On restart I had the error message RUNDLL: an exception occurred while trying to run C:\WINNT\System32\mexmlr.dll, DllGetversion.

Then Active Desktop Recovery pops up; I selected turn off because the other option was to restore - I did not want to "restore" anything without asking.

Back to the 4th file: I tried to run KillBox with just that one file - it will not take it... if I paste it in myself it wants to do the Pending option you said not to do earlier (yes to reboot, no to... Pending), but it wanted to perform this function so I exited the program.

Went to WINNT\System32 to look for dll files; the #s are not 233,739... but I cannot locate the gpjs...dll file.

Logs follow. Please advise; I will regroup and try to start over. Thanks.

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\g6lm0g~1.dll Sat Mar 11 2006 8:11:34a ..S.R 233,875 228.39 K
C:\WINNT\SYSTEM32\j62q0g~1.dll Sat Mar 11 2006 8:47:38a ..S.R 233,739 228.26 K
C:\WINNT\SYSTEM32\mcxmlr.dll Sat Mar 11 2006 8:51:04a ..S.R 233,875 228.39 K
________________________________________________

1,043 items found: 1,043 files (3 H/S), 0 directories.
Total of file sizes: 189,987,012 bytes 181.18 M

Administrator Account = True

--------------------End log---------------------


Logfile of HijackThis v1.99.1
Scan saved at 9:23:51 AM, on 3/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Jones\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay10...31ab5efb4c305c1
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: MCD - C:\WINNT\system32\g6lm0g31e6.dll
O20 - Winlogon Notify: URL - C:\WINNT\system32\gpjsl3171.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#34 LDTate (Grand Poobah, Root Admin, 57,211 posts)
Posted 11 March 2006 - 09:49 AM

Sorry it's taking so long to kill these.


Click Start
Then Click Run
Type in Services.msc Then Click OK!
Now Scroll Down that Page and look for this entry:

RpcSssvc

When found click on the entry and highlight it.

Now on the left hand side click on the STOP

Next, open HijackThis
Click on: Config
Click on: Misc Tools
Click on: Delete an NT Service
In the prompt: Delete an NT Service copy/paste: RpcSssvc
Press: Enter
Press: OK



Run Hijack This again and put a check by these.

O20 - Winlogon Notify: MCD - C:\WINNT\system32\g6lm0g31e6.dll
O20 - Winlogon Notify: URL - C:\WINNT\system32\gpjsl3171.dll (file missing)
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe


Close ALL windows and browsers except HijackThis and click "Fix checked"


Use killbox on these:

C:\WINNT\SYSTEM32\g6lm0g~1.dll
C:\WINNT\SYSTEM32\j62q0g~1.dll
C:\WINNT\SYSTEM32\mcxmlr.dll



Empty Recycle Bin

Reboot and "copy/paste" a new log file into this thread.
Also please do another DLL compare scan.



#35 devotion (Authentic Member, 43 posts)
Posted 11 March 2006 - 10:03 AM

The time does not matter here on this end; I don't want to take too much of yours. Sorry I have gone stupid on you at the end. There is no RpcSssvc listed, only: Fax Service RPC Internet Connection Sharing RPC Locator IPSEC Policy Agent RPC Service Remote Access Auto Connection Manager Remote Access Auto Connection Manager. Which one?

#36 LDTate (Grand Poobah, Root Admin, 57,211 posts)
Posted 11 March 2006 - 10:07 AM

If RpcSssvc isn't listed, just move on and do the rest of the fix.



#37 devotion (Authentic Member, 43 posts)
Posted 11 March 2006 - 10:50 AM

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\gplol3~1.dll Sat Mar 11 2006 8:53:04a ..S.R 233,875 228.39 K
C:\WINNT\SYSTEM32\j8p0li~1.dll Sat Mar 11 2006 10:25:38a ..S.R 234,953 229.45 K
C:\WINNT\SYSTEM32\uzerenv.dll Sat Mar 11 2006 10:25:40a ..S.R 233,875 228.39 K
________________________________________________

1,043 items found: 1,043 files (3 H/S), 0 directories.
Total of file sizes: 189,988,226 bytes 181.18 M

Administrator Account = True

--------------------End log---------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:40:30 AM, on 3/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Jones\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay10...31ab5efb4c305c1
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: RunOnce - C:\WINNT\system32\gplol3331.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#38 LDTate (Grand Poobah, Root Admin, 57,211 posts)
Posted 11 March 2006 - 10:52 AM

Let's try something new :thumbup:
  • Download FindIt NT-2K-XP.
  • Unzip the contents of FindIt NT-2K-XP.zip to a convenient location.
  • Navigate to the FindIt NT-2K-XP directory.
  • Double-click on FindNarrator.bat and wait for it to run.
  • It should open a Notepad window with the FindVX2 log.
  • Post the contents of FindNarrator.txt into your next post.



#39 devotion (Authentic Member, 43 posts)
Posted 11 March 2006 - 11:16 AM

---------------- FindNarrator NT-2K-XP ----------------
Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****
Microsoft Windows 2000 Professional 5.0 Service Pack 4 (Build 2195)

********* Date/Time ********
Saturday, March 11, 2006 (3/11/2006) 10:50 AM, Central Standard Time

*********** Path ***********
FindNarrator.bat is running from: C:\Documents and Settings\Jones\Desktop\FindIt NT-2K-XP\FindIt NT-2K-XP

---------------- Strings.exe Qoologic Results ----------------

---------------- Strings.exe Aspack Results ----------------

---------------- Active Setup Installed Components ----------------

---------------- Context Menu Handlers ----------------
REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip]
@="{E0D79300-84BE-11CE-9641-444553540000}"

---------------- Run Key ----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

---------------- FindNarrator NT-2K-XP ----------------


---------------- FindVX2 NT-2K-XP ----------------
Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing.

***** Operating System *****
Microsoft Windows 2000 Professional 5.0 Service Pack 4 (Build 2195)

********* Date/Time ********
Saturday, March 11, 2006 (3/11/2006) 11:06 AM, Central Standard Time

*********** Path ***********
FindVX2.bat is running from: C:\Documents and Settings\Jones\Desktop\FindIt NT-2K-XP\FindIt NT-2K-XP

------- System Files in System32 Directory -------
 Volume in drive C has no label.
 Volume Serial Number is 186D-9AB1

 Directory of C:\WINNT\System32

03/11/2006  11:06a      <DIR>          ..
03/11/2006  11:06a      <DIR>          .
03/11/2006  10:25a             233,875 UZERENV.DLL
03/11/2006  10:25a             234,953 j8p0li7m18.dll
03/11/2006  08:53a             233,875 gplol3331.dll
03/09/2006  09:14p               8,775 .exe
02/23/2006  10:03a              71,580 lsserv.exe
02/17/2006  07:11a             171,520 lserv.exe
02/04/2006  05:01p      <DIR>          Lavan
01/14/2006  06:19p      <DIR>          dllcache
               6 File(s)        954,578 bytes
               4 Dir(s)   8,184,866,304 bytes free

------- Hidden Files in System32 Directory -------
 Volume in drive C has no label.
 Volume Serial Number is 186D-9AB1

 Directory of C:\WINNT\System32

03/11/2006  11:06a      <DIR>          ..
03/11/2006  11:06a      <DIR>          .
03/09/2006  09:14p               8,775 .exe
02/23/2006  10:03a              71,580 lsserv.exe
02/17/2006  07:11a             171,520 lserv.exe
02/12/2006  02:58p             197,632 mhwwouo.exe
02/04/2006  05:01p      <DIR>          Lavan
01/14/2006  06:19p      <DIR>          dllcache
07/22/2004  12:14a      <DIR>          GroupPolicy
07/21/2004  11:59p                 271 desktop.ini
07/21/2004  11:59p              21,692 folder.htt
06/19/2003  01:05p             197,632 spoolsvc.exe
               7 File(s)        669,102 bytes
               5 Dir(s)   8,184,864,256 bytes free

--------------- Files Named "Guard" --------------
 Volume in drive C has no label.
 Volume Serial Number is 186D-9AB1

 Directory of C:\WINNT\System32

-------- Temp Files in System32 Directory --------
 Volume in drive C has no label.
 Volume Serial Number is 186D-9AB1

 Directory of C:\WINNT\System32

[230 *.tmp entries omitted]
             230 File(s)      4,833,496 bytes
               0 Dir(s)   8,184,846,848 bytes free

------------------- User Agent -------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{45B5A98C-115C-CB49-15FD-F7FAFBEB1572}"=""

--------------- Keys Under Notify ----------------
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\gplol3331.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

------------ Shell Extensions Approved -----------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{A7B10217-897B-4C21-9558-C59F4CD71664}"=""
"{C8E7E460-060A-403A-A447-3F051D010518}"=""
"{259B12F3-BC61-473A-B964-CB8266816CC7}"=""
"{B1ED9866-5642-4556-BCE0-1A76E244D5B5}"=""
"{28A41ED3-1360-4CB7-9AEF-AB81FF06DF29}"=""

--------------- Locate.com Results ---------------
C:\WINNT\SYSTEM32\
exe~1 Thu Mar 9 2006 9:14:36p A.SH. 8,775 8.57 K
gplol3~1.dll Sat Mar 11 2006 8:53:04a ..S.R 233,875 228.39 K
j8p0li~1.dll Sat Mar 11 2006 10:25:38a ..S.R 234,953 229.45 K
lserv.exe Fri Feb 17 2006 7:11:26a ..SHR 171,520 167.50 K
lsserv.exe Thu Feb 23 2006 10:03:08a ..SHR 71,580 69.90 K
mhwwouo.exe Sun Feb 12 2006 2:58:56p A..H. 197,632 193.00 K
uzerenv.dll Sat Mar 11 2006 10:25:40a ..S.R 233,875 228.39 K

7 items found: 7 files, 0 directories.
Total of file sizes: 1,152,210 bytes 1.10 M

---------------- FindVX2 NT-2K-XP ----------------

#40 devotion (Authentic Member, 43 posts)
Posted 11 March 2006 - 11:24 AM

Things are changing on my desktop... the internet icon is now a page with windows logo on it. What am I doing wrong?



#41 LDTate (Grand Poobah, Root Admin, 57,211 posts)
Posted 11 March 2006 - 11:36 AM

Start Killbox and click on Tools->Delete Temp Files.
Then select the option labeled Delete on reboot.

Do not close killbox, and open notepad, by clicking on Start, then Run, and typing notepad.exe and pressing the OK button.


When notepad is open, copy and paste the following bolded text into the notepad screen. You do this by highlighting each of the below bolded filenames and then pressing Control-C on your keyboard. Then click on the open notepad windows and press Control-V to paste the contents into the notepad.

C:\WINNT\System32\UZERENV.DLL
C:\WINNT\System32\8,775 .exe
C:\WINNT\System32\j8p0li7m18.dll
C:\WINNT\System32\gplol3331.dll
C:\WINNT\System32\lsserv.exe
C:\WINNT\System32\lserv.exe
C:\WINNT\System32\mhwwouo.exe
C:\WINNT\System32\*.tmp


Return to Killbox, go to the File menu and select Paste from Clipboard.


Still in Killbox, click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click No at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually



#42 devotion (Authentic Member, 43 posts)
Posted 11 March 2006 - 12:00 PM

Logfile of HijackThis v1.99.1
Scan saved at 11:50:57 AM, on 3/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jones\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by107fd.bay10...31ab5efb4c305c1
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: Explorer - C:\WINNT\system32\j8p0li7m18.dll (file missing)
O20 - Winlogon Notify: ICM - C:\WINNT\system32\guard.tmp
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Procedure Call (RPC) Service (RpcSssvc) - Unknown owner - C:\WINNT\system32\RpcSs.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\wzpcd.dll Sat Mar 11 2006 11:40:14a ..S.R 233,875 228.39 K
________________________________________________

1,041 items found: 1,041 files (1 H/S), 0 directories.
Total of file sizes: 189,519,398 bytes 180.74 M

Administrator Account = True

--------------------End log---------------------

#43 LDTate (Grand Poobah, Root Admin, 57,211 posts)
Posted 11 March 2006 - 12:06 PM

Believe it or not, it's looking better.


Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

sc stop RpcSssvc
sc delete RpcSssvc
del delete.bat


Save the file as "delete.bat" to your desktop. Make sure to save it with the quotes.
Double click on it.

If you receive any errors, just continue the fix.

Start Killbox and click on Tools->Delete Temp Files.
Then select the option labeled Delete on reboot.

Do not close killbox, and open notepad, by clicking on Start, then Run, and typing notepad.exe and pressing the OK button.


When notepad is open, copy and paste the following bolded text into the notepad screen. You do this by highlighting each of the below bolded filenames and then pressing Control-C on your keyboard. Then click on the open notepad windows and press Control-V to paste the contents into the notepad.

C:\WINNT\SYSTEM32\wzpcd.dll
C:\WINNT\system32\j8p0li7m18.dll
C:\WINNT\system32\guard.tmp

Return to Killbox, go to the File menu and select Paste from Clipboard.


Still in Killbox, click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click No at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually



#44 devotion (Authentic Member, 43 posts)
Posted 11 March 2006 - 12:31 PM

Ok, with the first instructions RE: Killbox it did the same as always; however, when I press X to delete and reboot, a box pops up: PendingFileRenameOperationsRegistryData has been removed by external Process! If I "X" the box and try again to delete and reboot, it pops up again. If I "X" OK, it starts the countdown and returns to the starting point. Long story short, Killbox will not delete and reboot, as it has all day ??

#45 LDTate (Grand Poobah, Root Admin, 57,211 posts)
Posted 11 March 2006 - 12:33 PM

That's ok. Reboot and run the DLL compare and post a new HJT log.
