OK this is on my uncle's laptop, and he has been having trouble for months now. I have ran AVG anti virus and Ad-aware as well as Spybot search and destroy many times and it seems to clean everything off but yet the same pop ups keep coming back. When I am booted normal and try to remove some of the Hosts 69.x.x.x auto search gets an error for permission denied. Im curious what all the Winsock ones are as well.

Here is the log file

Logfile of HijackThis v1.99.0
Scan saved at 2:01:11 PM, on 12/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNTOLD\System32\smss.exe
C:\WINNTOLD\system32\winlogon.exe
C:\WINNTOLD\system32\services.exe
C:\WINNTOLD\system32\lsass.exe
C:\WINNTOLD\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNTOLD\system32\spoolsv.exe
C:\WINNTOLD\System32\svchost.exe
C:\WINNTOLD\system32\regsvc.exe
C:\WINNTOLD\system32\MSTask.exe
C:\WINNTOLD\System32\WBEM\WinMgmt.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\All Users.WINNTOLD\Start Menu\Programs\Startup\kuyttk.exe
C:\WINNTOLD\system32\wuauclt.exe
C:\WINNTOLD\system32\rundll32.exe
C:\WINNTOLD\system32\installer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: NICSer_WPC11 - Unknown - C:\Program Files\Linksys\Wireless-B Notebook Adapter\NICServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

non of the proccess seem out of place.... but what is cc manager?

non of the proccess seem out of place.... but what is cc manager?

Not sure but when I ran the online virus scan it found 5 things and got rid of all but one of them that said it was in use...

TROJ NARRATOR.A Can not access C:\WINNTOLD\System32\lygool.dll

Anyone know the best way to get rif of at least this trojan? Maybe safe boot?

After running Spybot S&D it found about 15 item's and a few it could not fix because of this message "Date:''C:\WINNTOLD\System32\drivers\etc\hosts" kann nicht erstellt warden. The process cannot access another file because it is being used by another process"..Some of the things it could not remove were CoolWWWsearch.Bootconf and CoolWWWsearch.Svchost32

I then proceeded to run it in safe boot and it did not find but two items and it says it fixed them.

I then downloaded CWShredder and it says it find's and removes these two item's but they keep coming back everytime I rescan and if I uncheck the send to recycle bin and just delete them it says I need to restart CWShredder because it encountered errors.

I am going to post another Hijack this log later.

Ok I went ahead and followed the advice I saw in some previous threads on this subject. Keep in mind I have already ran SB S&D, Adaware SE, Hijackthis, CWShredder, and Webroot spysweeper over 10 times each in the past two weeks yet the same pop up's etc. keep coming back :cry: ... On a sidenote. everytime I restart theres 3 icons that will appear on the desktop ( Online dating, Holiday travel, and free online music)... As well as the same damn IE windows that open up to the same page. Ad-w-a-r-e.com and Inqwire.com etc..

1. I configured Adaware SE for the setting's recommended and performed a full system scan which found 49 critical objects and then I got a message that says "Some objects could not be removed, Try closing all open browser windows prior to the removal. If this does not help reboot and run adaware again. C:\WINNTOLD\system32\irjol5131.dll"

2. I ran SB S&D and it find's (CoolWWWSearch.tapicfg, CWS.Bootconf, CWS.Loadbat, CWS.msconfd, CWS.oslogo, and CWS.xmlmimefilter) as well as Igetnet which these things which seem to keep coming back no matter how many times I run SB S&D, sometimes it gives me a error saying it needs to attempt to repair these things on next reboot because the process is already running and access is denied etc..

3. I rebooted into safe mode and deleted all of the files in all of the temp folders, and emptied the recycle bin. (I made sure I deleted all temp files as I even did a search for *.tmp, and also got the C:\Windows\Temp folder and DocSettings\Thom\Localsetting\temp)

4. Ran Adaware again - (While running IE opened up with some crap advertisment http://inqwire.com/homepage), and an online casino pop up, that was generated from a tmp file that appeared on the screen. Anyway this time it found 95 critical objects!!! more then the last time! (Alot of VX2's, CoolWebSearch's, and Redirects located in the Doc Settings/Favorites folder , along with the 69.20.16.183 host file's which say auto.search.msn.com and ieautosearch.com and search.netscape.com. When I tried to remove all objects this time it says the same thing as last time except it says these files C:\WINNTOLD\system32\ktn4175q1.dll, and C:\WINNTOLD\system32\guard.tmp

As far as it saying where these VX2 files are located it's showing C:\WINNTOLD\system32\(ktn4175q1.dll, iozbbi.dll, viyrrv.exe, iozbbi.dll, and guard.tmp)

5. Ran SB S&D again - CoolWWWsearch.oslogo, CWS.Bootconf, CWS.Loadbat, CWS.Msconfd, CWS.XmImimefiler and CWS.Tapicfg with 1 entry each which are all redirected host's, along with the Igetnet, and common Hijacker, but NOW we have even more entry's such as Network Essentials.WindowsEnhancer( All registry keys) with 13 entry's and Network Essentials.Search-Exe(C:\Program Files\se\v11\se.DLL and se.exe) with 7 entries, and now even Virtual Bouncer( C:\Program Files\VBOUNCER\, and C:\Documents and settings\Thom\Start menu\Programs\Virtual bouncer, aloong with 5 reg keys.) came back with 6 entries. When cleaning it says "some problems couldnt be fixed the reason could be that the associated files are still in use (in memory) this could be fixed after a restart blah blah blah sure" 26 problems fixed... 18 could not be fixed..


6. Ran Hijack this and attempted to fix some things which says it cannot fix (O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll) etc.. because it needs to be done with a program like LSPFix, which I then downloaded and fixed the registry so they seem to be gone from the Hijackthis log now. Also these 4 things seem to come back into the Hijack log every single time no matter what I do

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

Some things I notice that sometimes run's in the task manager is something called drwtsn.exe which I have seen a fatal error message come up one the screen about it before when running Adaware. I will post a new Hijack log soon as I am done running other diagnostics on it. Anyway it's late and it seems the more I try the worse it get's and the more it comes back. Seems like after rebooting in safe mode and getting rid of all the temp files is when it really started to show more things in Spybot and Adaware... Im lost if anyone has any idea what has got to this machine please help.

Before posting another HJT log, try running all your scans while in Safe Mode. Then reboot into Normal Mode, close all browser windows, scan with HJT, and post a new log.

Before posting another HJT log, try running all your scans while in Safe Mode. Then reboot into Normal Mode, close all browser windows, scan with HJT, and post a new log.

Doesn't seem to find much with Spybot S&D Adaware or Hijack this when in safe boot... So I don't know what that can accomplish.. But I will do what you say.

Ok I enabled all services and startup items after running all apps in safe boot. Here is the log... But again let me remind you this log changes everytime I run one of the spyware cleaners.

Logfile of HijackThis v1.99.0
Scan saved at 2:52:25 AM, on 12/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNTOLD\System32\smss.exe
C:\WINNTOLD\system32\winlogon.exe
C:\WINNTOLD\system32\services.exe
C:\WINNTOLD\system32\lsass.exe
C:\WINNTOLD\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNTOLD\system32\spoolsv.exe
C:\WINNTOLD\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNTOLD\system32\rundll32.exe
C:\WINNTOLD\system32\regsvc.exe
C:\WINNTOLD\system32\MSTask.exe
C:\WINNTOLD\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNTOLD\System32\WBEM\WinMgmt.exe
C:\WINNTOLD\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNTOLD\System32\svchost.exe
C:\Documents and Settings\All Users.WINNTOLD\Start Menu\Programs\Startup\kuyttk.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Thom\Desktop\Hijack backup\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [SStb.exe] SStb.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [kalvsys] C:\winntold\system32\kalvgva32.exe
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\CACHEMAN\Cacheman.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNTOLD\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC11 - Unknown - C:\Program Files\Linksys\Wireless-B Notebook Adapter\NICServ.exe
O23 - Service: NICSer_WPC54G - Unknown - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I just noticed when looking at this log that iexplorer.exe is a running process yet there were no browser window's open... I think this problem is deep and I can't find it.

Be sure all browser windows are closed before fixing anything with HJT (I've seen users before that said their log showed it when no windows were open -- not sure what causes this, but just make sure they're all closed). Scan with HJT and have it fix the following entries:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
(More info herehttp://www.liutilities.com/products/wintaskspro/processlibrary/WToolsA/)
O4 - HKLM\..\Run: [SStb.exe] SStb.exe
(More info here http://computercops.biz/startuplist-6561.html)
O4 - HKLM\..\Run: [kalvsys] C:\winntold\system32\kalvgva32.exe
O4 - HKLM\..\Run: [abu] abu.exe

Go to Start, point to Programs, point to Startup, delete kuyttk, if it's there.

Reboot into Safe Mode

Do a search for WToolsA.exe, and delete it, if found
Do a search for SStb.exe, and delete it, if found
Do a search for abu.exe, and delete it, if found
Go to C:\winntold\system32 and delete kalvgva32.exe, if found

Reboot normally, close all browser windows, scan with HJT, and post a new log please.

Some info on Cacheman.exe:
http://startup.iamnotageek.com/srch-Cacheman.exe.html

OK will do that now, while I was browsing around in these forums I sae a thread and decided to create a log file for vxfinder.exe and dllcompare.exe... I really think my registry is infected.

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNTOLD\SYSTEM32\uleg.dll Thu Dec 23 2004 2:32:48p ..S.R 224,283 219.02 K
C:\WINNTOLD\SYSTEM32\sxorprop.dll Thu Dec 23 2004 12:43:24p ..S.R 226,060 220.76 K
C:\WINNTOLD\SYSTEM32\dhsbase.dll Thu Dec 23 2004 1:41:18p ..S.R 222,523 217.30 K
C:\WINNTOLD\SYSTEM32\mwprivs.dll Wed Dec 29 2004 3:54:08a ..S.R 222,920 217.70 K
C:\WINNTOLD\SYSTEM32\kcdda.dll Wed Dec 29 2004 12:49:30a ..S.R 222,920 217.70 K
C:\WINNTOLD\SYSTEM32\q4psle~1.dll Mon Dec 20 2004 11:35:18a ..S.R 224,128 218.88 K
C:\WINNTOLD\SYSTEM32\gpnml3~1.dll Wed Dec 15 2004 7:35:32a ..S.R 223,745 218.50 K
C:\WINNTOLD\SYSTEM32\mrxlegih.dll Mon Dec 20 2004 1:07:18p ..S.R 225,980 220.68 K
C:\WINNTOLD\SYSTEM32\irlsl5~1.dll Wed Dec 15 2004 7:36:10p ..S.R 223,745 218.50 K
C:\WINNTOLD\SYSTEM32\jtjm07~1.dll Wed Dec 22 2004 9:32:06a ..S.R 225,980 220.68 K
C:\WINNTOLD\SYSTEM32\j8j60i~1.dll Mon Dec 20 2004 5:05:10p ..S.R 225,980 220.68 K
C:\WINNTOLD\SYSTEM32\hr8405~1.dll Wed Dec 22 2004 10:07:34a ..S.R 222,450 217.23 K
C:\WINNTOLD\SYSTEM32\ir2sl5~1.dll Thu Dec 23 2004 6:05:54p ..S.R 226,008 220.71 K
C:\WINNTOLD\SYSTEM32\r6r60g~1.dll Tue Dec 28 2004 4:09:02p ..S.R 224,283 219.02 K
C:\WINNTOLD\SYSTEM32\fp2403~1.dll Wed Dec 29 2004 3:54:06a ..S.R 223,343 218.11 K
C:\WINNTOLD\SYSTEM32\j0j6la~1.dll Wed Dec 22 2004 9:41:58a ..S.R 225,980 220.68 K
C:\WINNTOLD\SYSTEM32\ir6ql5~1.dll Tue Dec 28 2004 4:41:16p ..S.R 224,701 219.43 K
C:\WINNTOLD\SYSTEM32\lvpq09~1.dll Tue Dec 28 2004 6:36:14p ..S.R 225,600 220.31 K
C:\WINNTOLD\SYSTEM32\c2000c~1.dll Wed Dec 22 2004 10:29:36a ..S.R 225,982 220.68 K
C:\WINNTOLD\SYSTEM32\k4jsle~1.dll Tue Dec 14 2004 9:36:48p ..S.R 223,745 218.50 K
C:\WINNTOLD\SYSTEM32\l4n4le~1.dll Tue Dec 14 2004 5:31:56p ..S.R 224,826 219.55 K
C:\WINNTOLD\SYSTEM32\fp2m03~1.dll Tue Dec 28 2004 7:22:46p ..S.R 225,035 219.76 K
C:\WINNTOLD\SYSTEM32\jtno07~1.dll Thu Dec 9 2004 8:10:58p ..S.R 223,589 218.35 K
C:\WINNTOLD\SYSTEM32\m0jula~1.dll Fri Dec 17 2004 5:45:14p ..S.R 225,655 220.36 K
C:\WINNTOLD\SYSTEM32\irr8l5~1.dll Wed Dec 15 2004 6:29:18p ..S.R 223,745 218.50 K
C:\WINNTOLD\SYSTEM32\j4p0le~1.dll Wed Dec 15 2004 7:51:26a ..S.R 223,745 218.50 K
C:\WINNTOLD\SYSTEM32\dn6001~1.dll Mon Dec 20 2004 11:04:44a ..S.R 225,414 220.13 K
C:\WINNTOLD\SYSTEM32\jt6m07~1.dll Sat Dec 18 2004 7:42:42p ..S.R 224,295 219.04 K
C:\WINNTOLD\SYSTEM32\p46s0e~1.dll Tue Dec 28 2004 6:49:04p ..S.R 225,676 220.39 K
C:\WINNTOLD\SYSTEM32\k826li~1.dll Mon Dec 20 2004 12:38:14p ..S.R 223,022 217.79 K
C:\WINNTOLD\SYSTEM32\lvr209~1.dll Mon Dec 20 2004 1:07:14p ..S.R 226,279 220.97 K
C:\WINNTOLD\SYSTEM32\en88l1~1.dll Thu Dec 23 2004 8:47:22a ..S.R 225,980 220.68 K
C:\WINNTOLD\SYSTEM32\f6l02g~1.dll Tue Dec 28 2004 7:03:28p ..S.R 223,226 217.99 K
C:\WINNTOLD\SYSTEM32\l4r0le~1.dll Tue Dec 28 2004 7:36:08p ..S.R 226,006 220.71 K
C:\WINNTOLD\SYSTEM32\s2880c~1.dll Wed Dec 29 2004 3:08:44a ..S.R 222,920 217.70 K
________________________________________________

1,889 items found: 1,889 files (35 H/S), 0 directories.
Total of file sizes: 328,177,531 bytes 312.97 M

Administrator Account = True

--------------------End log---------------------

Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---
{DAA3E4A0-5393-4F08-A055-D63C309DCC7B}

Check this new log out after simply changing msconfig back to selective startup with not so many services and startup items.. Even more things appear and most of the stuff in the Hijack log you told me to clean isn't even there anymore w/o a normal boot from msconfig

Logfile of HijackThis v1.99.0
Scan saved at 4:32:52 AM, on 12/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNTOLD\System32\smss.exe
C:\WINNTOLD\system32\winlogon.exe
C:\WINNTOLD\system32\services.exe
C:\WINNTOLD\system32\lsass.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\system32\spoolsv.exe
C:\WINNTOLD\System32\svchost.exe
C:\WINNTOLD\system32\regsvc.exe
C:\WINNTOLD\system32\MSTask.exe
C:\WINNTOLD\System32\WBEM\WinMgmt.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\system32\rundll32.exe
C:\WINNTOLD\Explorer.EXE
C:\WINNTOLD\system32\wuauclt.exe
C:\WINNTOLD\system32\installer.exe
C:\WINNTOLD\system32\viyrrv.exe
C:\Documents and Settings\Thom\Desktop\Hijack backup\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINNTOLD\msconfig.exe /auto
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: NICSer_WPC11 - Unknown - C:\Program Files\Linksys\Wireless-B Notebook Adapter\NICServ.exe

Go to Start, point to Programs, point to Startup, delete kuyttk, if it's there.

Reboot into Safe Mode

Do a search for WToolsA.exe, and delete it, if found
Do a search for SStb.exe, and delete it, if found
Do a search for abu.exe, and delete it, if found
Go to C:\winntold\system32 and delete kalvgva32.exe, if found

When booted into safe mode the only one of these files I could successfully find was SStb.exe ....Did not find any of the other files doing a search or in the winntold\system32 folder.

Did you fix the things I suggested? You'll have to wait for one of the mods to look at the rest because it appears to be beyond my capability (for now...)

Hi. First up we need to get rid of some crap before having a go at VX2.

Download LSPfix from here
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "calsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.

Go to c:\winntold\system32 and delete that file manually. What's with the WINNTold?

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-se...k=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-se...k=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-se...look=stmpl1&fw=

O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H

Reboot and delete the C:\Program Files\se<----folder. May have to boot into safe mode if it will not go.

Post back another log when done.

Do you have the killbox? If not, download it here=
http://www.downloads.subratam.org/KillBox.exe

Hi. First up we need to get rid of some crap before having a go at VX2.

Download LSPfix from here
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "calsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.

I have already fixed those files with LSPfix numerous times and they keep coming back


I have checked and removed these same things over and over and over along with the se.exe as well as removing it in safe mode and it keeps coming back as well...

Post back another log when done.

Do you have the killbox? If not, download it here=
http://www.downloads.subratam.org/KillBox.exe

Yes I recently downloaded killbox, but am having trouble trying to find the files that need to be killed. Because everything seems to disappear and reappear when it wants.


PS... This is getting frustrating.. trust me I have been on here all day reading through all the posts in this forum trying to find something but nothing is working.

Here's a new log.. But at this point it means the same exact thing to me, because as soon as I run SB S&D or Adaware everything will be back and when I run Hijack this it will have tons of things in there again.


Logfile of HijackThis v1.99.0
Scan saved at 5:25:32 AM, on 12/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNTOLD\System32\smss.exe
C:\WINNTOLD\system32\winlogon.exe
C:\WINNTOLD\system32\services.exe
C:\WINNTOLD\system32\lsass.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\system32\spoolsv.exe
C:\WINNTOLD\System32\svchost.exe
C:\WINNTOLD\system32\regsvc.exe
C:\WINNTOLD\system32\MSTask.exe
C:\WINNTOLD\System32\WBEM\WinMgmt.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\system32\rundll32.exe
C:\WINNTOLD\Explorer.EXE
C:\WINNTOLD\system32\viyrrv.exe
C:\WINNTOLD\system32\wuauclt.exe
C:\Documents and Settings\Thom\Desktop\Hijack backup\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINNTOLD\msconfig.exe /auto
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: NICSer_WPC11 - Unknown - C:\Program Files\Linksys\Wireless-B Notebook Adapter\NICServ.exe


Viyrrv.exe worry's me and I tried to kill it with killbot.exe in safeboot and it was not able to remove it. I know even though it seems like this log is pretty clean I still keep getting the same pop ups over and over as well as the same 3 icons on my desktop everytime the computer is rebooted. Also I notice that I keep deleting that SE folder along with a few others from my program files folder but it keeps reappearing.

Thanks for the help so far guys you are great.. I just need some powerfull suggestions now.

It is important that you only follow the instructions given. If not, all the infected files will morph and we will be back at the start point again.

Apart from that one file, the log looks ok. Now, please post a log from VX2Finder, dllcompare and Find_it. Do not reboot!

Go here and download FindIt.zip to your Desktop, unzip it and open the FindIt folder and doubleclick on find.bat. Let it run (please be patient, it will take a few minutes) and when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.

It is important that you only follow the instructions given. If not, all the infected files will morph and we will be back at the start point again.

Apart from that one file, the log looks ok. Now, please post a log from VX2Finder, dllcompare and Find_it. Do not reboot!

Go here and download FindIt.zip to your Desktop, unzip it and open the FindIt folder and doubleclick on find.bat. Let it run (please be patient, it will take a few minutes) and when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.

Working on it now, sorry for the delay I had to get some sleep I was up for 24 hours straight.

Working on it now, sorry for the delay I had to get some sleep I was up for 24 hours straight.

When I am running find.bat it never seems to generate a log file...

Nevers seems to finish.... I dont know whats wrong.

While running it a IE window opens with a Active X error and loads some page, and also I saw a "winlogon.exe has generated errors and will be closed by windows" error box. (which I have seen this message before)

Can I run these apps in safe mode and save the log files? Or is that pointless?

After running find it for about 30 min after disconnecting internet connection it says "The system cannot find the path specified"

I went ahead and Downloaded Trojan remover from simplyup.com, and it found something called C:\WINNTOLD\system32\lzpwwl.exe and it says win reg attempts to load this on boot, and it says its Adaware.Qoolaid. Also while running it I got the winlogon.exe has to be restarted again error message and the computer automatically rebooted.....

I went ahead and opened killbot and deleted that file which seemed to have been successfull, but I am worried that if its in the registry its going to come back on reboot..

It comes back, and I even went into the registry and deleted the key in which it says it resided in.

Everytime I run adaware it comes up with a VX2 which it says is located in C:\WINNTOLD\system32\guard.tmp, I have tried to remove this numerous times with killbot and it does not work. It found 200+ critical items this time about half reg keys and values. Other VX2 things that came up in Adaware said its in C:\WINNTOLD\system32\iozbbi.dll, guard.tmp, viyrv.dll, ktn4175q1.dll etc...


I then ran SB S&D again and its finding the same exact CWS.Bootconf.Oslogo,Loadbat, tapicfg, etc.... which are all redirected hosts for auto.search.msn.com=69.20.16.183

You are infected with the latest VX2 variant, which is extremely nasty and persitent. As crunchie already mentioned- do not do anything that we don't suggest, and do what we do suggest exactly, and in the exact order given! As you've already found out, the infected files will both morph and multiply if you don't follow instructions to the letter.

Do not try to keep throwing Ad Aware and SpyBot at this problem; they are not capable of fixing this particular infection and will only magnify the problem.

As crunchie asked before: why is your %systemroot% directory named "C:\WINNTOLD"?! That is not the normal name of the root system directory for any version of Windows. Can you give us any elightening info on that?

You are infected with the latest VX2 variant, which is extremely nasty and persitent. As crunchie already mentioned- do not do anything that we don't suggest, and do what we do suggest exactly, and in the exact order given! As you've already found out, the infected files will both morph and multiply if you don't follow instructions to the letter.

Do not try to keep throwing Ad Aware and SpyBot at this problem; they are not capable of fixing this particular infection and will only magnify the problem.

As crunchie asked before: why is your %systemroot% directory named "C:\WINNTOLD"?! That is not the normal name of the root system directory for any version of Windows. Can you give us any elightening info on that?

I think it's WINNTOLD because windows 2000 professional was reinstalled overtop the previous OS? It's my uncles computer so I am not sure.... So do you know what the best way to tackle this is? When I tried to run Findit, it never creates a log for me.

So I tried to follow the previous instructions but indeed it failed as everything else has.... When running find it, it never finished so no log to post. Should I just post the VX2 and DLL log?

Can you reboot first, then post a VX2Finder log, a dllcompare log and open the registry editor and go to:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify and export that key to your desktop. Call it notify.reg
Right click on it and then edit. Copy and paste the results here.

Do you have the latest version of killbox? If not go here;

http://www.downloads.subratam.org/KillBox.exe

Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.

Can you reboot first, then post a VX2Finder log, a dllcompare log and open the registry editor and go to:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify and export that key to your desktop. Call it notify.reg
Right click on it and then edit. Copy and paste the results here.

Do you have the latest version of killbox? If not go here;

http://www.downloads.subratam.org/KillBox.exe

Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.

Ok I am working on it, computer rebooted itself two times in the process of trying to do this because of winlogon.exe needing to restart.... Almost have all the logs saved and ready to post. Yes I believe I have the most recent version of killbox.exe

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.