Another 69.20.16.183 problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by keokuk, Jan 7, 2005.

  1. keokuk

    keokuk Private E-2

    Re: That old (new) 69.20.16.183

    I've been battling this same thing for 2 days now. Ugh. I read through PhilliePhan's last post, seeing if I could adapt it to my situation, but it's way above me. So in the hope you can help me as well, I'll go ahead and attach my find-it and hijack logs.
    TIA!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: That old (new) 69.20.16.183

    You need to post in your own thread. I'm moving you from:

    http://forums.majorgeeks.com/showthread.php?t=51523

    to your own thread.
     
  3. keokuk

    keokuk Private E-2

    Re: That old (new) 69.20.16.183

    OK -- sorry for any poor forum etiquette
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: That old (new) 69.20.16.183

    Using the other thread's instructions as a model, the file list you need to delete with Killbox is:

    Directory of C:\WINNT\System32\
    01/07/2005 03:28p 224,431 fpl0033me.dll
    01/07/2005 03:05p 224,431 l0n4la5q1d.dll
    01/07/2005 02:50p 224,431 c800lidm180a.dll
    01/07/2005 02:45p 224,431 irrol5931.dll
    01/07/2005 12:20p 224,605 mv4ql9h51.dll
    01/05/2005 01:55p 225,151 ozslb400.dll
    01/05/2005 12:56p 222,781 r0p8la7u1d.dll
    01/05/2005 11:49a 223,907 f62mlgf1162.dll
    01/04/2005 05:09p 224,297 ir8sl5l71.dll
    01/04/2005 04:26p 224,834 jtlq0735e.dll
    01/04/2005 03:47p 225,286 lv8u09l9e.dll
    01/04/2005 03:24p 224,297 isetcplc.dll
    01/04/2005 03:24p 226,061 p46slej71ho.dll
    01/04/2005 09:48a 224,279 fp4u03h9e.dll
    01/07/2005 03:59p 224,431 guard.tmp <---- after this one you reboot and post a new find.bat log.
     
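    The triage chaslang did by eye above (a run of randomly named DLLs of near-identical size, all dropped within a few days) can be automated over a find.bat listing. This is example code added here, not part of the thread or any MajorGeeks tool; the sample listing is constructed from the file names quoted in the post plus two hypothetical benign entries.

```python
"""Heuristic triage of a find.bat 'Directory of' listing (added example)."""
import re
from datetime import datetime

# Constructed sample: the files from the post above plus two hypothetical
# benign entries (oldlib.dll: similar size but years old; bigutil.dll: different size).
SAMPLE_LISTING = """\
Directory of C:\\WINNT\\System32\\
01/07/2005 03:28p 224,431 fpl0033me.dll
01/07/2005 03:05p 224,431 l0n4la5q1d.dll
01/07/2005 02:50p 224,431 c800lidm180a.dll
01/07/2005 02:45p 224,431 irrol5931.dll
01/07/2005 12:20p 224,605 mv4ql9h51.dll
01/05/2005 01:55p 225,151 ozslb400.dll
01/05/2005 12:56p 222,781 r0p8la7u1d.dll
01/05/2005 11:49a 223,907 f62mlgf1162.dll
01/04/2005 05:09p 224,297 ir8sl5l71.dll
01/04/2005 04:26p 224,834 jtlq0735e.dll
01/04/2005 03:47p 225,286 lv8u09l9e.dll
01/04/2005 03:24p 224,297 isetcplc.dll
01/04/2005 03:24p 226,061 p46slej71ho.dll
01/04/2005 09:48a 224,279 fp4u03h9e.dll
01/07/2005 03:59p 224,431 guard.tmp
06/12/2002 10:00a 224,000 oldlib.dll
06/12/2002 10:00a 1,234,567 bigutil.dll
"""

# Matches lines like: 01/07/2005 03:28p 224,431 fpl0033me.dll
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})([ap])\s+([\d,]+)\s+(\S+)")

def parse_listing(text):
    """Return (timestamp, size_bytes, name) tuples; header/blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            date, clock, ampm, size, name = m.groups()
            ts = datetime.strptime(f"{date} {clock}{ampm}m", "%m/%d/%Y %I:%M%p")
            entries.append((ts, int(size.replace(",", "")), name))
    return entries

def find_suspicious(entries, size_tol=0.02, min_members=3, recent_days=7):
    """Chain files whose sizes differ by <= size_tol into clusters, then report
    members of large clusters written within recent_days of the cluster's newest file."""
    by_size = sorted(entries, key=lambda e: e[1])
    clusters, current = [], by_size[:1]
    for prev, cur in zip(by_size, by_size[1:]):
        if cur[1] - prev[1] <= size_tol * prev[1]:
            current.append(cur)
        else:
            clusters.append(current)
            current = [cur]
    clusters.append(current)
    flagged = []
    for cluster in clusters:
        if len(cluster) < min_members:
            continue
        newest = max(e[0] for e in cluster)
        flagged += [e for e in cluster if (newest - e[0]).days <= recent_days]
    return sorted(flagged)
```

Output is a shortlist for a human to review, not a deletion list: legitimate DLLs can share a size range, which is why the age check is there.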
  5. keokuk

    keokuk Private E-2

    Done - here's the new file.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in the c:\winnt\system32 folder (using Windows Explorer). Do you see the guard.tmp file?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If guard.tmp is gone, do the below:

    Run Pocket KillBox and Copy and Paste the Following into the box: C:\RECYCLER\Desktop.ini - Click Red X to delete it using Standard File Kill.

    Now run VX2Finder and Click on the "Find Vx2.Betterinternet" button.

    Then click on these buttons in the right pane unless they are "greyed" out:

    - UserAgent$ Button to remove the UserAgent from the registry
    - Guardian.reg
    - Restore Policy

    Exit and reboot.

    Using START > RUN > regedit, please open the registry editor and navigate to the following:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellCompatibility

    Backup this key by clicking File, Export and then enter a File name and save it somewhere you can find it (if needed). Do the Export before doing the following:
    Right-click on the above registry key (the ShellCompatibility one - make sure the bottom of the regedit window shows the full reg key as shown above) and select DELETE.

    NEXT: Run find.bat (Generic Detection Tool) and attach that Log and a fresh HJT Log
     
  8. keokuk

    keokuk Private E-2

    Done. I also removed those nasty addresses from my hosts file -- figured it can't hurt anyway.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It could have! Always follow steps exactly. If you had removed those HJT lines and we had not gotten all the other hidden files deleted, you would be starting all over again. Now I will need you to reboot and tell me if any of the problems came back. I think we were far enough along where you should be okay.

    Remember exit browsers before using HJT. This is a browser:

    C:\Program Files\Mozilla Firefox\firefox.exe

    So exit all browsers and have HJT fix these two lines:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm


    I assume in the below lines that affinitytech.com is something you recognize? And what about the two IP addresses (65.106.1.196, 65.106.7.196)?
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = affinitytech.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2B8C092D-0AFC-4D3C-A4EC-163BBD59E4AF}: Domain = affinitytech.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2B8C092D-0AFC-4D3C-A4EC-163BBD59E4AF}: NameServer = 65.106.1.196,65.106.7.196
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = affinitytech.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = affinitytech.com

    Here is some info on those IP addresses. Do you recognize this?
    dns1-access.svc.us.xo.net = [ 65.106.1.196 ] and [ 65.106.7.196 ]
    Registrant:
    XO Communications Inc XO56-DOM
    1400 Parkmoor Avenue
    San Jose CA 95126-3429
    US
    Domain Name: XO.NET
    Administrative Contact:
    XO Communications Inc. noc@ENG.XO.COM
    1400 PARKMOOR AVE
    SAN JOSE CA 95126-3429
    US
    408-817-2800 fax: 408-817-2630
    Technical Contact:
    Concentric Network Corporation hostmaster@CONCENTRIC.NET
     
    Last edited: Jan 8, 2005
  10. keokuk

    keokuk Private E-2

    Seems OK (so far...). Affinitytech.com is my domain, and the 65.106.x.196 addresses are (external) DNS servers.

    Thank you so much for your help. This was a really nasty problem, that I never would have been able to fix otherwise. Major Geeks is awesome! Thanks again.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
