Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Newgenlook.info


  • Please log in to reply
10 replies to this topic

#1 populicidal

populicidal

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:50 PM

Posted 10 May 2005 - 06:52 PM

I'm having trouble with the newgenlook.info trojan spyware...thing. It spawns a bunch of links I don't want on my desktop. And it also randomly loads a website in my browser window. Not to mention the red x thing in my tray.

And of course that's my Hijack thing.


Logfile of HijackThis v1.99.1
Scan saved at 6:50:20 PM, on 5/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Administrator\Desktop\Neo\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tkeag.dll/sp.html#21044
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [sysos32.exe] C:\WINDOWS\sysos32.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\crer32.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

BC AdBot (Login to Remove)

 


m

#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:50 PM

Posted 10 May 2005 - 11:07 PM

Download cwshredder 2.12 from here:

http://cwshredder.net/bin/CWShredder.exe

Run the file after it is downloaded and click on the fix button. Let it do its thing and when its done, even if it crashes.

When its done run hijackthis again post a new log

#3 populicidal

populicidal
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:50 PM

Posted 11 May 2005 - 04:29 PM

CWS didn't find anything. But it did change two of my IE startpages.




Logfile of HijackThis v1.99.1
Scan saved at 4:27:06 PM, on 5/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Administrator\Desktop\Neo\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [sysos32.exe] C:\WINDOWS\sysos32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\crer32.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:50 PM

Posted 11 May 2005 - 04:38 PM

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM\..\Run: [sysos32.exe] C:\WINDOWS\sysos32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\crer32.exe (file missing)

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\sysos32.exe
C:\WINDOWS\system32\crer32.exe

Reboot your computer to go back to normal mode.

Please download and install the program Registry Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under programs portion of the Start Menu.

Once it is opened, copy and paste the below line, into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

And press enter. You will now be presented with new information in the bottom right and left sections and on the right section.

Right click on 11F#`I and delete it.

Reboot and post a last log.

#5 populicidal

populicidal
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:50 PM

Posted 11 May 2005 - 05:13 PM

Yeah um..I don't think anything I just did helped. Thos two files didn't exist, but while looking for them I saw the icons of the links on my desktop in the WINDOW folder.




Logfile of HijackThis v1.99.1
Scan saved at 5:10:08 PM, on 5/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\Neo\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 populicidal

populicidal
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:50 PM

Posted 12 May 2005 - 03:56 PM

Yeah uh...Still not working.

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:50 PM

Posted 12 May 2005 - 04:05 PM

Reboot into safe mode.

Fix this line:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/


Reboot and post a new log

#8 populicidal

populicidal
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:50 PM

Posted 12 May 2005 - 04:53 PM

That one darn thing just won't fix. And it even tried to open the webpage in safe mode. And the red circle x thing was there in safe mode.. It's starting to look hopeless.




Logfile of HijackThis v1.99.1
Scan saved at 4:50:45 PM, on 5/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Documents and Settings\Administrator\Desktop\Neo\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:50 PM

Posted 12 May 2005 - 09:51 PM

Download http://www.bleepingcomputer.com/files/grinler/pfind-new.zip


Extract pfind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\pfind and double-click on pfind.bat. When it is done, reboot and post the contents of c:\pfind.txt as a reply to this topic.

#10 populicidal

populicidal
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:50 PM

Posted 13 May 2005 - 04:26 PM

Well, there it is. And btw, thanks for your help.





Files found with this application may be legitimate.
Only remove files that you know are malware related.


Checking the C: folder

C:\ml00!.exe: FSG!


Checking the C:\Program Files folder



Checking the C:\WINDOWS folder

C:\WINDOWS\ca4rlo.sys: PEC2
C:\WINDOWS\ca4rlo.sys: PECompact2
C:\WINDOWS\IFinst25.exe: UPX!
C:\WINDOWS\IFinst27.exe: UPX!


Checking the C:\WINDOWS\SYSTEM32 folder

C:\WINDOWS\SYSTEM32\amp3dj.ocx: UPX!
C:\WINDOWS\SYSTEM32\ca4rlo.sys: PEC2
C:\WINDOWS\SYSTEM32\ca4rlo.sys: PECompact2
C:\WINDOWS\SYSTEM32\x99a5c.exe: PEC2
C:\WINDOWS\SYSTEM32\x99a5c.exe: PECompact2


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder

C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: error finding UPX! header
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: =FSG!u$h
C:\WINDOWS\SYSTEM32\Drivers\avg7core.sys: UPX!


Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\All Users\Application Data folder




Checking the C:\Documents and Settings\Administrator\Start Menu\programs\Startup\ folder



Checking the C:\Documents and Settings\Administrator\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days


C:\WINDOWS\
bootstat.dat Fri May 13 2005 4:11:28p A.S.. 2,048 2.00 K
ca4rlo.sys Thu Mar 31 2005 2:13:38a ..SHR 333,216 325.41 K
window~1.man Fri Mar 25 2005 9:52:08p A..HR 749 0.73 K

C:\WINDOWS\DOWNLO~1\
desktop.ini Fri Mar 25 2005 9:52:14p ...H. 65 0.06 K

C:\WINDOWS\FONTS\
desktop.ini Fri Mar 25 2005 9:52:52p A.SH. 67 0.06 K

C:\WINDOWS\INF\
oem24.inf Sat Apr 2 2005 1:03:44a ...H. 0 0.00 K

C:\WINDOWS\OFFLIN~1\
desktop.ini Fri Mar 25 2005 9:52:14p ...H. 65 0.06 K

C:\WINDOWS\REPAIR\
ntuser.dat Fri Mar 25 2005 9:53:22p A..H. 233,472 228.00 K

C:\WINDOWS\SYSTEM32\
800x5.exe Thu Mar 31 2005 2:20:02a ..SHR 205,464 200.65 K
ca4rlo.sys Thu Mar 31 2005 2:13:38a ..SHR 198,778 194.12 K
cdplay~1.man Fri Mar 25 2005 9:52:08p A..HR 749 0.73 K
logonu~1.man Fri Mar 25 2005 9:52:14p A..HR 488 0.48 K
ncpacp~1.man Fri Mar 25 2005 9:52:08p A..HR 749 0.73 K
nwccpl~1.man Fri Mar 25 2005 9:52:08p A..HR 749 0.73 K
sapicp~1.man Fri Mar 25 2005 9:52:08p A..HR 749 0.73 K
undb3.dll Wed Apr 13 2005 8:50:20p ..SHR 445,964 435.51 K
vsconfig.xml Fri May 13 2005 3:54:48p A..H. 890 0.87 K
window~1.man Fri Mar 25 2005 9:52:14p A..HR 488 0.48 K
wuaucp~1.man Fri Mar 25 2005 9:52:08p A..HR 749 0.73 K
x99a5c.exe Thu Mar 31 2005 2:13:38a ..SHR 196,760 192.15 K
zllictbl.dat Fri Mar 25 2005 11:04:32p ...H. 4,212 4.11 K

C:\WINDOWS\TASKS\
sa.dat Fri May 13 2005 4:10:10p A..H. 6 0.00 K

C:\WINDOWS\SYSTEM32\CONFIG\
default.log Fri May 13 2005 4:11:22p A..H. 8,192 8.00 K
sam.log Fri May 13 2005 4:11:38p A..H. 1,024 1.00 K
security.log Fri May 13 2005 4:11:30p A..H. 12,288 12.00 K
software.log Fri May 13 2005 4:15:52p A..H. 229,376 224.00 K
system.log Fri May 13 2005 4:11:32p A..H. 778,240 760.00 K
tempkey.log Fri Mar 25 2005 1:38:22p A..H. 1,024 1.00 K
userdiff.log Fri Mar 25 2005 1:38:22p A..H. 1,024 1.00 K

C:\WINDOWS\SYSTEM32\RESTORE\
filelist.xml Sat Apr 2 2005 1:03:50a ..SHR 13,698 13.38 K

C:\WINDOWS\PCHEALTH\HELPCTR\PACKAG~1\
pab9c9~1.cab Fri Mar 25 2005 10:44:14p ..SHR 70,111 68.46 K
pabdc9~1.cab Fri Mar 25 2005 10:44:16p ..SHR 27,774 27.12 K
packag~1.cab Fri Mar 25 2005 9:52:32p ..SHR 242,478 236.79 K
packag~2.cab Fri Mar 25 2005 9:52:32p ..SHR 19,959 19.49 K
packag~3.cab Fri Mar 25 2005 9:52:32p ..SHR 727 0.71 K

C:\WINDOWS\SYSTEM32\CATROOT\{F750E~1\
845g.cat Fri Mar 25 2005 9:59:48p ..S.. 6,810 6.65 K
ich4core.cat Fri Mar 25 2005 9:59:50p ..S.. 7,657 7.48 K
ich4ide.cat Fri Mar 25 2005 9:59:50p ..S.. 7,655 7.47 K
ich4usb.cat Fri Mar 25 2005 9:59:50p ..S.. 7,655 7.47 K
oem0.cat Fri Mar 25 2005 9:59:40p ..S.. 38,525 37.62 K
oem1.cat Fri Mar 25 2005 9:59:46p ..S.. 8,512 8.31 K
oem10.cat Fri Mar 25 2005 9:59:34p ..S.. 9,167 8.95 K
oem11.cat Fri Mar 25 2005 9:59:34p ..S.. 9,167 8.95 K
oem12.cat Fri Mar 25 2005 9:59:34p ..S.. 9,167 8.95 K
oem13.cat Fri Mar 25 2005 9:59:34p ..S.. 9,167 8.95 K
oem14.cat Fri Mar 25 2005 9:59:34p ..S.. 9,167 8.95 K
oem15.cat Fri Mar 25 2005 9:59:34p ..S.. 9,167 8.95 K
oem16.cat Fri Mar 25 2005 9:59:34p ..S.. 9,167 8.95 K
oem17.cat Fri Mar 25 2005 9:59:34p ..S.. 9,167 8.95 K
oem18.cat Fri Mar 25 2005 9:59:34p ..S.. 9,167 8.95 K
oem19.cat Fri Mar 25 2005 9:59:34p ..S.. 9,167 8.95 K
oem2.cat Fri Mar 25 2005 9:59:46p ..S.. 8,512 8.31 K
oem20.cat Fri Mar 25 2005 9:59:48p ..S.. 9,202 8.98 K
oem21.cat Fri Mar 25 2005 9:59:40p ..S.. 12,258 11.97 K
oem3.cat Fri Mar 25 2005 9:59:34p ..S.. 49,825 48.66 K
oem4.cat Fri Mar 25 2005 9:59:38p ..S.. 9,177 8.96 K
oem5.cat Fri Mar 25 2005 9:59:38p ..S.. 9,181 8.96 K
oem6.cat Fri Mar 25 2005 9:59:38p ..S.. 9,163 8.95 K
oem7.cat Fri Mar 25 2005 9:59:38p ..S.. 9,175 8.96 K
oem8.cat Fri Mar 25 2005 9:59:38p ..S.. 9,175 8.96 K
oem9.cat Fri Mar 25 2005 9:59:34p ..S.. 9,167 8.95 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\APPLIC~1\
desktop.ini Fri Mar 25 2005 1:39:40p A.SH. 62 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\
desktop.ini Fri Mar 25 2005 1:39:40p A.SH. 62 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\SENDTO\
desktop.ini Fri Mar 25 2005 9:52:16p A.SH. 181 0.18 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\
desktop.ini Fri Mar 25 2005 1:39:40p A.SH. 62 0.06 K

C:\WINDOWS\SYSTEM32\REINST~1\0007\DRIVER~1\
i830mnt5.cat Fri Mar 25 2005 9:59:34p A.S.. 49,825 48.66 K

C:\WINDOWS\SYSTEM32\REINST~1\0008\DRIVER~1\
isb8xx.cat Fri Mar 25 2005 9:59:38p A.S.. 9,177 8.96 K

C:\WINDOWS\SYSTEM32\REINST~1\0009\DRIVER~1\
ikch8xx.cat Fri Mar 25 2005 9:59:38p A.S.. 9,181 8.96 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\HISTORY\
desktop.ini Fri Mar 25 2005 9:52:34p A.SH. 113 0.11 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\
desktop.ini Fri Mar 25 2005 9:52:34p A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\
desktop.ini Fri Mar 25 2005 9:53:20p A.SH. 206 0.20 K

C:\WINDOWS\SYSTEM32\MICROS~1\PROTECT\S-1-5-18\USER\
d88cac~1 Fri Mar 25 2005 11:04:52p A.SH. 388 0.38 K
prefer~1 Fri Mar 25 2005 11:04:52p A.SH. 24 0.02 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\HISTORY\HISTORY.IE5\
desktop.ini Fri Mar 25 2005 9:52:34p A.SH. 113 0.11 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\
desktop.ini Fri Mar 25 2005 9:52:34p A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\ACCESS~1\
desktop.ini Fri Mar 25 2005 9:53:20p A.SH. 482 0.47 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\STARTUP\
desktop.ini Fri Mar 25 2005 9:53:20p A.SH. 84 0.08 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\0SZ45QKQ\
desktop.ini Fri Mar 25 2005 9:52:34p A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\HOWH0TXT\
desktop.ini Fri Mar 25 2005 9:52:34p A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\HZDZEDM2\
desktop.ini Fri Mar 25 2005 9:52:34p A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\QKE3VKTR\
desktop.ini Fri Mar 25 2005 9:52:34p A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\ACCESS~1\ACCESS~1\
desktop.ini Fri Mar 25 2005 9:53:20p A.SH. 348 0.34 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\ACCESS~1\ENTERT~1\
desktop.ini Fri Mar 25 2005 9:53:20p A.SH. 84 0.08 K

83 items found: 83 files, 0 directories.
Total of file sizes: 3,406,505 bytes 3.25 M

#11 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:50 PM

Posted 14 May 2005 - 10:20 AM

I need to get samples of some of your files. Please create a folder called c:\submit. Now copy the following files into that directory:

C:\ml00!.exe
C:\WINDOWS\IFinst27.exe
C:\WINDOWS\SYSTEM32\amp3dj.ocx
C:\WINDOWS\SYSTEM32\ca4rlo.sys
C:\WINDOWS\SYSTEM32\x99a5c.exe
c:\windows\system32\800x5.exe

To copy the files simply navigate to the directory they are in and right click on the file name, and then click on copy option. Now go back to the c:\submit folder and right click in the folder and select the paste option.

Once the files are all copied zip the folder and rename submit.zip to yourmembername.zip (for example grinler.zip). If you are using XP or ME right-click on the folder and click on the Send To option and then send it to a Compressed folder. You will now see a file called yourmembername.zip. If you are using another version of Windows, please download a program called Winzip and zip it using that.

When the files are zipped, go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browsing to the file you are submitting Finally click on the Send File button.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users