My HJT log file plz help


18 replies to this topic

#1 mrf11486 (Members, 10 posts)

Posted 02 June 2005 - 11:24 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:23:31 AM, on 6/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\rznruv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Registry Cleaner Trial\RegClean.exe
C:\Program Files\Common Files\AOL\1115435730\EE\AOLHostManager.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\AOL\1115435730\EE\AOLServiceHost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Matthew\Local Settings\Temp\Temporary Directory 3 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Matthew\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Matthew\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {27CE2CCE-08F4-4BDA-BF7A-5C86558E1379} - C:\WINDOWS\System32\pgbi.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1115435730\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rznruv.exe reg_run
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Matthew\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [sndesh] C:\WINDOWS\System32\sndesh.exe
O4 - HKCU\..\Run: [YBrsRSe2O] ctfbkup.exe
O4 - HKCU\..\Run: [wiashext] C:\WINDOWS\System32\wiashext.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol toolbar 2.0\aoltbres.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCAA3D35-F7B7-49B1-8BED-438DCE437CE9}: NameServer = 69.50.176.156,195.225.176.31
O18 - Filter: text/html - {CFAC2207-C24B-4FC1-AB27-97F8AFCF126D} - C:\WINDOWS\System32\pgbi.dll
O18 - Filter: text/plain - {CFAC2207-C24B-4FC1-AB27-97F8AFCF126D} - C:\WINDOWS\System32\pgbi.dll
O20 - Winlogon Notify: ntfs32 - C:\WINDOWS\SYSTEM32\ntfs32.dll


#2 ddeerrff (Retired, Malware Response Team, 2,724 posts, Upper Midwest, US)

Posted 03 June 2005 - 12:29 AM

Hello mrf11486 and welcome to BleepingComputer.

Your log shows that you are seriously behind on Windows updates. It is essential that you update your operating system, as otherwise any infections we remove could reoccur. After we get you all cleaned up, be sure to go to Windows Update and, if it asks to install software, allow it to do so. Install the offered Critical and Security updates, reboot as requested, and return until you have installed all available Critical and Security updates.


You have HijackThis running from a temporary or zip folder. Any backup files HJT creates during the repair process will not be secure if left in this folder.

Create a folder on the C: drive called "C:\HJT". You can do this by opening My Computer then double click on Local Disk (C:). In a clear area right click and select New then Folder and name it "HJT". Unzip HijackThis into this folder. Please delete any other copies of HijackThis and run HJT only from this new folder.


Configure Windows to enable viewing of Hidden and System files.

Please download CWShredder.exe to your desktop from: http://cwshredder.net/bin/CWSInstall.exe
- Run CWShredder.exe.
- Click on Check for Update to be sure you have the most current version.
- Close CWShredder, we will use it later.

Download SpSeHjfix112.zip and unzip it to its own folder.
- We will use it later.

Download CleanUp! and install it.
- Start CleanUp! and click on the CleanUp! button.
- Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.
- Exit Cleanup


Reboot into Safe Mode.


Run CWShredder and click on the Fix button.

Run SpSeHjfix and click on Start Disinfection.
- As part of the cleaning process, it will reboot your machine.
- The tool will create a log of the fix which will appear in the folder that SpSeHjfix is located in.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Matthew\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Matthew\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {27CE2CCE-08F4-4BDA-BF7A-5C86558E1379} - C:\WINDOWS\System32\pgbi.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rznruv.exe reg_run
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Matthew\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [sndesh] C:\WINDOWS\System32\sndesh.exe
O4 - HKCU\..\Run: [YBrsRSe2O] ctfbkup.exe
O4 - HKCU\..\Run: [wiashext] C:\WINDOWS\System32\wiashext.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{DCAA3D35-F7B7-49B1-8BED-438DCE437CE9}: NameServer = 69.50.176.156,195.225.176.31

O18 - Filter: text/html - {CFAC2207-C24B-4FC1-AB27-97F8AFCF126D} - C:\WINDOWS\System32\pgbi.dll
O18 - Filter: text/plain - {CFAC2207-C24B-4FC1-AB27-97F8AFCF126D} - C:\WINDOWS\System32\pgbi.dll

O20 - Winlogon Notify: ntfs32 - C:\WINDOWS\SYSTEM32\ntfs32.dll

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Open Windows Explorer (Windows key+E), navigate to and delete the following files and folders (don't be concerned if they cannot be found):

C:\WINDOWS\ctfbkup.exe <--Files
C:\WINDOWS\System32\rznruv.exe
C:\WINDOWS\System32\sndesh.exe
C:\WINDOWS\System32\wiashext.exe
C:\WINDOWS\SYSTEM32\ntfs32.dll
C:\WINDOWS\SYSTEM32\ctfbkup.exe

If any of these resist being deleted, boot back into Safe Mode and try from there.


Reboot normally.


Please download FindQoologic from here:
http://forums.net-integration.net/index.ph...=post&id=134981
Unzip it to the desktop and run Find-Qoologic2.bat. This will generate a log file; please post the entire contents of the log file here for me to see.

In addition, post a fresh HijackThis log and the log that was created by SpSeHjfix.
Derfram
~~~~~~
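The entry classes ddeerrff picked out above (R0/R1 search settings pointing at se.dll in Temp, O2 BHOs with no name, O4 autostarts that run from Temp or give no path at all, the O17 NameServer change, O18 MIME filters on text/html and text/plain, and a non-stock O20 Winlogon Notify DLL) can be checked mechanically. The Python below is an added example written for this thread; it is not part of HijackThis and not code from any poster. The sample lines are copied from the first log in the thread, the stock Winlogon Notify list is taken from the pfind output posted later, and the rules and the expected-resolver set are the example's own assumptions.

```python
"""Triage a HijackThis 1.99 log for the entry classes a responder checks
first.  Added example for this thread; not part of HijackThis and not the
original poster's or ddeerrff's code.  Sample lines are copied from the
first post; STOCK_WINLOGON_NOTIFY comes from the pfind dump later in the
thread; the rules and the expected-resolver list are assumptions."""
import re

# Winlogon\Notify subkeys present on a stock Windows XP install (the set
# pfind printed for this machine once ntfs32 had been removed).
STOCK_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

ENTRY = re.compile(r"^(?P<sec>[RO]\d+)\s+-\s+(?P<body>.+)$")
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)   # ...\Temp\ or ...\LOCALS~1\Temp\
# an O4 command that names an executable with no directory component at all
BARE_EXE = re.compile(r'^\[[^\]]+\]\s+([^\s\\"]+\.(?:exe|dll|cpl))\b', re.IGNORECASE)


def triage(log_text, expected_nameservers=frozenset()):
    """Return a list of (section, reason, line) for entries worth fixing.
    expected_nameservers: resolvers the ISP/DHCP is known to hand out; an
    empty set means any statically configured O17 NameServer is flagged."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        sec, body, reason = m.group("sec"), m.group("body"), None
        if sec in ("R0", "R1"):
            if "res://" in body and TEMP_DIR.search(body):
                reason = "IE search/start page served from a DLL in a Temp directory"
            elif body.endswith("= about:blank"):
                reason = "IE search setting reset to about:blank"
        elif sec in ("O2", "O3"):
            if "(no name)" in body:
                reason = "BHO/toolbar registered without a display name"
        elif sec == "O4":
            cmd = body.split(":", 1)[1].strip() if ":" in body else body
            if TEMP_DIR.search(cmd):
                reason = "autostart runs code out of a Temp directory"
            else:
                bare = BARE_EXE.match(cmd)
                if bare:
                    reason = (f"autostart names {bare.group(1)} with no path; Windows "
                              "resolves it by search order, so the file's location is hidden")
        elif sec == "O17" and "NameServer" in body:
            servers = {s.strip() for s in body.split("=", 1)[1].split(",")}
            rogue = servers - set(expected_nameservers)
            if rogue:
                reason = "static DNS resolvers not on the expected list: " + ", ".join(sorted(rogue))
        elif sec == "O18":
            if re.search(r"Filter:\s+text/(?:html|plain)\b", body):
                reason = "MIME filter on text/html or text/plain: every page IE renders passes through this DLL"
        elif sec == "O20":
            pkg = re.match(r"Winlogon Notify:\s+(\S+)", body)
            if pkg and pkg.group(1).lower() not in STOCK_WINLOGON_NOTIFY:
                reason = "non-stock Winlogon Notify package (loaded into winlogon.exe as SYSTEM before logon)"
        if reason:
            findings.append((sec, reason, raw.strip()))
    return findings


# Lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Matthew\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - {27CE2CCE-08F4-4BDA-BF7A-5C86558E1379} - C:\WINDOWS\System32\pgbi.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Matthew\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [YBrsRSe2O] ctfbkup.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{DCAA3D35-F7B7-49B1-8BED-438DCE437CE9}: NameServer = 69.50.176.156,195.225.176.31
O18 - Filter: text/html - {CFAC2207-C24B-4FC1-AB27-97F8AFCF126D} - C:\WINDOWS\System32\pgbi.dll
O18 - Filter: text/plain - {CFAC2207-C24B-4FC1-AB27-97F8AFCF126D} - C:\WINDOWS\System32\pgbi.dll
O20 - Winlogon Notify: ntfs32 - C:\WINDOWS\SYSTEM32\ntfs32.dll
"""

if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"{sec:4} {reason}\n     {line}")
```

Pass the resolvers the ISP actually assigns as expected_nameservers; with the default empty set every static O17 entry is reported, which is the right default for a home machine on DHCP. The rules are deliberately narrow (rznruv.exe, for instance, is only caught by a human noticing that a Run entry called KavSvc points at a random-looking file), so treat the output as a starting list, not a verdict.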

#3 mrf11486 (Topic Starter, Members, 10 posts)

Posted 03 June 2005 - 03:35 PM

Hey man, thanks for the help. It seems like it's all cleared up, but I can't really tell yet. As far as deleting those files in the System32 folder (C:\WINDOWS\System32\rznruv.exe) and (C:\WINDOWS\SYSTEM32\ntfs32.dll), which are the only two I could find, it wouldn't let me because they are write protected or something like that, but yeah, I couldn't delete them even in Safe Mode. And here is the log you told me to get at the end. Here you go...


-------------------------------------------------------------------------------------------------


PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f7ecc3

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
datd.exe
desktop.ini
WinZip Quick Pick.lnk

User Startup:
C:\Documents and Settings\Matthew\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gyqgmfxn
<NO NAME> REG_SZ {b0b5d713-b50f-4867-900e-319e31fb8811}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
<NO NAME> REG_SZ {E0D79304-84BE-11CE-9641-444553540000}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 16:27
Operating System: Windows XP


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = ""
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]

#4 ddeerrff (Retired, Malware Response Team, 2,724 posts, Upper Midwest, US)

Posted 03 June 2005 - 03:48 PM

Need a fresh HJT log also please.
Derfram
~~~~~~

#5 mrf11486 (Topic Starter, Members, 10 posts)

Posted 03 June 2005 - 04:02 PM

OK, here it is... Oh, and by the way, right now I'm using Mozilla Firefox, which seems to work fine, but for some odd reason every time I try to use Internet Explorer, which is the browser I need to use to get those Windows updates, it won't come up at all. Like, I open IE and nothing even happens. But here is the HJT log file.

--------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 5:00:59 PM, on 6/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\WINDOWS\System32\rznruv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\1115435730\EE\AOLHostManager.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\AOL\1115435730\EE\AOLServiceHost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1115435730\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rznruv.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\regclean.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol toolbar 2.0\aoltbres.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
O20 - Winlogon Notify: ntfs32 - C:\WINDOWS\SYSTEM32\ntfs32.dll

#6 ddeerrff (Retired, Malware Response Team, 2,724 posts, Upper Midwest, US)

Posted 03 June 2005 - 04:45 PM

Download the Killbox. Unzip it to the desktop.

Run Killbox.

- Select "Delete on Reboot".
- Copy the file names below highlighting them and pressing Control-C:

C:\WINDOWS\System32\rznruv.exe
C:\WINDOWS\System32\ntfs32.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\datd.exe


- Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

- Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.



Open Notepad (Start button, click on Run, type in Notepad, and click OK) and copy and paste the following block of text into Notepad.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\gyqgmfxn]

[-HKEY_CLASSES_ROOT\CLSID\{b0b5d713-b50f-4867-900e-319e31fb8811}]

Click on 'File', then 'Save as'
Select 'Save as type:' as All Files,
Save the file to the desktop as fix.reg. Close Notepad.

Then double-click on the fix.reg file, and when it prompts to merge say yes.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rznruv.exe reg_run

O20 - Winlogon Notify: ntfs32 - C:\WINDOWS\SYSTEM32\ntfs32.dll

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


I have a feeling there are things hiding that we are not yet seeing. Let's dig deeper:

Download http://www.bleepingcomputer.com/files/pfind.php
- Create a folder C:\pfind and extract pfind-new.zip into it.

Reboot your computer into Safe Mode

Then open c:\pfind and double-click on pfind.bat. When it is done, reboot and post the contents of c:\pfind.txt as a reply to this topic.

Also a fresh HJT log once more.
Derfram
~~~~~~
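Killbox's "Delete on Reboot" exists because a DLL mapped into a running process (ntfs32.dll is loaded by winlogon.exe through the O20 entry) cannot be deleted while it is in use, even in Safe Mode, which is what mrf11486 ran into. The delete is queued instead in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, the same value the Killbox error message names, and smss.exe carries it out early in the next boot, before winlogon loads the DLL again. The Python below is an added example for this thread, not Killbox's code: it builds that value for the three files listed, encodes and decodes the raw REG_MULTI_SZ bytes as they appear in an offline hive or a .reg export, and pairs the entries back into operations for review. The file paths are the ones from the post; the "!" replace-existing prefix and the hex(7) rendering follow the MoveFileEx and regedit formats; no registry write is performed.

```python
r"""Compose and decode the PendingFileRenameOperations value behind
"Delete on Reboot".  Added example for this thread; not Killbox's code.
The value lives under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
and is a REG_MULTI_SZ of (source, target) pairs; an empty target deletes
the source.  smss.exe processes it at the next boot.  File list is the one
ddeerrff gave; nothing here touches the registry."""


def nt_path(win_path):
    r"""Session Manager wants NT object paths: \??\C:\dir\file."""
    if len(win_path) < 3 or win_path[1] != ":" or win_path[2] != "\\":
        raise ValueError(f"absolute drive path required: {win_path!r}")
    return "\\??\\" + win_path


def build_pending_ops(deletes=(), renames=()):
    """Flat string list as stored in the value: (source, target) pairs.
    Empty target = delete source.  A '!' prefix on the target means
    replace an existing file (what MOVEFILE_REPLACE_EXISTING records)."""
    ops = []
    for path in deletes:
        ops += [nt_path(path), ""]
    for src, dst in renames:
        ops += [nt_path(src), "!" + nt_path(dst)]
    return ops


def encode_multi_sz(strings):
    """On-disk REG_MULTI_SZ: each string UTF-16LE + NUL, then one more NUL."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"


def decode_multi_sz(blob):
    """Inverse of encode_multi_sz.  Keeps the empty strings, which are the
    delete markers here; a naive split-and-strip would throw them away."""
    text = blob.decode("utf-16-le")
    if text == "\x00":                      # zero strings: just the terminator
        return []
    if not text.endswith("\x00\x00"):
        raise ValueError("REG_MULTI_SZ is not double-NUL terminated")
    return text[:-1].split("\x00")[:-1]     # drop list terminator, then the last empty piece


def pending_ops(strings):
    """Pair the flat list back into (kind, source, target) operations."""
    if len(strings) % 2:
        raise ValueError("odd entry count: value is corrupt or truncated")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append(("delete", src, None))
        elif dst.startswith("!"):
            ops.append(("replace", src, dst[1:]))
        else:
            ops.append(("rename", src, dst))
    return ops


def reg_hex7(blob):
    """Render the bytes as regedit exports a REG_MULTI_SZ: hex(7):xx,xx,..."""
    return "hex(7):" + ",".join(f"{b:02x}" for b in blob)


if __name__ == "__main__":
    files = [r"C:\WINDOWS\System32\rznruv.exe",
             r"C:\WINDOWS\System32\ntfs32.dll",
             r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\datd.exe"]
    blob = encode_multi_sz(build_pending_ops(deletes=files))
    for kind, src, dst in pending_ops(decode_multi_sz(blob)):
        print(kind, src, dst or "")
    print('"PendingFileRenameOperations"=' + reg_hex7(blob)[:60] + "...")
```

On the live machine the write itself is a single winreg.SetValueEx call with type REG_MULTI_SZ and the list from build_pending_ops, which needs Administrator rights; read any existing entries first and append to them rather than overwrite. Decoding the value out of a SYSTEM hive is also a useful incident-response check: malware uses the same mechanism to delete or replace security tools at boot, and a value that empties itself before the reboot (the "Removed by External Process" message the post mentions) means something else on the box is watching that key.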

#7 mrf11486 (Topic Starter, Members, 10 posts)

Posted 03 June 2005 - 06:29 PM

OK, here is the pfind log.

Files found with this application may be legitimate.
Only remove files that you know are malware related.


Checking the C: folder



Checking the C:\Program Files folder



Checking the C:\WINDOWS folder

C:\WINDOWS\protector.exe: FSG!


Checking the C:\WINDOWS\SYSTEM32 folder

C:\WINDOWS\SYSTEM32\caocdbm.exe: .aspack
C:\WINDOWS\SYSTEM32\dumpsprep.exe: UPX!
C:\WINDOWS\SYSTEM32\elitebht32.exe: FSG!
C:\WINDOWS\SYSTEM32\elitezyv32.exe: FSG!
C:\WINDOWS\SYSTEM32\ipdnssec6.exe: UPX!
C:\WINDOWS\SYSTEM32\mqspbkup.exe: UPX!
C:\WINDOWS\SYSTEM32\pxgpozr.dll: UPX!
C:\WINDOWS\SYSTEM32\quvqw.dat: UPX!
C:\WINDOWS\SYSTEM32\redit.cpl: .aspack
C:\WINDOWS\SYSTEM32\supdate.dll: UPX!


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder



Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\All Users\Application Data folder




Checking the C:\Documents and Settings\Matthew\Start Menu\programs\Startup\ folder




Checking the C:\Documents and Settings\Matthew\Application Data folder




Checking the Windows folder for system and hidden files within the last 60 days


C:\WINDOWS\
bootstat.dat Fri Jun 3 2005 7:18:58p A.S.. 2,048 2.00 K
window~1.man Fri May 6 2005 10:33:52p A..HR 749 0.73 K

C:\WINDOWS\ASSEMBLY\
desktop.ini Sat May 7 2005 12:07:36a ..SHR 227 0.22 K

C:\WINDOWS\DOWNLO~1\
desktop.ini Fri May 6 2005 10:34:22p ...H. 65 0.06 K

C:\WINDOWS\FONTS\
desktop.ini Fri May 6 2005 10:37:10p A.SH. 67 0.06 K

C:\WINDOWS\INF\
oem0.inf Sat May 14 2005 6:42:16p ...H. 0 0.00 K
oem1.inf Sat May 14 2005 6:49:08p ...H. 0 0.00 K

C:\WINDOWS\OFFLIN~1\
desktop.ini Fri May 6 2005 10:34:22p ...H. 65 0.06 K

C:\WINDOWS\REPAIR\
ntuser.dat Fri May 6 2005 10:39:16p A..H. 241,664 236.00 K

C:\WINDOWS\SYSTEM32\
cdplay~1.man Fri May 6 2005 10:33:52p A..HR 749 0.73 K
logonu~1.man Fri May 6 2005 10:34:22p A..HR 488 0.48 K
ncpacp~1.man Fri May 6 2005 10:33:52p A..HR 749 0.73 K
nwccpl~1.man Fri May 6 2005 10:33:52p A..HR 749 0.73 K
sapicp~1.man Fri May 6 2005 10:33:52p A..HR 749 0.73 K
window~1.man Fri May 6 2005 10:34:22p A..HR 488 0.48 K
wuaucp~1.man Fri May 6 2005 10:33:52p A..HR 749 0.73 K

C:\WINDOWS\TASKS\
sa.dat Fri Jun 3 2005 7:17:42p A..H. 6 0.00 K

C:\WINDOWS\SYSTEM32\CONFIG\
default.log Fri Jun 3 2005 7:18:50p A..H. 8,192 8.00 K
sam.log Fri Jun 3 2005 7:19:12p A..H. 1,024 1.00 K
security.log Fri Jun 3 2005 7:19:02p A..H. 12,288 12.00 K
software.log Fri Jun 3 2005 7:20:10p A..H. 73,728 72.00 K
system.log Fri Jun 3 2005 7:19:04p A..H. 663,552 648.00 K
tempkey.log Fri May 6 2005 2:58:32p A..H. 1,024 1.00 K
userdiff.log Fri May 6 2005 2:58:34p A..H. 1,024 1.00 K

C:\WINDOWS\SYSTEM32\RESTORE\
filelist.xml Sat May 14 2005 6:49:12p ..SHR 13,695 13.37 K

C:\WINDOWS\PCHEALTH\HELPCTR\PACKAG~1\
packag~1.cab Fri May 6 2005 10:35:44p ..SHR 242,478 236.79 K
packag~2.cab Fri May 6 2005 10:35:44p ..SHR 19,959 19.49 K
packag~3.cab Fri May 6 2005 10:35:44p ..SHR 727 0.71 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\APPLIC~1\
desktop.ini Fri May 6 2005 3:04:34p A.SH. 62 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\
desktop.ini Fri May 6 2005 3:04:34p A.SH. 62 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\SENDTO\
desktop.ini Fri May 6 2005 10:34:30p A.SH. 181 0.18 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\
desktop.ini Fri May 6 2005 3:04:34p A.SH. 62 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\HISTORY\
desktop.ini Fri May 6 2005 10:35:50p A.SH. 113 0.11 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\
desktop.ini Fri May 6 2005 10:35:50p A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\
desktop.ini Fri May 6 2005 10:39:12p A.SH. 206 0.20 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\HISTORY\HISTORY.IE5\
desktop.ini Fri May 6 2005 10:35:50p A.SH. 113 0.11 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\
desktop.ini Fri May 6 2005 10:35:50p A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\ACCESS~1\
desktop.ini Fri May 6 2005 10:39:10p A.SH. 482 0.47 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\STARTUP\
desktop.ini Fri May 6 2005 10:39:10p A.SH. 84 0.08 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\IS8IMKPN\
desktop.ini Fri May 6 2005 10:35:50p A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\MHAA0CCS\
desktop.ini Fri May 6 2005 10:35:50p A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\VD9BVVZR\
desktop.ini Fri May 6 2005 10:35:50p A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\YBQRIDF1\
desktop.ini Fri May 6 2005 10:35:50p A.SH. 67 0.06 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\ACCESS~1\ACCESS~1\
desktop.ini Fri May 6 2005 10:39:10p A.SH. 348 0.34 K

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\STARTM~1\PROGRAMS\ACCESS~1\ENTERT~1\
desktop.ini Fri May 6 2005 10:39:10p A.SH. 84 0.08 K

45 items found: 45 files, 0 directories.
Total of file sizes: 1,289,502 bytes 1.23 M



! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
tgcmd REG_SZ "C:\Program Files\support.com\bin\tgcmd.exe" /server
HostManager REG_SZ C:\Program Files\Common Files\AOL\1115435730\EE\AOLHostManager.exe
WinampAgent REG_SZ C:\Program Files\Winamp\winampa.exe
STOPzilla REG_SZ C:\Program Files\STOPzilla!\STOPzilla.exe /autostart


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSMSGS REG_SZ "C:\Program Files\Messenger\msmsgs.exe" /background
AIM REG_SZ C:\Program Files\AIM\aim.exe -cnetwait.odl
Registry Cleaner REG_SZ "C:\Program Files\Registry Cleaner Trial\regclean.exe"


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
PostBootReminder REG_SZ {7849596a-48ea-486e-8937-a2a3009f31a9}
CDBurn REG_SZ {fbeb8a05-beee-4442-804e-409d6c4515e9}
WebCheck REG_SZ {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
SysTray REG_SZ {35CEC8A3-2BE6-11D2-8773-92E220524153}


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,



! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell REG_SZ Explorer.exe



! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs REG_SZ

--------------------------------
HJT log

Logfile of HijackThis v1.99.1
Scan saved at 7:29:16 PM, on 6/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\AOL\1115435730\EE\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1115435730\EE\AOLServiceHost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1115435730\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\regclean.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol toolbar 2.0\aoltbres.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab

#8 ddeerrff (Malware Response Team, Retired)

Posted 04 June 2005 - 11:32 AM

Please first save these directions to the desktop as a text file, because you will need to copy and paste part of them later, once we are in Safe Mode.

If you still have Killbox, skip this download. Otherwise:
Please download the Killbox.
- Unzip it to the desktop but do NOT run it yet.

Download LQfix.zip.
- Unzip it to your desktop.
- Don't use it yet.


Reboot into Safe Mode.


Locate LQFix.bat on your desktop.
- Double-click on LQFix.bat. A command window will open and close again; that is normal.


Please run Killbox.

- Select "Delete on Reboot".
- Copy the file names below by highlighting them and pressing Control-C:

C:\WINDOWS\protector.exe
C:\WINDOWS\SYSTEM32\caocdbm.exe
C:\WINDOWS\SYSTEM32\dumpsprep.exe
C:\WINDOWS\SYSTEM32\elitebht32.exe
C:\WINDOWS\SYSTEM32\elitezyv32.exe
C:\WINDOWS\SYSTEM32\ipdnssec6.exe
C:\WINDOWS\SYSTEM32\mqspbkup.exe
C:\WINDOWS\SYSTEM32\pxgpozr.dll
C:\WINDOWS\SYSTEM32\quvqw.dat
C:\WINDOWS\SYSTEM32\redit.cpl
C:\WINDOWS\SYSTEM32\supdate.dll


- Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

- Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.


I need to more closely examine a registry key exposed by pFind.

- Please open your registry editor by clicking on Start, then Run, type in regedit, and click OK.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies and 'expand' Policies.
- Right click on Explorer, select Export and save it to your desktop as Explorer.reg.
- Close regedit.

Find Explorer.reg on your desktop.
- Right click on it and select Edit.
- Copy/Paste the contents of the file to your next post.


Any luck getting Internet Explorer to open yet? Can you be more specific as to what happens when you try?

Edited by ddeerrff, 04 June 2005 - 11:33 AM.

Derfram
~~~~~~

#9 mrf11486 (Topic Starter)

Posted 04 June 2005 - 10:44 PM

Here ya go... sorry it took me so long to reply, but here is the explorer.reg file thing. About IE: it opens sometimes, but nothing ever comes up in the window. It says "Done" in the corner but nothing on screen.


------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoActiveDesktopChanges"=dword:00000000
"DisableLocalMachineRun"=dword:00000000
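The export ddeerrff asked for matters because lock-out malware of this period sets values under Policies\Explorer to hide Folder Options or Run and uses the Policies\Explorer\Run subkey as a less-visited autostart. The script below is an added example, not code from the thread or from any of the tools it mentions: it parses a regedit 5.00 export and reports non-zero lock-out policies and any policy Run values. The first sample is the export posted above; the second export and the short policy descriptions are constructed by us for illustration.

```python
import re
from typing import Dict, List

# Explorer policy values that lock-out style malware sets to non-zero, either to
# keep the user away from tools (Run, Folder Options, Control Panel) or to hide
# its own autostart. The value names are real Explorer policies; the one-line
# descriptions are ours. Non-zero means "non-default", not "infected".
SUSPECT_POLICIES = {
    "NoRun": "hides Start > Run",
    "NoFolderOptions": "hides Folder Options, so hidden files stay hidden",
    "NoControlPanel": "blocks Control Panel",
    "NoDesktop": "hides desktop icons",
    "NoViewContextMenu": "disables the Explorer right-click menu",
    "NoSetTaskbar": "locks taskbar settings",
    "NoActiveDesktopChanges": "locks Active Desktop",
    "DisableLocalMachineRun": "suppresses HKLM\\...\\Run",
    "DisableLocalMachineRunOnce": "suppresses HKLM\\...\\RunOnce",
    "DisableCurrentUserRun": "suppresses HKCU\\...\\Run",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')
_STRING_RE = re.compile(r'^(@|"[^"]+")="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a 'Windows Registry Editor Version 5.00' export.

    Returns {key_path: {value_name: value}}. DWORDs become ints and REG_SZ
    values have regedit's backslash escaping undone. hex: values and their
    continuation lines are deliberately ignored.
    """
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _DWORD_RE.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = _STRING_RE.match(line)
        if m:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return keys


def audit_explorer_policies(text: str) -> List[str]:
    """Findings for an export of ...\\Policies\\Explorer and its Run subkey."""
    findings = []
    for key, values in parse_reg_export(text).items():
        tail = key.rsplit("\\", 1)[-1].lower()
        if tail == "explorer":
            for name, value in values.items():
                if name in SUSPECT_POLICIES and value != 0:
                    findings.append(f"{name}={value} ({SUSPECT_POLICIES[name]})")
        elif tail == "run" and "policies\\explorer" in key.lower():
            # Values here start with the shell like an ordinary Run key, but
            # almost no legitimate installer writes them.
            for name, cmd in values.items():
                findings.append(f"policy autostart {name} -> {cmd}")
    return findings


# The export posted earlier in this thread; both values are zero, i.e. default.
POSTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoActiveDesktopChanges"=dword:00000000
"DisableLocalMachineRun"=dword:00000000
"""

# Constructed counter-example, not from the thread: Folder Options locked and a
# policy Run value named after the sndesh.exe entry Silent Runners reports later.
CONSTRUCTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
"NoActiveDesktopChanges"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"sndesh"="C:\\WINDOWS\\System32\\sndesh.exe"
"""

if __name__ == "__main__":
    for label, sample in (("posted", POSTED_EXPORT), ("constructed", CONSTRUCTED_EXPORT)):
        print(label, audit_explorer_policies(sample) or ["nothing non-default"])
```

Run it against any Explorer.reg you export the same way; an empty result for the posted export is exactly ddeerrff's "looks OK" verdict, while a non-zero NoFolderOptions or anything under the Run subkey is what a helper would ask you to remove.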

#10 ddeerrff (Malware Response Team, Retired)

Posted 04 June 2005 - 11:58 PM

That last .reg key looks OK.

We seem to be finding malware or malware remnants just about everywhere we look. We may end up having to try a reinstallation of IE, but there are a few more tools we can run to see if there might still be some baddies that are causing the problem.

Download Silent Runners and unzip it into its own folder.
- Run SilentRunners.vbs.
- If your antivirus complains, tell it to allow this script.

Copy and paste the content of the Silent Runners textfile you get afterwards in your next reply.
Derfram
~~~~~~

#11 ddeerrff (Malware Response Team, Retired)

Posted 06 June 2005 - 01:51 PM

Has this problem with IE occurred as a result of the malware removal, or was it a prior problem? My assumption has been it was a prior problem.
Derfram
~~~~~~

#12 mrf11486 (Topic Starter)

Posted 06 June 2005 - 02:52 PM

OK, the problem with IE was prior to removal of the malware; it hasn't worked ever since I got all this bleep on here. But here is the log file from the SilentRunners prog.



---
"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"sndesh" = "C:\WINDOWS\System32\sndesh.exe" [file not found]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

#13 ddeerrff (Malware Response Team, Retired)

Posted 06 June 2005 - 03:56 PM

SilentRunners should produce a much longer log than that. Is it giving you any errors?

If you get an error similar to "autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose Close to terminate the application..." etc., or a 16-bit application error:
Go here and use the appropriate fix for your system:
http://www.tech-forums.net/computer/topic/29806.html
Derfram
~~~~~~

#14 mrf11486 (Topic Starter)

Posted 07 June 2005 - 11:31 PM

OK, when it makes the log from the Silent prog, that's all it does: it makes that small log... no errors or anything come up? And could you tell me a place to get some antivirus programs for free, 'cause that's why I was so infected... I don't have any antivirus progs. Thanks a lot.

#15 mrf11486 (Topic Starter)

Posted 07 June 2005 - 11:34 PM

Ohhh OK, I see now... gotta give it time to make the log, lol. Sorry 'bout that. Well, here ya go.


-------------------------------

"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"sndesh" = "C:\WINDOWS\System32\sndesh.exe" [file not found]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"Registry Cleaner" = ""C:\Program Files\Registry Cleaner Trial\regclean.exe"" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"tgcmd" = ""C:\Program Files\support.com\bin\tgcmd.exe" /server" ["Support.com, Inc."]
"HostManager" = "C:\Program Files\Common Files\AOL\1115435730\EE\AOLHostManager.exe" ["America Online, Inc."]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"STOPzilla" = "C:\Program Files\STOPzilla!\STOPzilla.exe /autostart" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Enabled Active Desktop and Wallpaper:
-------------------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Matthew" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."]

{669B269B-0D4E-41FB-A3D8-FD67CA94F646}\
"ButtonText" = "ComcastHSI"
"Exec" = "http://www.comcast.net/" [file not found]

{8828075D-D097-4055-AA02-2DBFA9D85E8A}\
"ButtonText" = "Support"
"Exec" = "http://www.comcastsupport.com/" [file not found]

{97809617-3937-4F84-B335-9BB05EF1A8D4}\
"ButtonText" = "Help"
"Exec" = "http://online.comcast.net/help/" [file not found]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
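What a helper does with a Silent Runners log is mostly mechanical: walk the "Startup items buried in registry" section, note the tag the script attached to each value ([MS], a vendor name from version info, [null data], or [file not found]) and the location it came from, and pull out the entries that need a decision. The script below is an added example, not part of the thread and not the Silent Runners tool itself; it parses that section of the log and flags dangling entries, values with no version info, values in the Policies\Explorer\Run key, and images that live in a Temp directory. The sample log is the startup section posted above, plus one HKCU Run value ("update", pointing into Temp) that we constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Silent Runners prints each autostart location as a key line ending in a
# backslash (with " {++}" when default entries are shown too), followed by
#   "ValueName" = "command line" [tag]
# where the tag is [MS], ["Company from version info"], [null data] or
# [file not found]. Only the "Startup items buried in registry" section is read.
_KEY_RE = re.compile(r"^(HK[A-Z]{2}\\.+\\)(?: \{\+\+\})?$")
_ENTRY_RE = re.compile(r'^"([^"]+)" = "(.*)" \[(.+)\]$')
_IMAGE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|cpl|scr|com|bat))', re.IGNORECASE)
STARTUP_SECTION = "Startup items buried in registry"


@dataclass
class Autostart:
    key: str
    name: str
    command: str
    tag: str
    reasons: List[str] = field(default_factory=list)


def parse_startup_items(log_text: str) -> List[Autostart]:
    """Return the autostart entries listed in the startup section of the log."""
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    entries: List[Autostart] = []
    section = key = None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        # A section title is a line ending in ':' underlined with dashes.
        if line.endswith(":") and nxt and set(nxt) == {"-"}:
            section, key = line[:-1], None
            continue
        if section != STARTUP_SECTION:
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _ENTRY_RE.match(line)
        if m and key:
            entries.append(Autostart(key, m.group(1), m.group(2), m.group(3)))
    return entries


def triage(entries: List[Autostart]) -> List[Autostart]:
    """Attach a reason to every entry worth a second look and return those."""
    flagged = []
    for e in entries:
        if e.tag == "file not found":
            e.reasons.append("file not found: dangling autostart, delete the value")
        elif e.tag == "null data":
            e.reasons.append("no version info: identify the file before trusting it")
        if "\\policies\\explorer\\run" in e.key.lower():
            e.reasons.append("Policies\\Explorer\\Run: rarely used by legitimate installers")
        m = _IMAGE_RE.match(e.command)
        image = (m.group(1) if m else e.command).lower()
        if "\\temp\\" in image:
            e.reasons.append("image lives in a Temp directory")
        if e.reasons:
            flagged.append(e)
    return flagged


# Sample log: the startup section as posted in this thread, plus one
# constructed HKCU Run value ("update", not from the thread) that runs from Temp.
SAMPLE_LOG = r"""
"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows XP

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"sndesh" = "C:\WINDOWS\System32\sndesh.exe" [file not found]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"Registry Cleaner" = ""C:\Program Files\Registry Cleaner Trial\regclean.exe"" [file not found]
"update" = "C:\DOCUME~1\Matthew\LOCALS~1\Temp\update.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"tgcmd" = ""C:\Program Files\support.com\bin\tgcmd.exe" /server" ["Support.com, Inc."]
"HostManager" = "C:\Program Files\Common Files\AOL\1115435730\EE\AOLHostManager.exe" ["America Online, Inc."]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"STOPzilla" = "C:\Program Files\STOPzilla!\STOPzilla.exe /autostart" [file not found]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
"""

if __name__ == "__main__":
    for e in triage(parse_startup_items(SAMPLE_LOG)):
        print(f"{e.key}{e.name}")
        for r in e.reasons:
            print(f"    - {r}")
```

A flag is a lead, not a verdict: [null data] on winampa.exe only means the file carries no version information, and a [file not found] entry is a leftover to clean up rather than a live infection. The entry that deserves the most attention in this log is the one that collects two reasons, sndesh.exe under the policy Run key, because that location is where the earlier Explorer.reg check was aimed.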



