
Vicious Malware


12 replies to this topic

#1 Alane

Posted 04 July 2005 - 05:34 PM

Logfile of HijackThis v1.99.1
Scan saved at 9:27:45 PM, on 7/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\User\Desktop\hijack\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlmmul.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: dupp.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {88B507F9-C6B2-45CC-AAB6-720A652DE11C} (TenOfTen Class) - https://help.verizon.net/hstwebinstall/web/...tWebInstall.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} (RegPropsCtrl Class) - https://help.verizon.net/hstwebinstall/web/...tWebInstall.cab
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\jnsd400.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

And after a little clean-up (like always). After reboot, it will be back as above:

Logfile of HijackThis v1.99.1
Scan saved at 9:29:39 PM, on 7/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\User\Desktop\hijack\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {88B507F9-C6B2-45CC-AAB6-720A652DE11C} (TenOfTen Class) - https://help.verizon.net/hstwebinstall/web/...tWebInstall.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} (RegPropsCtrl Class) - https://help.verizon.net/hstwebinstall/web/...tWebInstall.cab
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\jnsd400.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

A few of these services can't be removed, so I just renamed the files they linked to. However, somewhat recently, the last one (wanmpsvc.exe) has somehow revived. I have no idea what SmartLink Service is, but I don't want to do anything that might mess with my DSL connection.

The main problem:

O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\jnsd400.dll

Winlogon Notifies cannot be removed by a standard HJT scan. According to HJT, you should use the delete-on-reboot feature of either HJT or Killbox.
The reason for this is that since it is loaded at startup by winlogon.exe, this .dll is in active memory at all times, whether you are in safe mode, normal mode, or even safe mode with command prompt only.
The solution would normally be simple: use HJT or Killbox to add a registry entry to delete the file or registry entry BEFORE winlogon.exe executes.
Here's where it gets tricky. This malware, by virtue of winlogon (and not another process), manages to keep any RenameFileOperation registry values =jnsd400.dll out of the registry. In other words, after HJT, Killbox (another one is also CopyLog), etc. make the command to delete the file, the virus (I think I'm safe in calling it that) deletes the command in order to protect itself.

OK, the file can't be deleted, the registry can't be changed, and the registry can't be used to delete the file, so what next?
System restore is what I was thinking; however, for some reason that I don't find coincidental, System Restore will no longer work. After I run it in safe mode, it reboots and ends up doing nothing at all; it does not restore anything, and it does not confirm whether or not it has completed either.
One other side effect seems to be that I can't access Windows Update.

So what's next? I am down to two theories I cannot test, and I am looking for any help that can be offered by the administrators of this board.

A) Write a program, either a batch file or in a higher-level programming language, to continually add the command to delete the file in an infinite loop, and while it is running, cut the power to the PC. This hypothetically would give a 50/50 chance of adding the entry to delete the file once the computer starts back up.
I do have experience programming, although I'm not sure how to add to the registry in any of the languages I have experience in, nor do I know the exact registry entry that needs to be made.

B) Slave the hard drive to another computer, and delete the file that way.
My only other computer is a notebook, so that one will be difficult for me.


I just now realized I haven't explained what this virus/malware does. When the computer is idle, it downloads Virtual Bouncer, Ad-Destroyer, VX2, and other adware/malware. I have the software to remove these adequately, so I'm not worried about them. When the computer is not idle, it monitors the websites and websearch strings entered into IE and displays popups based on the content it detects.

I implore anyone who's reading this and has any suggestion whatsoever on how to get rid of this problem to help me.

Oh yes, I already use the likes of Ad-aware and spybot, as well as trend micro's housecall, and norton antivirus. For firewalls, I have windows XP and a built-in firewall on my DSL.

As for dupp.exe- I can't tell what it's doing. it just shows up every once in a while. it IS related to this problem though. It is apparently created in the windows startup folder, executed, and then automatically deleted (it's not hidden, but it's not there, although hijack picks it up from time to time)

Edited by Platypus, 31 October 2011 - 12:33 AM.
email contact removed at request of OP


#2 OldTimer (Malware Expert)

Posted 05 July 2005 - 07:32 PM

Hello Alane and welcome to the BC malware forums. Yeah, the infections that attach themselves to the winlogon can be tricky. It appears that this log was made while in Safe Mode. Since this can hide many of the running processes that might be causing problems, I need you to do the following.

Boot normally, start HijackThis and click the Do a system scan and save a log button to perform a scan and create a log file. When the scan is complete, Notepad will open up with the log file in it. While in Notepad, press Ctrl-A to select all text and then Ctrl-C to copy the text to the clipboard.

POST the log in this thread using the Add Reply button. Click in the data-entry window and press Ctrl-V to paste the log into the window. Add any other comments which you believe might be helpful in our analysis. and click the Add Reply button.

I will review your log when it comes in.


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL I CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

#3 Alane (Topic Starter)

Posted 05 July 2005 - 09:27 PM

I've been using HJT for probably close to a year now to solve most of my routine problems, so I do understand some processes/entries that are harmful, unnecessary, necessary, etc.

+indicates something I believe to be related to this virus I'm going through
-indicates something I'm afraid to change
*indicates a problem I'll explain below

Logfile of HijackThis v1.99.1
Scan saved at 9:50:52 PM, on 7/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
*C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Microsoft Shared\DirectX Extensions\DXDebugService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
*C:\WINDOWS\system32\ctfmon.exe
+C:\WINDOWS\system32\DllHost.exe
+C:\WINDOWS\system32\klnnhl.exe
C:\Documents and Settings\User\Desktop\hijack\HijackThis.exe

+R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
+R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
+O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\klnnhl.exe reg_run
*O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {88B507F9-C6B2-45CC-AAB6-720A652DE11C} (TenOfTen Class) - https://help.verizon.net/hstwebinstall/web/...tWebInstall.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} (RegPropsCtrl Class) - https://help.verizon.net/hstwebinstall/web/...tWebInstall.cab
+O17 - HKLM\System\CCS\Services\Tcpip\..\{46356BC1-82EB-4B1F-B9BD-19BA720D61E0}: NameServer = 205.188.146.145
*O17 - HKLM\System\CCS\Services\Tcpip\..\{BEA4B3CA-098A-48CD-A792-CEC61012639D}: NameServer = 151.199.0.39 207.68.32.39
+O17 - HKLM\System\CS1\Services\Tcpip\..\{46356BC1-82EB-4B1F-B9BD-19BA720D61E0}: NameServer = 205.188.146.145
+O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\jnsd400.dll
*O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
-O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
-O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
-O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
*O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

ctfmon.exe is supposed to be part of Microsoft Office; however, it has been acting somewhat malignant for years. It does not stay terminated from memory, and the registry entry is reinserted often. It is also supposed to be the Microsoft Office Tool menu, which I have never had. Regardless of whether or not it's a problem, I don't really care about it.

wanmpsvc.exe and AOLAcsd.exe are parts of America Online. I do not use AOL often as I have a DSL connection. Attempts to remove these registry entries fail; however, I can delete the respective files. wanmpsvc.exe will be recreated upon an attempt to connect to AOL, so I'm sure it's not a danger.

O17 - HKLM\System\CCS\Services\Tcpip\..\{BEA4B3CA-098A-48CD-A792-CEC61012639D}: NameServer = 151.199.0.39 207.68.32.39

I believe this is related to my DSL connection. I can remove it, but it seems to hamper connectivity. The two entries with IP numbers starting with 205, however, are definitely virus/malware related.


+R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
+R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
These showed up just the other day; I suspect they're from some software that was downloaded by the virus. Nonetheless, they are having little to no apparent effect yet. They showed up about the same time as dllhost.exe started residing in memory; killing that process does not enable me to remove the registry entries, however.


C:\WINDOWS\system32\klnnhl.exe

This file is found under processes from time to time, however, even when it's running, it cannot be found at that location, even as a hidden file.. I suspect that this process may be somehow hiding files such as itself and dupp.exe. When I use HJT to remove this line, it is replaced by a Global startup of dupp.exe in the system's startup folder.. like klnnhl.exe, dupp.exe cannot be detected by normal means.

One last note about klnnhl.exe is that sometimes I can detect it with Windows Task Manager; however, sometimes it can be detected through similar programs such as Itty Bitty Process Manager (IBProcMan) while it is apparently hidden from Windows Task Manager. Other times it is not operating and/or is completely undetectable.

However, I have to reiterate that I believe that all the functions of this virus are linked back to jnsd400.dll. I am fairly certain that it is protecting itself (and not being protected by another process) from System Restore and registry rename operations through the winlogon process. I'm under the impression that klnnhl.exe is run by jnsd400.dll/winlogon to produce the spam and popups, etc. jnsd400.dll is about 400 KB. I cannot get a fix on klnnhl.exe (it is not what Windows Explorer recognizes as a hidden file, and other programs cannot detect its presence).
Strangely enough, when it is running as a process, IBProcMan will show it as running from c:\windows\system32\klnnhl.exe, even though applications cannot find the actual file (Explorer/Killbox).


Also to note, sometimes there are as many as 6 copies of c:\windows\system32\svchost.exe running. I remember when there used to be only 4, however that may have changed with SP2, I'm not sure.

Another thing I practice is regularly deleting the contents of Documents and Settings\User\Local Settings\Temp, as I've found in the past that it is the typical location where programs are stored to hide processes.

Thank you for responding.
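The two logs posted above (3 July and 5 July) together show the two behaviours the poster describes: the same Winlogon Notify DLL re-registered under a different subkey name (ModuleUsage, then Group Policy), and the same [KavSvc] Run value pointing at a renamed executable (rlmmul.exe, then klnnhl.exe), alongside a NameServer that is not the DSL provider's and a bare dupp.exe in Global Startup. The following is an added example, not code from the thread or from HijackThis: a small cross-scan triage over HJT 1.99 O4/O17/O20 lines that reports exactly those signals and stays silent on the entries that did not change. The sample lines are copied from the logs above and trimmed; the XP Winlogon Notify baseline and the DNS allowlist (the two addresses the poster attributes to the DSL provider) are assumptions.

```python
"""Cross-scan triage of HijackThis 1.99 log lines.  Added example, not part
of the thread; sample lines below are copied from the posted logs and trimmed."""
import re
from collections import defaultdict

# HJT 1.99 line shapes handled here; anything else is ignored.
O4_RUN     = re.compile(r'^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O4_STARTUP = re.compile(r'^O4 - Global Startup: (?P<file>.+)$')
O17_DNS    = re.compile(r'^O17 - HKLM\\System\\(?:CCS|CS\d+)\\Services\\Tcpip\\\.\.\\\{[^}]+\}: NameServer = (?P<servers>.+)$')
O20_NOTIFY = re.compile(r'^O20 - Winlogon Notify: (?P<subkey>.+?) - (?P<dll>.+)$')
EXE_IN_CMD = re.compile(r'^"?(?P<image>.+?\.exe)"?(?:\s|$)', re.I)

# Winlogon\Notify DLLs of a default XP SP2 install.  ASSUMED baseline:
# confirm against a known-clean machine before relying on it.
XP_NOTIFY_BASELINE = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}


def parse_hjt(text):
    """Pull the O4/O17/O20 facts we triage out of one HJT log."""
    s = {"run": {}, "startup": [], "dns": set(), "notify": defaultdict(set)}
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RUN.match(line):
            img = EXE_IN_CMD.match(m["cmd"])          # quoted or unquoted image path
            s["run"][m["name"]] = (img["image"] if img else m["cmd"]).lower()
        elif m := O4_STARTUP.match(line):
            s["startup"].append(m["file"])
        elif m := O17_DNS.match(line):
            s["dns"].update(m["servers"].split())     # one line may list several servers
        elif m := O20_NOTIFY.match(line):
            s["notify"][m["dll"].lower()].add(m["subkey"])
    return s


def triage(scans, dns_allowlist=()):
    """scans: [(label, parse_hjt(...)), ...] oldest first.  Returns a list of
    (kind, item, detail) findings; entries that look stable produce nothing."""
    findings, reported = [], set()
    subkeys_by_dll, images_by_name = defaultdict(list), defaultdict(list)
    for label, s in scans:
        for dll, keys in s["notify"].items():
            if dll.rsplit("\\", 1)[-1] not in XP_NOTIFY_BASELINE and dll not in reported:
                reported.add(dll)
                findings.append(("O20", dll, f"{label}: Winlogon Notify DLL outside the XP baseline"))
            for k in sorted(keys):
                if k not in subkeys_by_dll[dll]:
                    subkeys_by_dll[dll].append(k)
        for name, image in s["run"].items():
            base = image.rsplit("\\", 1)[-1]
            if base not in images_by_name[name]:
                images_by_name[name].append(base)
        for f in s["startup"]:
            if "\\" not in f and not f.lower().endswith(".lnk"):
                findings.append(("O4", f, f"{label}: bare executable in Global Startup"))
        for ip in sorted(s["dns"] - set(dns_allowlist) - reported):
            reported.add(ip)
            findings.append(("O17", ip, f"{label}: NameServer not in allowlist"))
    # Cross-scan signals: the same DLL re-registered under new subkey names,
    # and a Run value whose executable keeps changing its file name.
    for dll, keys in subkeys_by_dll.items():
        if len(keys) > 1:
            findings.append(("O20", dll, "subkey name changes between scans: " + " -> ".join(keys)))
    for name, bases in images_by_name.items():
        if len(bases) > 1:
            findings.append(("O4", name, "image renamed between scans: " + " -> ".join(bases)))
    return findings


# Constructed sample: lines copied from the 3 July and 5 July logs, trimmed.
SCAN_JUL3 = r"""
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlmmul.exe reg_run
O4 - Global Startup: dupp.exe
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\system32\jnsd400.dll
"""
SCAN_JUL5 = r"""
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\klnnhl.exe reg_run
O17 - HKLM\System\CCS\Services\Tcpip\..\{46356BC1-82EB-4B1F-B9BD-19BA720D61E0}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{BEA4B3CA-098A-48CD-A792-CEC61012639D}: NameServer = 151.199.0.39 207.68.32.39
O17 - HKLM\System\CS1\Services\Tcpip\..\{46356BC1-82EB-4B1F-B9BD-19BA720D61E0}: NameServer = 205.188.146.145
O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\jnsd400.dll
"""
# The poster attributes these two resolvers to the DSL provider (assumption).
ISP_DNS = ("151.199.0.39", "207.68.32.39")


def run_example():
    scans = [("2005-07-03", parse_hjt(SCAN_JUL3)), ("2005-07-05", parse_hjt(SCAN_JUL5))]
    return triage(scans, dns_allowlist=ISP_DNS)


if __name__ == "__main__":
    for kind, item, detail in run_example():
        print(f"[{kind}] {item}: {detail}")
```

The cross-scan checks are the point: a single log cannot tell a randomly named Run entry from a badly named vendor tool, but the same value pointing at a different six-letter executable two days later, or the same DLL surfacing under a different Notify subkey, is a much stronger signal than any one line.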

#4 OldTimer (Malware Expert)

Posted 06 July 2005 - 10:39 AM

Hi Alane. It appears that you have a Qoologic infection here. It can be accompanied by an L2M infection which must be removed first so to begin with we will check for that.
  • Download l2mfix.exe and save it to your desktop.
  • Double click l2mfix.exe to start the installation.
  • Click the Install button to extract the files and follow the prompts.
  • Open the newly added l2mfix folder on your desktop.
  • Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing the Enter key.
This will scan your computer and it may appear nothing is happening, then, after a minute or 2, Notepad will open with a log. Copy/paste the entire content of that log into this thread and I will review the information when it comes in. Do not run any other options from the l2mfix.bat until I have had a chance to review the log and respond back.

OT

#5 Alane (Topic Starter)

Posted 06 July 2005 - 09:06 PM

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DateTime]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jnsd400.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A1F72706-EED3-836D-FE52-4F71CA66647F}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{7CDDBD23-1B50-47b2-B28D-1B84D9A40ED1}"="Sony Digital Voice File Shell Extention Module"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{59403EC0-EA55-11d5-954A-9A53884D6E09}"="SecureDoc"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension"
"{F7F7F293-5F1A-4EE6-9762-96455BC8F3FE}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F7F7F293-5F1A-4EE6-9762-96455BC8F3FE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F7F7F293-5F1A-4EE6-9762-96455BC8F3FE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F7F7F293-5F1A-4EE6-9762-96455BC8F3FE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F7F7F293-5F1A-4EE6-9762-96455BC8F3FE}\InprocServer32]
@="C:\\WINDOWS\\system32\\dunet.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is B027-C056

Directory of C:\WINDOWS\System32

07/06/2005 09:45 AM 417,792 dunet.dll
07/04/2005 12:39 PM 417,792 rzutils.dll
07/04/2005 12:04 PM 417,792 acmparse.dll
07/04/2005 11:47 AM 417,792 oebcint.dll
07/04/2005 10:07 AM 417,792 smprv.dll
07/03/2005 09:40 PM 417,792 hbui.dll
07/03/2005 08:07 PM 417,792 jsbexec.dll
07/03/2005 07:51 PM 417,792 iUsacct.dll
07/03/2005 07:06 PM 417,792 dnskperf.dll
07/03/2005 06:57 PM 417,792 usandlg.dll
06/30/2005 03:41 PM 417,792 swndmail.dll
06/30/2005 10:10 AM 417,792 jnsd400.dll
06/29/2005 10:57 AM 417,792 ripsnd.dll
06/29/2005 10:53 AM 417,792 gliplus.dll
06/29/2005 10:21 AM 417,792 oeeprn.dll
06/28/2005 11:38 PM 417,792 kddgkl.dll
06/28/2005 06:08 PM <DIR> dllcache
06/28/2005 06:02 PM 417,792 dalay.dll
06/28/2005 05:44 PM 417,792 nbtlogon.dll
06/28/2005 09:56 AM 417,792 iefosoft.dll
06/26/2005 11:10 AM 417,792 kfdgr.dll
06/24/2005 12:31 AM 417,792 mpxbse35.dl_
06/22/2005 10:57 AM 417,792 mdxbse35.dll
06/19/2005 01:03 PM 417,792 SZRT01.dll
06/18/2005 11:32 AM 417,792 guard.tmp
06/18/2005 12:18 AM 417,792 maltus35.dll
01/19/2005 01:07 AM 846 Zgl8.du7
01/13/2005 02:56 PM 4,402 nfgjx.txt
01/13/2005 12:38 PM 3,567 sofnm.log
01/12/2005 08:54 PM 4,402 mzrxh.dat
12/15/2004 10:48 PM 4,402 xyjem.txt
02/24/2004 01:51 AM <DIR> Microsoft
04/05/2001 01:43 PM 94,208 msstkprp.dll
31 File(s) 10,556,627 bytes
2 Dir(s) 40,782,468,096 bytes free


Interesting, I eagerly await your reply.

When running the option, Windows did show an error. After ignoring it, this log showed up.

The error was:
Title: 16 bit MS-DOS Subsystem
Message: C:\Windows\system32\cmd.exe
C:\Windows\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.
Don't know if this is relevant, but I included it anyway.

Edited by Alane, 06 July 2005 - 09:10 PM.


#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 07 July 2005 - 12:00 AM

Hi Alane. Ah yes. There is definitely an L2M infection here. Let's fix that up first.

Print these directions or copy/paste them into a Notepad document and save it to your desktop. Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop:
  • Double click l2mfix.bat and select option #5 for Fix Autoexec.nt/cmd.exe error by typing 5 and then pressing the Enter key.
  • Now select option #4 for merge Winlogon Notify Defaults by typing 4 and then pressing the Enter key.
  • Now select option #2 for Run Fix by typing 2 and then pressing the Enter key.
  • Press any key to reboot your computer.
After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, Notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with the log from the scan below.
  • Download FindQoologic2.zip save it to your Desktop.
  • Unzip Find-Qoologic2.zip to its own folder and then use Windows Explorer to navigate to that folder.
  • Double-click the Find-Qoologic2.bat file to run it. It will take some time so be patient.
  • When Notepad opens with the results in it copy/paste the entire contents of the document back here.
Post the 2 log files back here (from the l2m fix and the new qoologic scan) and I will review them when they come in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

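The directory listing and CLSID export in the post above show the Look2Me pattern OldTimer is pointing at: a run of randomly named DLLs in system32 that all have exactly the same size and were dropped over a few days, plus an entry in the Approved shell-extensions list with an empty name whose InprocServer32 points at one of those files. The Python script below is an added example for this thread (it is not part of l2mfix or of any post here) that parses those two log formats and flags that combination. The sample lines are a constructed subset copied from the logs above, and the cluster threshold of three identically sized files is an assumed heuristic.

```python
"""Flag the Look2Me (L2M) indicators visible in a dir listing and a CLSID .reg export.

Added example for this thread, not part of l2mfix or the original post.
The sample text below is a constructed subset of the logs posted above.
"""
import re
from collections import defaultdict

# Constructed sample: a few lines of the `dir C:\WINDOWS\System32` listing posted above.
DIR_LISTING = """\
07/06/2005 09:45 AM 417,792 dunet.dll
07/04/2005 12:39 PM 417,792 rzutils.dll
07/04/2005 12:04 PM 417,792 acmparse.dll
06/28/2005 06:08 PM <DIR> dllcache
06/18/2005 11:32 AM 417,792 guard.tmp
01/13/2005 02:56 PM 4,402 nfgjx.txt
02/24/2004 01:51 AM <DIR> Microsoft
04/05/2001 01:43 PM 94,208 msstkprp.dll
"""

# Constructed sample: the CLSID export and two Approved-list entries from the log above.
CLSID_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{F7F7F293-5F1A-4EE6-9762-96455BC8F3FE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F7F7F293-5F1A-4EE6-9762-96455BC8F3FE}\InprocServer32]
@="C:\\WINDOWS\\system32\\dunet.dll"
"ThreadingModel"="Apartment"
"""

APPROVED_EXPORT = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{F7F7F293-5F1A-4EE6-9762-96455BC8F3FE}"=""
"""

DIR_LINE = re.compile(r"^(\d\d/\d\d/\d{4})\s+(\d\d:\d\d [AP]M)\s+(<DIR>|[\d,]+)\s+(.+)$")


def parse_dir_listing(text):
    """Return (name, size_in_bytes) tuples for files; directory rows are skipped."""
    files = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m or m.group(3) == "<DIR>":
            continue
        files.append((m.group(4), int(m.group(3).replace(",", ""))))
    return files


def size_clusters(files, min_count=3):
    """Group files by size; keep sizes shared by min_count or more files (assumed threshold).
    Look2Me drops many randomly named copies of one DLL, so identical sizes stand out."""
    by_size = defaultdict(list)
    for name, size in files:
        by_size[size].append(name)
    return {size: names for size, names in by_size.items() if len(names) >= min_count}


KEY_LINE = re.compile(r"^\[(.+)\]$")
DEFAULT_VALUE = re.compile(r'^@="(.*)"$')


def inproc_servers(reg_text):
    """Map CLSID -> InprocServer32 path from a .reg export (un-doubles the backslashes)."""
    servers, current = {}, None
    for line in reg_text.splitlines():
        k = KEY_LINE.match(line.strip())
        if k:
            current = k.group(1)
            continue
        v = DEFAULT_VALUE.match(line.strip())
        if v and current and current.upper().endswith("\\INPROCSERVER32"):
            clsid = current.split("\\")[-2]
            servers[clsid] = v.group(1).replace("\\\\", "\\")
    return servers


def unnamed_approved(reg_text):
    """CLSIDs in the Approved shell-extensions list that are registered with an empty name."""
    return [m.group(1) for m in
            (re.match(r'^"(\{[0-9A-Fa-f-]+\})"=""$', ln.strip()) for ln in reg_text.splitlines())
            if m]


def find_l2m_indicators(dir_text, clsid_text, approved_text):
    """Cross-reference the three signals and return the clusters plus any suspect extension."""
    clusters = size_clusters(parse_dir_listing(dir_text))
    cluster_names = {n.lower() for names in clusters.values() for n in names}
    servers = inproc_servers(clsid_text)
    suspects = []
    for clsid in unnamed_approved(approved_text):
        path = servers.get(clsid, "")
        if path.split("\\")[-1].lower() in cluster_names:
            suspects.append((clsid, path))
    return {"clusters": clusters, "suspect_extensions": suspects}


if __name__ == "__main__":
    result = find_l2m_indicators(DIR_LISTING, CLSID_EXPORT, APPROVED_EXPORT)
    for size, names in result["clusters"].items():
        print(f"{len(names)} files of {size} bytes: {', '.join(names)}")
    for clsid, path in result["suspect_extensions"]:
        print(f"unnamed approved shell extension {clsid} -> {path}")
```

Run against a full `dir` listing and a `reg export HKCR\CLSID` dump, this reduces the eyeballing step to a handful of candidates. The identical-size rule is only an indicator, legitimate files cluster too (the tool's own log says as much), so treat the output as leads to verify rather than a delete list; the extension check, which ties an unnamed Approved entry to a file inside a cluster, is the stronger of the two signals.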

#7 Alane

Alane
  • Topic Starter

  • Members
  • 7 posts

Posted 07 July 2005 - 01:04 PM

MERGE LOG:


"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


FIX LOG:

L2Mfix 1.03

Running From:
C:\Documents and Settings\User\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\User\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\User\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1932 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1296 'rundll32.exe'
Killing PID 1296 'rundll32.exe'
Killing PID 1296 'rundll32.exe'
Killing PID 1296 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\acmparse.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\acmparse.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dalay.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dalay.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dnskperf.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dnskperf.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dunet.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dunet.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gliplus.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\gliplus.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hbui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hbui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iefosoft.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iefosoft.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iUsacct.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iUsacct.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jnsd400.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jnsd400.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jsbexec.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\jsbexec.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kddgkl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kddgkl.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kfdgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kfdgr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\maltus35.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\maltus35.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mdxbse35.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mdxbse35.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mjiqtz32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mjiqtz32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nbtlogon.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\nbtlogon.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oebcint.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oebcint.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oeeprn.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\oeeprn.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ripsnd.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ripsnd.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rzutils.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\rzutils.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\smprv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\smprv.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\swndmail.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\swndmail.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\SZRT01.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\SZRT01.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\usandlg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\usandlg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\acmparse.dll
Successfully Deleted: C:\WINDOWS\system32\acmparse.dll
deleting: C:\WINDOWS\system32\acmparse.dll
Successfully Deleted: C:\WINDOWS\system32\acmparse.dll
deleting: C:\WINDOWS\system32\dalay.dll
Successfully Deleted: C:\WINDOWS\system32\dalay.dll
deleting: C:\WINDOWS\system32\dalay.dll
Successfully Deleted: C:\WINDOWS\system32\dalay.dll
deleting: C:\WINDOWS\system32\dnskperf.dll
Successfully Deleted: C:\WINDOWS\system32\dnskperf.dll
deleting: C:\WINDOWS\system32\dnskperf.dll
Successfully Deleted: C:\WINDOWS\system32\dnskperf.dll
deleting: C:\WINDOWS\system32\dunet.dll
Successfully Deleted: C:\WINDOWS\system32\dunet.dll
deleting: C:\WINDOWS\system32\dunet.dll
Successfully Deleted: C:\WINDOWS\system32\dunet.dll
deleting: C:\WINDOWS\system32\gliplus.dll
Successfully Deleted: C:\WINDOWS\system32\gliplus.dll
deleting: C:\WINDOWS\system32\gliplus.dll
Successfully Deleted: C:\WINDOWS\system32\gliplus.dll
deleting: C:\WINDOWS\system32\hbui.dll
Successfully Deleted: C:\WINDOWS\system32\hbui.dll
deleting: C:\WINDOWS\system32\hbui.dll
Successfully Deleted: C:\WINDOWS\system32\hbui.dll
deleting: C:\WINDOWS\system32\iefosoft.dll
Successfully Deleted: C:\WINDOWS\system32\iefosoft.dll
deleting: C:\WINDOWS\system32\iefosoft.dll
Successfully Deleted: C:\WINDOWS\system32\iefosoft.dll
deleting: C:\WINDOWS\system32\iUsacct.dll
Successfully Deleted: C:\WINDOWS\system32\iUsacct.dll
deleting: C:\WINDOWS\system32\iUsacct.dll
Successfully Deleted: C:\WINDOWS\system32\iUsacct.dll
deleting: C:\WINDOWS\system32\jnsd400.dll
Successfully Deleted: C:\WINDOWS\system32\jnsd400.dll
deleting: C:\WINDOWS\system32\jnsd400.dll
Successfully Deleted: C:\WINDOWS\system32\jnsd400.dll

//Hallelujah!
deleting: C:\WINDOWS\system32\jsbexec.dll
Successfully Deleted: C:\WINDOWS\system32\jsbexec.dll
deleting: C:\WINDOWS\system32\jsbexec.dll
Successfully Deleted: C:\WINDOWS\system32\jsbexec.dll
deleting: C:\WINDOWS\system32\kddgkl.dll
Successfully Deleted: C:\WINDOWS\system32\kddgkl.dll
deleting: C:\WINDOWS\system32\kddgkl.dll
Successfully Deleted: C:\WINDOWS\system32\kddgkl.dll
deleting: C:\WINDOWS\system32\kfdgr.dll
Successfully Deleted: C:\WINDOWS\system32\kfdgr.dll
deleting: C:\WINDOWS\system32\kfdgr.dll
Successfully Deleted: C:\WINDOWS\system32\kfdgr.dll
deleting: C:\WINDOWS\system32\maltus35.dll
Successfully Deleted: C:\WINDOWS\system32\maltus35.dll
deleting: C:\WINDOWS\system32\maltus35.dll
Successfully Deleted: C:\WINDOWS\system32\maltus35.dll
deleting: C:\WINDOWS\system32\mdxbse35.dll
Successfully Deleted: C:\WINDOWS\system32\mdxbse35.dll
deleting: C:\WINDOWS\system32\mdxbse35.dll
Successfully Deleted: C:\WINDOWS\system32\mdxbse35.dll
deleting: C:\WINDOWS\system32\mjiqtz32.dll
Successfully Deleted: C:\WINDOWS\system32\mjiqtz32.dll
deleting: C:\WINDOWS\system32\mjiqtz32.dll
Successfully Deleted: C:\WINDOWS\system32\mjiqtz32.dll
deleting: C:\WINDOWS\system32\nbtlogon.dll
Successfully Deleted: C:\WINDOWS\system32\nbtlogon.dll
deleting: C:\WINDOWS\system32\nbtlogon.dll
Successfully Deleted: C:\WINDOWS\system32\nbtlogon.dll
deleting: C:\WINDOWS\system32\oebcint.dll
Successfully Deleted: C:\WINDOWS\system32\oebcint.dll
deleting: C:\WINDOWS\system32\oebcint.dll
Successfully Deleted: C:\WINDOWS\system32\oebcint.dll
deleting: C:\WINDOWS\system32\oeeprn.dll
Successfully Deleted: C:\WINDOWS\system32\oeeprn.dll
deleting: C:\WINDOWS\system32\oeeprn.dll
Successfully Deleted: C:\WINDOWS\system32\oeeprn.dll
deleting: C:\WINDOWS\system32\ripsnd.dll
Successfully Deleted: C:\WINDOWS\system32\ripsnd.dll
deleting: C:\WINDOWS\system32\ripsnd.dll
Successfully Deleted: C:\WINDOWS\system32\ripsnd.dll
deleting: C:\WINDOWS\system32\rzutils.dll
Successfully Deleted: C:\WINDOWS\system32\rzutils.dll
deleting: C:\WINDOWS\system32\rzutils.dll
Successfully Deleted: C:\WINDOWS\system32\rzutils.dll
deleting: C:\WINDOWS\system32\smprv.dll
Successfully Deleted: C:\WINDOWS\system32\smprv.dll
deleting: C:\WINDOWS\system32\smprv.dll
Successfully Deleted: C:\WINDOWS\system32\smprv.dll
deleting: C:\WINDOWS\system32\swndmail.dll
Successfully Deleted: C:\WINDOWS\system32\swndmail.dll
deleting: C:\WINDOWS\system32\swndmail.dll
Successfully Deleted: C:\WINDOWS\system32\swndmail.dll
deleting: C:\WINDOWS\system32\SZRT01.dll
Successfully Deleted: C:\WINDOWS\system32\SZRT01.dll
deleting: C:\WINDOWS\system32\SZRT01.dll
Successfully Deleted: C:\WINDOWS\system32\SZRT01.dll
deleting: C:\WINDOWS\system32\usandlg.dll
Successfully Deleted: C:\WINDOWS\system32\usandlg.dll
deleting: C:\WINDOWS\system32\usandlg.dll
Successfully Deleted: C:\WINDOWS\system32\usandlg.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp


Zipping up files for submission:
adding: acmparse.dll (164 bytes security) (deflated 48%)
adding: dalay.dll (164 bytes security) (deflated 48%)
adding: dnskperf.dll (164 bytes security) (deflated 48%)
adding: dunet.dll (164 bytes security) (deflated 48%)
adding: gliplus.dll (164 bytes security) (deflated 48%)
adding: hbui.dll (164 bytes security) (deflated 48%)
adding: iefosoft.dll (164 bytes security) (deflated 48%)
adding: iUsacct.dll (164 bytes security) (deflated 48%)
adding: jnsd400.dll (164 bytes security) (deflated 48%)
adding: jsbexec.dll (164 bytes security) (deflated 48%)
adding: kddgkl.dll (164 bytes security) (deflated 48%)
adding: kfdgr.dll (164 bytes security) (deflated 48%)
adding: maltus35.dll (164 bytes security) (deflated 48%)
adding: mdxbse35.dll (164 bytes security) (deflated 48%)
adding: mjiqtz32.dll (164 bytes security) (deflated 48%)
adding: nbtlogon.dll (164 bytes security) (deflated 48%)
adding: oebcint.dll (164 bytes security) (deflated 48%)
adding: oeeprn.dll (164 bytes security) (deflated 48%)
adding: ripsnd.dll (164 bytes security) (deflated 48%)
adding: rzutils.dll (164 bytes security) (deflated 48%)
adding: smprv.dll (164 bytes security) (deflated 48%)
adding: swndmail.dll (164 bytes security) (deflated 48%)
adding: SZRT01.dll (164 bytes security) (deflated 48%)
adding: usandlg.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 22%)
adding: echo.reg (164 bytes security) (deflated 8%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 89%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 60%)
adding: test.txt (164 bytes security) (deflated 90%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: xfind.txt (164 bytes security) (deflated 87%)
adding: backregs/F7F7F293-5F1A-4EE6-9762-96455BC8F3FE.reg (164 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 87%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: acmparse.dll
deleting local copy: acmparse.dll
deleting local copy: dalay.dll
deleting local copy: dalay.dll
deleting local copy: dnskperf.dll
deleting local copy: dnskperf.dll
deleting local copy: dunet.dll
deleting local copy: dunet.dll
deleting local copy: gliplus.dll
deleting local copy: gliplus.dll
deleting local copy: hbui.dll
deleting local copy: hbui.dll
deleting local copy: iefosoft.dll
deleting local copy: iefosoft.dll
deleting local copy: iUsacct.dll
deleting local copy: iUsacct.dll
deleting local copy: jnsd400.dll
deleting local copy: jnsd400.dll
deleting local copy: jsbexec.dll
deleting local copy: jsbexec.dll
deleting local copy: kddgkl.dll
deleting local copy: kddgkl.dll
deleting local copy: kfdgr.dll
deleting local copy: kfdgr.dll
deleting local copy: maltus35.dll
deleting local copy: maltus35.dll
deleting local copy: mdxbse35.dll
deleting local copy: mdxbse35.dll
deleting local copy: mjiqtz32.dll
deleting local copy: mjiqtz32.dll
deleting local copy: nbtlogon.dll
deleting local copy: nbtlogon.dll
deleting local copy: oebcint.dll
deleting local copy: oebcint.dll
deleting local copy: oeeprn.dll
deleting local copy: oeeprn.dll
deleting local copy: ripsnd.dll
deleting local copy: ripsnd.dll
deleting local copy: rzutils.dll
deleting local copy: rzutils.dll
deleting local copy: smprv.dll
deleting local copy: smprv.dll
deleting local copy: swndmail.dll
deleting local copy: swndmail.dll
deleting local copy: SZRT01.dll
deleting local copy: SZRT01.dll
deleting local copy: usandlg.dll
deleting local copy: usandlg.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\acmparse.dll
C:\WINDOWS\system32\acmparse.dll
C:\WINDOWS\system32\dalay.dll
C:\WINDOWS\system32\dalay.dll
C:\WINDOWS\system32\dnskperf.dll
C:\WINDOWS\system32\dnskperf.dll
C:\WINDOWS\system32\dunet.dll
C:\WINDOWS\system32\dunet.dll
C:\WINDOWS\system32\gliplus.dll
C:\WINDOWS\system32\gliplus.dll
C:\WINDOWS\system32\hbui.dll
C:\WINDOWS\system32\hbui.dll
C:\WINDOWS\system32\iefosoft.dll
C:\WINDOWS\system32\iefosoft.dll
C:\WINDOWS\system32\iUsacct.dll
C:\WINDOWS\system32\iUsacct.dll
C:\WINDOWS\system32\jnsd400.dll
C:\WINDOWS\system32\jnsd400.dll
C:\WINDOWS\system32\jsbexec.dll
C:\WINDOWS\system32\jsbexec.dll
C:\WINDOWS\system32\kddgkl.dll
C:\WINDOWS\system32\kddgkl.dll
C:\WINDOWS\system32\kfdgr.dll
C:\WINDOWS\system32\kfdgr.dll
C:\WINDOWS\system32\maltus35.dll
C:\WINDOWS\system32\maltus35.dll
C:\WINDOWS\system32\mdxbse35.dll
C:\WINDOWS\system32\mdxbse35.dll
C:\WINDOWS\system32\mjiqtz32.dll
C:\WINDOWS\system32\mjiqtz32.dll
C:\WINDOWS\system32\nbtlogon.dll
C:\WINDOWS\system32\nbtlogon.dll
C:\WINDOWS\system32\oebcint.dll
C:\WINDOWS\system32\oebcint.dll
C:\WINDOWS\system32\oeeprn.dll
C:\WINDOWS\system32\oeeprn.dll
C:\WINDOWS\system32\ripsnd.dll
C:\WINDOWS\system32\ripsnd.dll
C:\WINDOWS\system32\rzutils.dll
C:\WINDOWS\system32\rzutils.dll
C:\WINDOWS\system32\smprv.dll
C:\WINDOWS\system32\smprv.dll
C:\WINDOWS\system32\swndmail.dll
C:\WINDOWS\system32\swndmail.dll
C:\WINDOWS\system32\SZRT01.dll
C:\WINDOWS\system32\SZRT01.dll
C:\WINDOWS\system32\usandlg.dll
C:\WINDOWS\system32\usandlg.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{F7F7F293-5F1A-4EE6-9762-96455BC8F3FE}"=-
[-HKEY_CLASSES_ROOT\CLSID\{F7F7F293-5F1A-4EE6-9762-96455BC8F3FE}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************


QOOLOGIC FIND RESULTS:
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* qoologic C:\WINDOWS\System32\WEB2_212.EXE
* KavSvc C:\WINDOWS\System32\WEB2_212.EXE
* KavSvc C:\WINDOWS\System32\EYOONYO.DLL
* KavSvc C:\WINDOWS\System32\PNHHONH.DLL
* KavSvc C:\WINDOWS\System32\RGQQI.DLL
* KavSvc C:\WINDOWS\System32\SUPDATE.DLL
* aspack C:\WINDOWS\System32\QGBBW.DAT
* aspack C:\WINDOWS\System32\CXRRDXR.EXE
* aspack C:\WINDOWS\System32\KLNNHL.EXE
* aspack C:\WINDOWS\System32\MRT.EXE
* aspack C:\WINDOWS\System32\WEB2_212.EXE
* aspack C:\WINDOWS\System32\D3DX9D~1.DLL
* aspack C:\WINDOWS\System32\D3DX9_25.DLL
* aspack C:\WINDOWS\System32\D3DX9_26.DLL
* aspack C:\WINDOWS\System32\EYOONYO.DLL
* aspack C:\WINDOWS\System32\NTDLL.DLL
* aspack C:\WINDOWS\System32\RGQQI.DLL
* aspack C:\WINDOWS\System32\SUPDATE.DLL
* aspack C:\WINDOWS\System32\REDIT.CPL
* UPX! C:\WINDOWS\System32\POP2.EXE
* UPX! C:\WINDOWS\System32\THIN-1~1.EXE
* UPX! C:\WINDOWS\System32\VULMCPH.EXE
* UPX! C:\WINDOWS\System32\PNHHONH.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\BUDDY.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\CERES.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini

User Startup:
C:\Documents and Settings\User\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gsttmstf
<NO NAME> REG_SZ {4e406370-b719-420b-8872-34a181f29185}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Hex Editor
<NO NAME> REG_SZ {6B28C27B-8A75-4DB1-A08A-86C8CCEC3AF3}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
<NO NAME> REG_SZ {BDA77241-42F6-11d0-85E2-00AA001FE28C}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SecureDocMenu
<NO NAME> REG_SZ {59403EC0-EA55-11d5-954A-9A53884D6E09}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
<NO NAME> REG_SZ {B41DB860-8EE4-11D2-9906-E49FADC173CA}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin



The L2M fix got rid of the main thing, it seems. I'll wait for your advice on cleaning the qoologic, as you are the first pro I've spoken to who knows what they're doing! I'm still getting some popups, but as we speak, Ad-Aware has found 135+ files on the PC, some of which I'm sure are listed in the qoologic find. I can see the light at the end of the tunnel, so thank you so much. Like I said, I'll wait for your advice before removing any of the qoologic files that Ad-Aware doesn't

#8 Alane

Alane
  • Topic Starter

  • Members
  • 7 posts

Posted 07 July 2005 - 01:11 PM

Just noticed something, though: the problem with klnnhl.exe is still there. It still shows up as an active process running from c:\windows\system32\klnnhl.exe; however, the file is still not there. My folder options show hidden files and do not hide critical system files. Sorry if I'm giving too much information, but I think it's better to give too much than not to give enough.

Edit: never mind. Apparently when the process is running, it's hiding the file from the OS. I had suspected as much earlier, but forgot to refresh the Explorer window after killing the process. I've successfully deleted klnnhl.exe, I hope.

Edit again: never mind, even after deleting the file, something is recreating it. I guess it's the qoologic (WEB_212.exe)? At any rate I'll just wait.

Edited by Alane, 07 July 2005 - 01:20 PM.


#9 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 07 July 2005 - 06:46 PM

Hi Alane. Yes, this was a pretty good infection. We have removed the first half so now let's go and get the second half. Believe me, there is a light out there somewhere haha.
  • Download the Pocket Killbox.
  • Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Select the option Delete on Reboot
  • Highlight the files in bold below and press the Ctrl key and the C key at the same time to copy them to the clipboard
    • C:\WINDOWS\System32\WEB2_212.EXE
      C:\WINDOWS\System32\EYOONYO.DLL
      C:\WINDOWS\System32\PNHHONH.DLL
      C:\WINDOWS\System32\RGQQI.DLL
      C:\WINDOWS\System32\SUPDATE.DLL
      C:\WINDOWS\System32\QGBBW.DAT
      C:\WINDOWS\System32\CXRRDXR.EXE
      C:\WINDOWS\System32\KLNNHL.EXE
      C:\WINDOWS\System32\EYOONYO.DLL
      C:\WINDOWS\System32\RGQQI.DLL
      C:\WINDOWS\System32\REDIT.CPL
      C:\WINDOWS\System32\POP2.EXE
      C:\WINDOWS\System32\THIN-1~1.EXE
      C:\WINDOWS\System32\VULMCPH.EXE
      C:\WINDOWS\System32\PNHHONH.DLL
      C:\WINDOWS\BUDDY.EXE
      C:\WINDOWS\CERES.DLL
  • In Killbox click on the File menu and then the Paste from Clipboard item
  • In the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
  • Now click on the red button with a white 'X' in the middle to delete the files
  • Click Yes when it says all files will be deleted on the next reboot
  • Click Yes when it asks if you want to reboot now
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually
  • After your system reboots, open Notepad and copy/paste the text in the quotebox below into the new document

REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gsttmstf]
[-HKEY_CLASSES_ROOT\CLSID\{4e406370-b719-420b-8872-34a181f29185}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4e406370-b719-420b-8872-34a181f29185}]

  • Save the document to your desktop as fixqoo.reg and close Notepad. Locate the fixqoo.reg file on your desktop and right-click on it
  • Choose Merge from the popup menu and answer Yes or Ok to any further prompts
  • Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
    • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\klnnhl.exe reg_run
      O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\jnsd400.dll
  • Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.
  • Reboot and post a new HijackThis log along with a new Find-Qoologic2.bat log
I will review the new information when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
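The fixqoo.reg above and the L2M fix log earlier in the thread both use REGEDIT4 syntax: `[-KEY]` deletes a key, `"name"=-` deletes a value, and `hex(2):` data is a REG_EXPAND_SZ string stored as UTF-16LE bytes, split across lines with a trailing backslash. The Python parser below is an added example (it is not code from the thread, from Killbox or from the L2M tool) that reads that format and lists what a merge would delete, which is the "please verify that the listing looks ok" check the L2M log asks for before merging. The sample text is constructed from entries that appear in the posted logs; the function names are mine.

```python
"""Parse REGEDIT4-style .reg text (added example, not code from the thread).

Covers the forms seen in the posted logs: [KEY], [-KEY] (delete key),
"name"="str", "name"=dword:, "name"=hex(2): with backslash continuation lines
(REG_EXPAND_SZ as UTF-16LE), bare hex: (REG_BINARY), @ (default) and "name"=-.
"""
import re

# Constructed sample: entries copied from the thread's L2M log and fixqoo.reg.
REG_SAMPLE = "\n".join([
    "REGEDIT4",
    "",
    r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]",
    '"Asynchronous"=dword:00000000',
    '"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\\',
    "  6c,00,6c,00,00,00",
    '"Logon"="TSEventLogon"',
    '"MaxWait"=dword:00000258',
    "",
    r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]",
    '"{F7F7F293-5F1A-4EE6-9762-96455BC8F3FE}"=-',
    "",
    r"[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gsttmstf]",
    r"[-HKEY_CLASSES_ROOT\CLSID\{4e406370-b719-420b-8872-34a181f29185}]",
])

VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')
HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$", re.IGNORECASE)


def _logical_lines(text):
    """Yield lines with trailing-backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        yield line
    if pending:
        yield pending


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def _decode_data(data):
    """Return (type_name, value); ('DELETE', None) for the '=-' form."""
    data = data.strip()
    if data == "-":
        return ("DELETE", None)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return ("REG_SZ", _unescape(data[1:-1]))
    if data.lower().startswith("dword:"):
        return ("REG_DWORD", int(data[6:], 16))
    m = HEX_RE.match(data)
    if m:
        kind = int(m.group(1) or 3)          # bare "hex:" is REG_BINARY (type 3)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind == 2:                        # REG_EXPAND_SZ: UTF-16LE plus NUL terminator
            return ("REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\x00"))
        return ("REG_BINARY", raw)
    raise ValueError("unrecognised data: %r" % data)


def parse_reg(text):
    """Return a list of (op, key, name, type, value) tuples in file order."""
    ops, key = [], None
    for line in _logical_lines(text):
        if (not line or line.upper() == "REGEDIT4" or line.startswith(";")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):
                key = None                   # values after a [-KEY] line are meaningless
                ops.append(("delete_key", body[1:], None, None, None))
            else:
                key = body
                ops.append(("create_key", key, None, None, None))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("cannot parse line: %r" % line)
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        typ, val = _decode_data(m.group(2))
        if typ == "DELETE":
            ops.append(("delete_value", key, name, None, None))
        else:
            ops.append(("set_value", key, name, typ, val))
    return ops


def destructive_ops(ops):
    """The subset to eyeball before merging: key and value deletions."""
    return [(op, key, name) for op, key, name, _, _ in ops if op.startswith("delete_")]


if __name__ == "__main__":
    for op in parse_reg(REG_SAMPLE):
        print(op)
    print("would delete:", destructive_ops(parse_reg(REG_SAMPLE)))
```

Running it on the sample decodes the termsrv `DllName` bytes back to `wlnotify.dll`, shows `MaxWait` as 600 (0x258), and reports three destructive operations: the value deletion under Shell Extensions\Approved and the two key deletions from fixqoo.reg. A file that turns up a deletion you did not expect is the one to look at before merging.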


#10 Alane

Alane
  • Topic Starter

  • Members
  • 7 posts

Posted 07 July 2005 - 09:42 PM

Ok, somehow my first post tonight didn't make it to the board.

I tried what you said, to the letter; however, there was a program in the startup folder called dupp.exe, and when the computer returned from reboot it regenerated most of the files that were deleted. I did attempt to post, but must have forgotten to submit, sorry.

Also, I noticed that the system process wuauclt.exe appeared twice in Task Manager. One was killable. Also of note, dllhost.exe was running.

I ran Find-Qoologic again and deleted the files that were left (the ones you recommended, that is) with Killbox. I also added dupp.exe from the All Users\...\Startup folder. After reboot, I merged the entries you posted again.

Now the computer is apparently clean of qoologic (but I'll happily leave that judgement to you); however, there's still a very minor problem. dllhost.exe is still around, as is the second copy of wuauclt.exe (at least on startup). Also, these two entries cannot be removed from the registry:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Here's the last log of find-qoologic

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* aspack C:\WINDOWS\System32\MRT.EXE
* aspack C:\WINDOWS\System32\D3DX9D~1.DLL
* aspack C:\WINDOWS\System32\D3DX9_25.DLL
* aspack C:\WINDOWS\System32\D3DX9_26.DLL
* aspack C:\WINDOWS\System32\NTDLL.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini

User Startup:
C:\Documents and Settings\User\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Hex Editor
<NO NAME> REG_SZ {6B28C27B-8A75-4DB1-A08A-86C8CCEC3AF3}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
<NO NAME> REG_SZ {BDA77241-42F6-11d0-85E2-00AA001FE28C}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SecureDocMenu
<NO NAME> REG_SZ {59403EC0-EA55-11d5-954A-9A53884D6E09}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
<NO NAME> REG_SZ {B41DB860-8EE4-11D2-9906-E49FADC173CA}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin


Oh yeah, I guess my HJT log didn't show up either, so I'll post my newest one as well:

Logfile of HijackThis v1.99.1
Scan saved at 10:36:56 PM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\DirectX Extensions\DXDebugService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\cmd.exe (from the qoologic.bat)
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\User\Desktop\hijack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {88B507F9-C6B2-45CC-AAB6-720A652DE11C} (TenOfTen Class) - https://help.verizon.net/hstwebinstall/web/...tWebInstall.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://everquest2.station.sony.com/beta_reg/soesysinfo.cab
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} (RegPropsCtrl Class) - https://help.verizon.net/hstwebinstall/web/...tWebInstall.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Edit: OK now there's a MAJOR new problem - I can't access any secure websites. I haven't really done anything else to cause this.

Edited by Alane, 08 July 2005 - 10:16 AM.
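To see what a cleanup pass actually changed, the two Find-Qoologic "Files found" sections in this thread (the one posted before the Killbox run and the one posted after it) can be compared mechanically instead of by eye. The script below is an added example, not part of Find-Qoologic or of the thread; the excerpts embedded in it are copied from the two posted logs (the "before" list is shortened), and the only names it treats as known-legitimate are the two the tool's own banner cites, MRT.EXE and NTDLL.DLL. Function names are mine.

```python
"""Diff two Find-Qoologic 'Files found' sections (added example, not from the
thread or from Find-Qoologic itself)."""
import re
from collections import defaultdict

# Excerpts copied from the two posted logs; the 'before' list is shortened.
BEFORE_LOG = r"""»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* qoologic C:\WINDOWS\System32\WEB2_212.EXE
* KavSvc C:\WINDOWS\System32\WEB2_212.EXE
* KavSvc C:\WINDOWS\System32\EYOONYO.DLL
* aspack C:\WINDOWS\System32\KLNNHL.EXE
* aspack C:\WINDOWS\System32\MRT.EXE
* aspack C:\WINDOWS\System32\WEB2_212.EXE
* aspack C:\WINDOWS\System32\EYOONYO.DLL
* aspack C:\WINDOWS\System32\NTDLL.DLL
* UPX! C:\WINDOWS\System32\POP2.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\CERES.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
"""

AFTER_LOG = r"""»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* aspack C:\WINDOWS\System32\MRT.EXE
* aspack C:\WINDOWS\System32\D3DX9D~1.DLL
* aspack C:\WINDOWS\System32\D3DX9_25.DLL
* aspack C:\WINDOWS\System32\D3DX9_26.DLL
* aspack C:\WINDOWS\System32\NTDLL.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
"""

# The two basenames the tool's own banner gives as examples of legitimate hits.
BANNER_LEGIT = {"mrt.exe", "ntdll.dll"}

FILE_RE = re.compile(r"^\*\s+(\S+)\s+(.+?)\s*$")   # "* <signature> <path>"


def parse_files_found(log):
    """Map lower-cased path -> set of signatures (packer or name hits) that flagged it."""
    hits = defaultdict(set)
    in_section = False
    for line in log.splitlines():
        if "Files found" in line:
            in_section = True
            continue
        if in_section and line.startswith("»"):   # next »»» header ends the section
            break
        m = FILE_RE.match(line.strip())
        if in_section and m:
            hits[m.group(2).lower()].add(m.group(1))
    return dict(hits)


def compare_runs(before, after):
    """Which flagged paths disappeared, which persisted, which appeared."""
    b, a = set(before), set(after)
    return {"removed": sorted(b - a), "persisting": sorted(b & a), "new": sorted(a - b)}


def multi_signature(hits):
    """Paths flagged by more than one signature: the strongest candidates to review."""
    return {p: sorted(s) for p, s in hits.items() if len(s) > 1}


def needs_decision(hits):
    """Hits whose basename is not one of the banner's known-legitimate examples."""
    return sorted(p for p in hits if p.rsplit("\\", 1)[-1] not in BANNER_LEGIT)


if __name__ == "__main__":
    before, after = parse_files_found(BEFORE_LOG), parse_files_found(AFTER_LOG)
    report = compare_runs(before, after)
    print("multi-signature hits before:", multi_signature(before))
    print("removed:", report["removed"])
    print("still present, not in banner allowlist:",
          needs_decision({p: after[p] for p in report["persisting"]}))
```

On the two excerpts the multi-signature list is WEB2_212.EXE (qoologic, KavSvc and aspack) and EYOONYO.DLL (KavSvc and aspack), which matches the files the expert singled out for deletion; a packer signature alone, as with MRT.EXE, NTDLL.DLL or TSC.EXE, is only a reason to look, not a verdict.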


#11 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 09 July 2005 - 08:49 PM

Hi Alane. Other than the 2 entries listed below to remove the log looks good. The 2 files you mentioned (dllhost.exe and wuauclt.exe) are both valid Windows processes. Do NOT delete or remove them or you will have some problems.

Now, let's remove the remaining 2 problem HijackThis items.

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:and a good antivirus like the one you are currently using. It is critical to have both a firewall and an anti-virus application and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
OldTimer


#12 Alane

Alane
  • Topic Starter

  • Members
  • 7 posts

Posted 09 July 2005 - 10:35 PM

Please listen:

The two registry entries I mentioned CANNOT be removed; they replace themselves automatically, in safe mode or normal mode.

Also I CANNOT access secure websites.

And I'm still getting popups- even when I leave my computer idle for hours with IE closed.

Fully updated ad-aware and virus scans don't pick up anything.

I might be clean of qoologic, but I've still got something serious going on here. I have to be able to access secure sites, especially if you ever want a PayPal donation ;)

#13 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 12 July 2005 - 10:23 AM

Hi Alane. Those 2 registry entries aren't bad. We just routinely clean them up for housekeeping purposes.

To restore the default search assistant do this:

Open Notepad and copy/paste the text in the quotebox below into the new document:

Option Explicit

Dim WSHShell, n, MyBox, p, itemtype, Title, vbdefaultbutton

Set WSHShell = WScript.CreateObject("WScript.Shell")
p = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\"
p = p & "Use Search Asst"
itemtype = "REG_SZ"
n = "yes"

WSHShell.RegWrite p, n, itemtype
Title = "The Search Assistant is now enabled." & vbCR
Title = Title & "You may need to Log off/Log on" & vbCR
Title = Title & "For the change to take effect."
MyBox = MsgBox(Title,64,"Finished")


Save the document to your desktop as searchasst.vbs and close Notepad. Locate the searchasst.vbs file on your desktop and double-click on it. Follow the prompts to reset the search assistant settings.

Here is a link dealing with secure site access issues. Follow the suggestions there for repairing secure site access:

http://www.duxcw.com/faq/win/xp/secure.htm

There is nothing showing in any logs or scans regarding infections or malware. Try a scan with ewido and see what it turns up:

Download and install ewido security suite. Update the program and then close it.

Start ewido and do the following:
  • Click on the Scanner button.
  • Click on the Complete System Scan.
  • If anything is found you will be prompted to clean the first infected file found. Choose Clean and put a checkmark in the checkbox for Perform action on all infections and click the Ok button to continue the scan.
  • When the scan is complete close ewido and reboot the computer normally.
Cheers.

OT
OldTimer




