HJT log - persistent ads, hosts


15 replies to this topic

#1 ehoss


Posted 02 December 2004 - 03:09 PM

Hi, I'm a complete newbie to this forum. In fact I've never posted in any forum, but I've searched through the entries in many of them.

To get to the point, I am having problems with persistent advertisement websites popping up whenever I open IE or Firefox, and sometimes even when I don't open them. I've run Adaware, Spybot, and AVG in safe mode, disabled many startup programs, and have repeatedly deleted entries using HJT - all to no avail. As you can see the hosts keep coming back, too (seconds after having been deleted)!

Below is my HJT log - I would appreciate any help anyone can offer. Thanks in advance!


Logfile of HijackThis v1.98.2
Scan saved at 2:34:22 PM, on 12/2/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\avgagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\HijackThis\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nappaneewindow.local
O17 - HKLM\Software\..\Telephony: DomainName = nappaneewindow.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nappaneewindow.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nappaneewindow.local
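The O1 lines above are the part of this log that explains the symptom: the hosts file is mapping the names IE and Netscape consult for address-bar searches to a public IP, so every "search" lands on a third party. Here is an added Python example (not from the thread, HijackThis, or any of the tools mentioned in it) that triages `O1 - Hosts:` lines by where the address points, collapses the duplicate `ieautosearch` entries, and flags search-assistant names redirected off the box. The sample lines are taken from the log above plus two constructed benign entries, and the `SEARCH_HOSTS` set is an assumption seeded from the hijacked names in this log.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the O1 lines from the HijackThis log above, plus two
# constructed lines (a loopback sinkhole and a LAN host) for contrast.
SAMPLE_O1_LINES = """\
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 www.igetnet.com
O1 - Hosts: 192.168.1.20 printer.lan
""".splitlines()

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

# Names that IE and Netscape resolve for "search assistant" traffic; this set
# is an assumption for the example, seeded from the hijacked names in the log.
SEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}


def parse_o1(lines):
    """Return (ip, hostname) pairs from HijackThis 'O1 - Hosts:' lines."""
    entries = []
    for line in lines:
        m = O1_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).lower()))
    return entries


def classify(ip):
    """Tell a sinkhole entry from a redirect by where the address points."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_unspecified:
        return "block"      # 127.0.0.1 / 0.0.0.0: name resolves to nowhere (ad-blocking lists)
    if addr.is_private:
        return "lan"        # RFC 1918: local naming, normally benign
    return "redirect"       # public IP: traffic for the name is sent to a third party


def triage(lines):
    """Collapse duplicates and flag search-assistant names redirected off-box."""
    findings = []
    for (ip, host), copies in Counter(parse_o1(lines)).items():
        kind = classify(ip)
        findings.append({
            "ip": ip,
            "host": host,
            "kind": kind,
            "copies": copies,
            "search_hijack": kind == "redirect" and host in SEARCH_HOSTS,
        })
    return findings


def by_host(findings, host):
    """Look up one finding by hostname (helper for callers and tests)."""
    return next(f for f in findings if f["host"] == host)


if __name__ == "__main__":
    for f in triage(SAMPLE_O1_LINES):
        flag = "HIJACK" if f["search_hijack"] else f["kind"]
        print(f"{flag:8} {f['ip']:15} {f['host']} (x{f['copies']})")
```

The split between "block" and "redirect" is the check worth keeping: hosts entries that point a name at 127.0.0.1 are how Spybot and ad-blocking lists work, so a long hosts file is not by itself a finding; a public IP on the right-hand side is.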



#2 Daisuke


Posted 03 December 2004 - 06:43 AM

Hi

Please stand by. There is no fix for this new infection yet.
Every day is virus day. Do you know where your recovery CDs are?
Did you create them yet?


#3 ehoss


Posted 06 December 2004 - 09:27 AM

cryo, thanks for the response!

I just now thought that maybe I should let you know that I have been checking back to see if anything else has been posted yet. I keep hoping to find that you've got this type of infection figured out, but I also know that these things can take time.

Thanks to everyone who is working on this one!

#4 Daisuke


Posted 06 December 2004 - 03:06 PM

Hi

1. Download VX2Finder from this link:
http://downloads.subratam.org/VX2Finder(126).exe
Run Vx2Finder and click on the Click to find VX2.BetterInternet button.

Click the Make Log button.

Save the log some place convenient like My Documents. Include the contents of the log in your next reply here.


2. Download this ZIP file

and unzip the contents to a folder, then open that folder and double click on Find.bat. It will run for a minute, then produce a log (ignore any File not found messages on the screen, it should continue anyway). Please copy and paste that log here as well.



3. Please download DllCompare from here
If you get a 404 Error send me a PM with your email please. I'll send you the file. There is no other place where you can download this file.

When it has downloaded, run the program and click on the Run Locate.com button. When that has completed, click on the Compare button. When that has completed, click on the Make Log of What Was Found button. Then post the contents of that log as a reply to this post.

Only if you get an error after pressing Run Locate.com:
copy autoexec.nt from c:\windows\repair\ folder to c:\windows\system32\ folder.


4. Please also open the c:\Windows\System32 folder and see if there's a file there called Guard.tmp visible and report that here as well.

Edited by cryo, 06 December 2004 - 03:07 PM.


#5 ehoss


Posted 07 December 2004 - 11:32 AM

Cryo, I followed your instructions and here are the vx2, findit, and dllcompare logs. I also checked for the Guard.tmp file in c:\windows\system32 but did not find it (I made sure to make all files visible first). Thanks!



vx2 log:

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
App Management
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon

Guardian Key--- is called:

User Agent String---
{FF886FD1-0802-49D5-A8B8-ECE8C80F20D6}


vx2_hosts log:

127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.igetnet.com
127.0.0.1 code.ignphrases.com
127.0.0.1 clear-search.com
127.0.0.1 r1.clrsch.com
127.0.0.1 sds.clrsch.com
127.0.0.1 status.clrsch.com
127.0.0.1 www.clrsch.com
127.0.0.1 clr-sch.com
127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
69.20.16.183 ieautosearch
69.20.16.183 ieautosearch
69.20.16.183 ieautosearch
69.20.16.183 ieautosearch
69.20.16.183 ieautosearch
69.20.16.183 ieautosearch


FindIt log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C is GreenHouse
Volume Serial Number is B8F3-4FE0

Directory of C:\WINDOWS\System32

12/07/2004 07:07 AM 225,772 ndhtml.dll
12/07/2004 07:07 AM 223,159 gp0ul3d91.dll
12/06/2004 03:59 PM 225,728 k0no0a53ed.dll
12/06/2004 07:02 AM 225,772 g4400ehmeh4a0.dll
12/02/2004 03:32 PM 224,342 ptlmon.dll
12/01/2004 05:32 PM 223,924 p68qlgl516q.dll
12/01/2004 05:06 PM <DIR> dllcache
12/01/2004 04:24 PM 223,924 hr8m05l1e.dll
12/01/2004 04:04 PM 223,924 j40sled71h0.dll
12/01/2004 03:58 PM 223,924 q6nulg5916.dll
12/01/2004 03:56 PM 223,080 j40s0ed7eh0.dll
12/01/2004 02:32 PM 222,610 axpmgr.dll
12/01/2004 02:16 PM 224,659 sdtupapi.dll
12/01/2004 02:14 PM 223,677 mlcbase.dll
12/01/2004 12:22 PM 225,357 dvraw.dll
11/30/2004 04:01 PM 223,633 dn0401dqe.dll
02/12/2003 06:30 AM <DIR> Microsoft
15 File(s) 3,363,485 bytes
2 Dir(s) 33,085,730,816 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is GreenHouse
Volume Serial Number is B8F3-4FE0

Directory of C:\WINDOWS\System32

12/01/2004 05:06 PM <DIR> dllcache
11/30/2004 02:38 PM <DIR> GroupPolicy
02/12/2003 06:04 AM 488 logonui.exe.manifest
02/12/2003 06:04 AM 488 WindowsLogon.manifest
02/12/2003 06:04 AM 749 wuaucpl.cpl.manifest
02/12/2003 06:04 AM 749 cdplayer.exe.manifest
02/12/2003 06:04 AM 749 sapi.cpl.manifest
02/12/2003 06:04 AM 749 ncpa.cpl.manifest
02/12/2003 06:04 AM 749 nwc.cpl.manifest
7 File(s) 4,721 bytes
2 Dir(s) 33,085,730,816 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is GreenHouse
Volume Serial Number is B8F3-4FE0

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C is GreenHouse
Volume Serial Number is B8F3-4FE0

Directory of C:\WINDOWS\System32

08/29/2002 07:00 AM 599,040 wininet.dll.tmp
08/29/2002 07:00 AM 2,577 CONFIG.TMP
2 File(s) 601,617 bytes
0 Dir(s) 33,085,726,720 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FF886FD1-0802-49D5-A8B8-ECE8C80F20D6}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g4400ehmeh4a0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------

C:\WINDOWS\System32\G4400E~1.DLL +++ File read error

-------------- Locate.com Results ---------------


C:\WINDOWS\SYSTEM32\
axpmgr.dll Wed Dec 1 2004 2:32:30p ..S.R 222,610 217.39 K
dn0401~1.dll Tue Nov 30 2004 4:01:20p ..S.R 223,633 218.39 K
dvraw.dll Wed Dec 1 2004 12:22:50p ..S.R 225,357 220.07 K
g4400e~1.dll Mon Dec 6 2004 7:02:54a ..S.R 225,772 220.48 K
gp0ul3~1.dll Tue Dec 7 2004 7:07:42a ..S.R 223,159 217.93 K
hr8m05~1.dll Wed Dec 1 2004 4:24:28p ..S.R 223,924 218.68 K
j40s0e~1.dll Wed Dec 1 2004 3:56:52p ..S.R 223,080 217.85 K
j40sle~1.dll Wed Dec 1 2004 4:04:38p ..S.R 223,924 218.68 K
k0no0a~1.dll Mon Dec 6 2004 3:59:56p ..S.R 225,728 220.44 K
mlcbase.dll Wed Dec 1 2004 2:14:46p ..S.R 223,677 218.43 K
ndhtml.dll Tue Dec 7 2004 7:07:42a ..S.R 225,772 220.48 K
p68qlg~1.dll Wed Dec 1 2004 5:32:02p ..S.R 223,924 218.68 K
ptlmon.dll Thu Dec 2 2004 3:32:18p ..S.R 224,342 219.08 K
q6nulg~1.dll Wed Dec 1 2004 3:58:48p ..S.R 223,924 218.68 K
sdtupapi.dll Wed Dec 1 2004 2:17:00p ..S.R 224,659 219.39 K

15 items found: 15 files, 0 directories.
Total of file sizes: 3,363,485 bytes 3.21 M


Dll Compare log:

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\axpmgr.dll Wed Dec 1 2004 2:32:30p ..S.R 222,610 217.39 K
C:\WINDOWS\SYSTEM32\dn0401~1.dll Tue Nov 30 2004 4:01:20p ..S.R 223,633 218.39 K
C:\WINDOWS\SYSTEM32\dvraw.dll Wed Dec 1 2004 12:22:50p ..S.R 225,357 220.07 K
C:\WINDOWS\SYSTEM32\g4400e~1.dll Mon Dec 6 2004 7:02:54a ..S.R 225,772 220.48 K
C:\WINDOWS\SYSTEM32\gp0ul3~1.dll Tue Dec 7 2004 7:07:42a ..S.R 223,159 217.93 K
C:\WINDOWS\SYSTEM32\hr8m05~1.dll Wed Dec 1 2004 4:24:28p ..S.R 223,924 218.68 K
C:\WINDOWS\SYSTEM32\j40s0e~1.dll Wed Dec 1 2004 3:56:52p ..S.R 223,080 217.85 K
C:\WINDOWS\SYSTEM32\j40sle~1.dll Wed Dec 1 2004 4:04:38p ..S.R 223,924 218.68 K
C:\WINDOWS\SYSTEM32\k0no0a~1.dll Mon Dec 6 2004 3:59:56p ..S.R 225,728 220.44 K
C:\WINDOWS\SYSTEM32\mlcbase.dll Wed Dec 1 2004 2:14:46p ..S.R 223,677 218.43 K
C:\WINDOWS\SYSTEM32\ndhtml.dll Tue Dec 7 2004 7:07:42a ..S.R 225,772 220.48 K
C:\WINDOWS\SYSTEM32\p68qlg~1.dll Wed Dec 1 2004 5:32:02p ..S.R 223,924 218.68 K
C:\WINDOWS\SYSTEM32\ptlmon.dll Thu Dec 2 2004 3:32:18p ..S.R 224,342 219.08 K
C:\WINDOWS\SYSTEM32\q6nulg~1.dll Wed Dec 1 2004 3:58:48p ..S.R 223,924 218.68 K
C:\WINDOWS\SYSTEM32\sdtupapi.dll Wed Dec 1 2004 2:17:00p ..S.R 224,659 219.39 K
________________________________________________

1,310 items found: 1,310 files (15 H/S), 0 directories.
Total of file sizes: 268,474,573 bytes 256.04 M

Administrator Account = True

--------------------End log---------------------
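What makes the FindIt and Locate.com listings above readable at a glance is not the random file names but the clustering: fifteen DLLs written within one week, all between 222 KB and 226 KB, all System+Read-only. That pattern is what the Killbox list in the next reply is built from. Here is an added Python example (not from the thread or from FindIt) that parses `dir`-style listing lines and groups recently written files by near-identical size, so the clone set falls out mechanically. The listing is a constructed excerpt in the shape of the "System Files in System32 Directory" section above, with three old manifests added for contrast; the tolerance and window values are assumptions chosen for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the FindIt "dir" listing above: nine of
# the recently dropped DLLs, a directory entry, and three old manifests.
SAMPLE_DIR_LISTING = """\
12/07/2004 07:07 AM 225,772 ndhtml.dll
12/07/2004 07:07 AM 223,159 gp0ul3d91.dll
12/06/2004 03:59 PM 225,728 k0no0a53ed.dll
12/06/2004 07:02 AM 225,772 g4400ehmeh4a0.dll
12/02/2004 03:32 PM 224,342 ptlmon.dll
12/01/2004 05:32 PM 223,924 p68qlgl516q.dll
12/01/2004 05:06 PM <DIR> dllcache
12/01/2004 04:24 PM 223,924 hr8m05l1e.dll
12/01/2004 02:32 PM 222,610 axpmgr.dll
11/30/2004 04:01 PM 223,633 dn0401dqe.dll
02/12/2003 06:04 AM 749 wuaucpl.cpl.manifest
02/12/2003 06:04 AM 749 cdplayer.exe.manifest
02/12/2003 06:04 AM 749 sapi.cpl.manifest
"""

# date, time, size-or-<DIR>, name (cmd.exe 'dir' layout as FindIt prints it)
DIR_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")


def parse_dir_listing(text):
    """Return one dict per file (directories are skipped)."""
    files = []
    for line in text.splitlines():
        m = DIR_RE.match(line.strip())
        if not m or m.group(2) == "<DIR>":
            continue
        when = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M %p")
        files.append({"name": m.group(3),
                      "size": int(m.group(2).replace(",", "")),
                      "mtime": when})
    return files


def size_clusters(files, tolerance=4096, min_members=3, window_days=14):
    """Group files written within `window_days` of the newest file whose sizes
    form a chain with gaps of at most `tolerance` bytes; report clusters with
    at least `min_members` files. Near-identical, freshly written copies are
    the dropper signature visible in the listing above."""
    if not files:
        return []
    newest = max(f["mtime"] for f in files)
    recent = sorted(
        (f for f in files if newest - f["mtime"] <= timedelta(days=window_days)),
        key=lambda f: f["size"])
    if not recent:
        return []
    clusters, current = [], [recent[0]]
    for prev, f in zip(recent, recent[1:]):
        if f["size"] - prev["size"] <= tolerance:
            current.append(f)
        else:
            clusters.append(current)
            current = [f]
    clusters.append(current)
    return [c for c in clusters if len(c) >= min_members]


def cluster_names(cluster):
    """Sorted file names of one cluster."""
    return sorted(f["name"] for f in cluster)


if __name__ == "__main__":
    for cluster in size_clusters(parse_dir_listing(SAMPLE_DIR_LISTING)):
        lo, hi = cluster[0]["size"], cluster[-1]["size"]
        print(f"{len(cluster)} files, {lo:,}-{hi:,} bytes:")
        for name in cluster_names(cluster):
            print("   ", name)
```

The recency window is what keeps the three 749-byte manifests out of the result: they cluster perfectly by size but were written in 2003, while the DLLs were all dropped in the week before the log was taken. Tightening `window_days` narrows the set to the most recent generation of the dropper, which is a useful way to see which file is the current "live" copy.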

#6 Daisuke


Posted 07 December 2004 - 01:31 PM

Hi

Disconnect from the internet.

Start Killbox and click on Tools --> Select Delete Temp Files. Click OK.


When that finishes, copy and paste each of the following lines into the Full Path of File to Delete box in Killbox, and click the red button with the white X on it after each.

After each file press the Delete button (the button that looks like a red circle with a white X in it).

Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those in a minute:

C:\WINDOWS\SYSTEM32\axpmgr.dll

C:\WINDOWS\SYSTEM32\dn0401dqe.dll

C:\WINDOWS\SYSTEM32\dvraw.dll

C:\WINDOWS\SYSTEM32\g4400ehmeh4a0.dll

C:\WINDOWS\SYSTEM32\gp0ul3d91.dll

C:\WINDOWS\SYSTEM32\hr8m05l1e.dll

C:\WINDOWS\SYSTEM32\j40s0ed7eh0.dll

C:\WINDOWS\SYSTEM32\j40sled71h0.dll

C:\WINDOWS\SYSTEM32\k0no0a53ed.dll

C:\WINDOWS\SYSTEM32\mlcbase.dll

C:\WINDOWS\SYSTEM32\ndhtml.dll

C:\WINDOWS\SYSTEM32\p68qlgl516q.dll

C:\WINDOWS\SYSTEM32\ptlmon.dll

C:\WINDOWS\SYSTEM32\q6nulg5916.dll

C:\WINDOWS\SYSTEM32\sdtupapi.dll


C:\Windows\System32\Guard.tmp


For the files that it either couldn't find or couldn't delete, run killbox again, but this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No" until after you've pasted the last file name, at which time you should answer "Yes".


Click Start, Run and type cmd. Press OK.

A DOS window will open.

Type the following and then press Enter after typing each one:

attrib -h -s c:\recycler

del c:\recycler

Close the window and REBOOT.

Check if the Recycle Bin is OK. Create an empty TXT file and delete it.


Run Find.bat, DLLCompare and HijackThis again and post the logs, please.

#7 ehoss


Posted 07 December 2004 - 05:21 PM

OK, here are the new logs.

Find.bat:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C is GreenHouse
Volume Serial Number is B8F3-4FE0

Directory of C:\WINDOWS\System32

12/01/2004 05:06 PM <DIR> dllcache
02/12/2003 06:30 AM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 33,062,277,120 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is GreenHouse
Volume Serial Number is B8F3-4FE0

Directory of C:\WINDOWS\System32

12/01/2004 05:06 PM <DIR> dllcache
11/30/2004 02:38 PM <DIR> GroupPolicy
02/12/2003 06:04 AM 488 logonui.exe.manifest
02/12/2003 06:04 AM 488 WindowsLogon.manifest
02/12/2003 06:04 AM 749 wuaucpl.cpl.manifest
02/12/2003 06:04 AM 749 cdplayer.exe.manifest
02/12/2003 06:04 AM 749 sapi.cpl.manifest
02/12/2003 06:04 AM 749 ncpa.cpl.manifest
02/12/2003 06:04 AM 749 nwc.cpl.manifest
7 File(s) 4,721 bytes
2 Dir(s) 33,062,277,120 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is GreenHouse
Volume Serial Number is B8F3-4FE0

Directory of C:\WINDOWS\System32

12/07/2004 04:08 PM 225,772 guard.tmp
1 File(s) 225,772 bytes
0 Dir(s) 33,062,273,024 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is GreenHouse
Volume Serial Number is B8F3-4FE0

Directory of C:\WINDOWS\System32

12/07/2004 04:08 PM 225,772 guard.tmp
08/29/2002 07:00 AM 599,040 wininet.dll.tmp
08/29/2002 07:00 AM 2,577 CONFIG.TMP
3 File(s) 827,389 bytes
0 Dir(s) 33,062,273,024 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FF886FD1-0802-49D5-A8B8-ECE8C80F20D6}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gp0ul3d91.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------


No matches found.


DLLCompare:

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :thumbsup:"
________________________________________________

1,295 items found: 1,295 files, 0 directories.
Total of file sizes: 265,111,088 bytes 252.83 M

Administrator Account = True

--------------------End log---------------------


HJT:

Logfile of HijackThis v1.97.7
Scan saved at 5:16:09 PM, on 12/7/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\avgagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\PROGRA~1\ICQ\ICQNet.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\SED\SED.exe
C:\WINDOWS\system32\SahAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\deniset.NWDOMAIN1\My Documents\Downloads\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\system32\SahAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://www.bargain-buddy.net/cashback/cab/..._VENTURAMK3.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nappaneewindow.local
O17 - HKLM\Software\..\Telephony: DomainName = nappaneewindow.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nappaneewindow.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nappaneewindow.local
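The "Keys Under Notify" sections in this reply and in the earlier one (post #5) are the persistence mechanism in this thread: a DLL registered under `Winlogon\Notify` is loaded by winlogon.exe at logon, before the desktop appears, which is why the files keep coming back. Compare the two dumps and the signal is clear: every legitimate subkey names a bare DLL (`wlnotify.dll`, `cscdll.dll`, `crypt32.dll`, ...), while the rogue one carries a full path into system32 with a random name, and after the reboot it has simply re-registered under a new subkey name (`App Management` became `Controls Folder`) with a new DLL. Here is an added Python example (not from the thread or from FindIt) that parses REGEDIT4 Notify dumps, decodes the `hex(2)` values, flags subkeys whose DllName is a path or an unknown file, and diffs two snapshots to show the re-registration. The snapshots are constructed excerpts in the shape of the two dumps, and the known-good DLL set is an assumption taken from the clean entries in those dumps.

```python
import re
from pathlib import PureWindowsPath

# Winlogon notification DLLs shipped with Windows XP, taken from the clean
# entries in the logs above (assumption: anything else needs review).
KNOWN_NOTIFY_DLLS = {"wlnotify.dll", "cscdll.dll", "crypt32.dll",
                     "cryptnet.dll", "sclgntfy.dll"}

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\"
                 "CurrentVersion\\Winlogon\\Notify\\")

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Constructed excerpts in the shape of the two FindIt "Keys Under Notify"
# dumps above: the first carries the rogue "App Management" subkey, the
# second the rogue "Controls Folder" subkey that replaced it after the reboot.
SNAPSHOT_BEFORE = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Management]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\g4400ehmeh4a0.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Asynchronous"=dword:00000001
"""

SNAPSHOT_AFTER = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gp0ul3d91.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"""


def decode_value(raw):
    """Turn a REGEDIT4 value literal into a Python value."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        # REG_EXPAND_SZ as a byte list; the dumps above write one byte per
        # character with a trailing NUL (assumption based on those dumps).
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("latin-1").rstrip("\x00")
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw


def parse_notify(text):
    """Return {subkey: {value_name: value}} for every subkey under Winlogon\\Notify."""
    subkeys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            path = km.group(1)
            current = None
            if path.lower().startswith(NOTIFY_PREFIX.lower()):
                current = path[len(NOTIFY_PREFIX):]
                subkeys[current] = {}
            continue
        vm = VAL_RE.match(line)
        if vm and current is not None:
            subkeys[current][vm.group(1)] = decode_value(vm.group(2))
    return subkeys


def suspicious_entries(subkeys):
    """Flag subkeys whose DllName has a path component or an unknown file name."""
    flagged = {}
    for name, values in subkeys.items():
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            continue
        p = PureWindowsPath(dll)
        reasons = []
        if len(p.parts) > 1:
            reasons.append("full path instead of a bare DLL name")
        if p.name.lower() not in KNOWN_NOTIFY_DLLS:
            reasons.append("DLL not in the known Winlogon notification set")
        if reasons:
            flagged[name] = (dll, reasons)
    return flagged


def diff_snapshots(before, after):
    """Subkeys that appeared or vanished between two dumps."""
    return {"added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after))}


if __name__ == "__main__":
    before, after = parse_notify(SNAPSHOT_BEFORE), parse_notify(SNAPSHOT_AFTER)
    for label, snap in (("before", before), ("after", after)):
        for key, (dll, reasons) in suspicious_entries(snap).items():
            print(f"{label}: [{key}] -> {dll}: {'; '.join(reasons)}")
    print(diff_snapshots(before, after))
```

Diffing the subkey set is the step to keep in a cleanup routine: the rogue entry changes both its subkey name and its DLL between reboots, so matching on either name alone misses the re-registration, while "a Notify subkey that was not there last time and points at a path" catches it regardless of what it is called.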

#8 Daisuke


Posted 07 December 2004 - 05:43 PM

One is alive :thumbsup:

Start Killbox.exe

Select the Delete on reboot option.

1. Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\System32\guard.tmp

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the YES button.

Your computer will reboot.

Run FindIt.bat and HijackThis again and post the logs, please.

#9 ehoss


Posted 07 December 2004 - 06:12 PM

OK, here are the latest logs...

Findit:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C is GreenHouse
Volume Serial Number is B8F3-4FE0

Directory of C:\WINDOWS\System32

12/01/2004 05:06 PM <DIR> dllcache
02/12/2003 06:30 AM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 33,059,606,528 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is GreenHouse
Volume Serial Number is B8F3-4FE0

Directory of C:\WINDOWS\System32

12/01/2004 05:06 PM <DIR> dllcache
11/30/2004 02:38 PM <DIR> GroupPolicy
02/12/2003 06:04 AM 488 logonui.exe.manifest
02/12/2003 06:04 AM 488 WindowsLogon.manifest
02/12/2003 06:04 AM 749 wuaucpl.cpl.manifest
02/12/2003 06:04 AM 749 cdplayer.exe.manifest
02/12/2003 06:04 AM 749 sapi.cpl.manifest
02/12/2003 06:04 AM 749 ncpa.cpl.manifest
02/12/2003 06:04 AM 749 nwc.cpl.manifest
7 File(s) 4,721 bytes
2 Dir(s) 33,059,606,528 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is GreenHouse
Volume Serial Number is B8F3-4FE0

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C is GreenHouse
Volume Serial Number is B8F3-4FE0

Directory of C:\WINDOWS\System32

08/29/2002 07:00 AM 599,040 wininet.dll.tmp
08/29/2002 07:00 AM 2,577 CONFIG.TMP
2 File(s) 601,617 bytes
0 Dir(s) 33,059,602,432 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FF886FD1-0802-49D5-A8B8-ECE8C80F20D6}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gp0ul3d91.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------


No matches found.


HJT:

Logfile of HijackThis v1.97.7
Scan saved at 6:11:13 PM, on 12/7/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\avgagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\PROGRA~1\ICQ\ICQNet.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\SED\SED.exe
C:\WINDOWS\system32\SahAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\deniset.NWDOMAIN1\My Documents\Downloads\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\system32\SahAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://www.bargain-buddy.net/cashback/cab/..._VENTURAMK3.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nappaneewindow.local
O17 - HKLM\Software\..\Telephony: DomainName = nappaneewindow.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nappaneewindow.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nappaneewindow.local

#10 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 07 December 2004 - 06:52 PM

Please uninstall from Add\Remove Programs: ShopAtHomeSelect Agent


Step 1: Click on Start, then Run, type services.msc and press the OK button. When the Services control panel opens, scroll through the list looking for a service called ISEXEng. If that service exists, double-click on it, change the startup type to Disabled and stop the service.


Step 2: Next, open Notepad, copy and paste the contents of the box below into it, and "Save As" removeit.reg. In "Save as type" select All Files, and save the file to your desktop.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ISEXENG]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ISEXEng]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ISEXENG]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ISEXEng]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ISEXENG]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ISEXEng]


We will use this above registry file later in the fix.


Step 3: Download Ad-Aware SE from the following location:

Ad-aware download location

After installing Ad-Aware SE and before you scan with it, you must update the program. Please run the program and update it and install the latest reference files. Do not scan with it now as we will do that later in the fix.

You can read this tutorial for step-by-step instructions on how to update and use this program:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer.


Step 4: Please fix the following entries in HijackThis:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll


O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\system32\SahAgent.exe

O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://www.bargain-buddy.net/cashback/cab/..._VENTURAMK3.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab



Step 5: Reboot your computer into Safe Mode and delete the following files:

C:\WINDOWS\system32\nvms.dll <-- this file
C:\WINDOWS\system32\mscb.dll <-- this file
C:\WINDOWS\system32\msbe.dll <-- this file
C:\WINDOWS\System32\angelex.exe <-- this file
C:\WINDOWS\system32\SahAgent.exe <-- this file

Delete these folders:
C:\Program Files\CashBack\ <-- this folder
C:\Program Files\BullsEye Network\ <-- this folder
C:\Program Files\NaviSearch\ <-- this folder
C:\Program Files\VBouncer\ <-- this folder

Step 6: Now we want to run the registry file created previously. Double-click on the removeit.reg file and when it asks if you would like to merge the information, press the OK or Yes button.


Step 7: Now start Ad-Aware and scan your computer for spyware and other malware. If it finds anything, fix it.


Step 8: When you are done scanning with Ad-Aware, reboot your computer into normal mode and post a new log.

Edited by cryo, 07 December 2004 - 06:53 PM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

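As an added illustration (not code from the thread or from HijackThis), a small parser for the O1 and O2 line format that automates the triage the post above does by hand: it groups O1 hosts entries by target IP and reports the non-loopback targets together with any repeated lines, and lists BHOs registered with "(no name)". The sample log is constructed from the lines quoted above; the "Example Toolbar" entry and its GUID are made up to show a named BHO being ignored.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis 1.9x log format, modelled on the O1/O2
# lines quoted in the thread above (not the original poster's log).
SAMPLE_LOG = """\
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\\WINDOWS\\system32\\nvms.dll
O2 - BHO: Example Toolbar - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\tb.dll
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
LOCAL_PREFIXES = ("127.", "0.0.0.0", "::1")  # blocking/local entries, not redirects


def parse_hosts_entries(log):
    """Return (ip, hostname) pairs from every O1 line, in log order."""
    return [m.groups() for line in log.splitlines() if (m := O1_RE.match(line))]


def find_hosts_hijacks(log):
    """Group O1 hostnames by target IP and report the non-loopback targets.

    A hosts-file hijack like the one in this thread points several unrelated
    names (search portals plus 'ieautosearch', which IE resolves for
    address-bar searches) at one remote address. Repeated identical lines
    are counted too: they hint that something re-adds them after cleanup.
    """
    by_ip = defaultdict(list)
    for ip, host in parse_hosts_entries(log):
        by_ip[ip].append(host)
    findings = {}
    for ip, hosts in by_ip.items():
        if ip.startswith(LOCAL_PREFIXES):
            continue
        findings[ip] = {"hosts": sorted(set(hosts)),
                        "duplicates": len(hosts) - len(set(hosts))}
    return findings


def unnamed_bhos(log):
    """Return DLL paths of O2 BHO entries registered with '(no name)'.

    Legitimate add-ons nearly always carry a product name; all three
    unnamed BHOs in this thread belonged to the infection.
    """
    return [m.group(3) for line in log.splitlines()
            if (m := O2_RE.match(line)) and m.group(1) == "(no name)"]
```

Running find_hosts_hijacks over the sample reports the single remote address with three distinct names and one duplicate line, matching what the helper asked to have fixed.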

#11 ehoss

ehoss
  • Topic Starter

  • Members
  • 8 posts

Posted 08 December 2004 - 07:49 AM

Cryo, it looks like you got this thing figured out. Below is my HJT log.

Also, here are some notes on what I saw/did, in case they are helpful for future cases: I did not see ISEXEng service in step 1. In step 5, I did not find the files nvms.dll, mscb.dll, msbe.dll, and SahAgent.exe. In step 6, I was actually asked if I wanted to "add" the information to the registry and I clicked "Yes". I ran AdAware SE and Spybot S&D, and there is a DSO Exploit that keeps coming back that Spybot can't seem to fix (and AdAware doesn't find), but other than that things look very good now.

Assuming that this is the last post, I want to say a big "Thank You!" for all your help and patience! Blessings to you and the others on the HJT Team as you continue your work! Thanks again!



Current HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 7:35:19 AM, on 12/8/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\avgagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SED\SED.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\WINDOWS\system32\userinit.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DONT_USE_kalvsys] C:\windows\system32\kalvdnv32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nappaneewindow.local
O17 - HKLM\Software\..\Telephony: DomainName = nappaneewindow.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nappaneewindow.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nappaneewindow.local

#12 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 08 December 2004 - 08:08 AM

DSO Exploit that keeps coming back that Spybot can't seem to fix

This is a bug in SS&D. Ignore it :thumbsup:.

This trojan is still on your computer:
O4 - HKLM\..\Run: [DONT_USE_kalvsys] C:\windows\system32\kalvdnv32.exe

Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program.

With all windows and browsers closed, clean out temporary files and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab tick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

Perform a full scan here: BitDefender Free Online Virus Scan
Follow the instructions on the screen.
Tick all the boxes on the left and let it remove anything it finds.

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

O4 - HKLM\..\Run: [DONT_USE_kalvsys] C:\windows\system32\kalvdnv32.exe

Close all other windows and browsers, and press the Fix Checked button.

Delete all files like this: kalv*****.exe in the C:\windows\system32\ folder.

REBOOT normally and post a new log please.

#13 ehoss

ehoss
  • Topic Starter

  • Members
  • 8 posts

Posted 08 December 2004 - 09:07 AM

OK, here's the latest log. BitDefender found no viruses. I had to delete 7 kalv*.exe files from c:\windows\system32\. All of them were dated in 2001 or 2002, which surprised me. Anyway, here's the HJT log...


Logfile of HijackThis v1.98.2
Scan saved at 9:02:29 AM, on 12/8/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\avgagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SED\SED.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nappaneewindow.local
O17 - HKLM\Software\..\Telephony: DomainName = nappaneewindow.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nappaneewindow.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nappaneewindow.local

#14 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 08 December 2004 - 09:18 AM

WOW

Your log looks clean :thumbsup:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

How did I get infected?, With steps so it does not happen again!

Glad I was able to help.

Last Windows SP2 critical update: December 01
Also update your Sun Java; latest version = 1.4.2_06: J2SE v 1.4.2_06 JRE

Use an alternative browser: visit www.mozilla.org

#15 ehoss

ehoss
  • Topic Starter

  • Members
  • 8 posts

Posted 08 December 2004 - 10:10 AM

WOW is right! Thank you, thank you! I don't know what I'd have done without your help! :thumbsup:

Thank you also for the preventive steps. You guys are the best!



