
HJT Log - JRoth - Work


23 replies to this topic

#1 jrothca

jrothca

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:28 PM

Posted 02 December 2004 - 07:42 PM

IE pop-ups even when IE is not running. The most common pop-ups are:

ad1.revenue.net
Search Results for poker online
****** System Warning !
banners.pennyweb.com

Here's my Log file:

Logfile of HijackThis v1.98.2
Scan saved at 4:24:15 PM, on 12/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\mmups.exe
C:\WINNT\system32\yiskkr.exe
C:\WINNT\system32\prvtect.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINNT\system32\prvtect.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\explorer.exe
C:\ColorBurst_731_HP\ColorBurst 7.31.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\Employee Folders\Justin\Spyware\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvmik32.exe
O4 - HKCU\..\Run: [prvtect] C:\WINNT\system32\prvtect.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/diamond.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5100F20A-F821-4361-93F3-1DD17EA3FF6A}: NameServer = 204.97.212.10,199.2.252.10

Edited by jrothca, 02 December 2004 - 10:28 PM.




#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:01:28 PM

Posted 03 December 2004 - 07:06 AM

Hi

Please stand by. There is no fix for this infection yet.

Please do me a favour. ZIP this file and send it here: [edited]@yahoo.com
C:\winnt\system32\kalvmik32.exe <-- this file

It seems to be a part of this infection and it will help us to find a fix.

Thank you

Edited by cryo, 18 December 2004 - 07:44 AM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#3 jrothca

jrothca
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:28 PM

Posted 03 December 2004 - 03:17 PM

I did a search for this file kalvmik32.exe but the search results could not find the file. I also looked for it manually and it was not in the C:\winnt\system32\ directory. I ran HJT again to see if the file still exists in the log and it does. Here is the log again. Let me know if there is anything else I can do.

Logfile of HijackThis v1.98.2
Scan saved at 12:13:15 PM, on 12/3/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\yiskkr.exe
C:\WINNT\system32\prvtect.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINNT\system32\prvtect.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\explorer.exe
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvmik32.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [prvtect] C:\WINNT\system32\prvtect.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/diamond.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5100F20A-F821-4361-93F3-1DD17EA3FF6A}: NameServer = 204.97.212.10,199.2.252.10

#4 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:01:28 PM

Posted 03 December 2004 - 03:29 PM

Hi

Thanks, the file is protected and invisible.

Maybe you can find and send this file: C:\WINNT\system32\prvtect.exe <-- this file; make sure hidden files are visible.


Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode


Run HijackThis!, press Scan, and put a check mark next to all these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)

O4 - HKCU\..\Run: [prvtect] C:\WINNT\system32\prvtect.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.media-motor.net/cabs/diamond.cab


Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if found:
C:\WINNT\system32\prvtect.exe <-- this file

Empty the Recycle Bin. - Note: the recycle bin is damaged because of the Look2me infection.

REBOOT normally and post a new log please.

Please stand by, a fix for Look2me will be soon available.

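The entries the helper asks to have fixed above fall into a few recognisable classes: hosts-file lines that point real search hostnames at a remote address, toolbar/button entries whose file is gone, Run keys whose target cannot be seen on disk, and ActiveX downloads from hosts nobody trusts. The script below is an added example (not BleepingComputer's or the HijackThis author's code) that applies those checks to an excerpt of the posted log. The `VISIBLE_SYSTEM32` set, the `TRUSTED_DPF_HOSTS` allow-list and the 127.0.0.1 hosts line are constructed for the demo; the remaining log lines are taken from the posts above.

```python
"""Triage of HijackThis (HJT) log lines. Added example; the allow-list of
ActiveX hosts and the set of 'visible' system32 files are assumptions."""
import ipaddress
import re
from urllib.parse import urlparse

# Excerpt of the HJT log posted above (raw string keeps the backslashes).
# The 127.0.0.1 line is a constructed benign hosts entry for contrast.
HJT_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvmik32.exe
O4 - HKCU\..\Run: [prvtect] C:\WINNT\system32\prvtect.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
"""

# What a normal directory listing of system32 showed (constructed). The poster
# could not find kalvmik32.exe, so it is deliberately absent here.
VISIBLE_SYSTEM32 = {"prvtect.exe", "yiskkr.exe", "svchost.exe"}

# ActiveX (O16) download hosts this organisation trusts (constructed allow-list).
TRUSTED_DPF_HOSTS = {"security.symantec.com", "zone.msn.com"}

# First .exe after the closing bracket of the Run value name, quoted or not.
RUN_TARGET = re.compile(r'\]\s*"?([^"]*?\.exe)"?', re.IGNORECASE)
SYSTEM32 = re.compile(r'^[a-z]:\\win(?:nt|dows)\\system32\\', re.IGNORECASE)


def triage(log_text, visible_system32=VISIBLE_SYSTEM32,
           trusted_hosts=TRUSTED_DPF_HOSTS):
    """Return a list of (section, reason, original line) for suspect entries."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section == "O1":
            # "O1 - Hosts: <ip> <hostname>": pointing a real name at a remote
            # address is a redirect; loopback/0.0.0.0 entries are ad-blocks.
            mapping = line.split("Hosts:", 1)[1]
            ip_text, host = mapping.split(None, 1)
            ip = ipaddress.ip_address(ip_text)
            if not (ip.is_loopback or ip.is_unspecified):
                findings.append((section, f"hosts redirect {host} -> {ip}", line))
        elif section in {"O3", "O9", "R0", "R1"} and "(no file)" in line:
            findings.append((section, "orphaned entry (no file)", line))
        elif section == "O4":
            m = RUN_TARGET.search(line)
            if m and SYSTEM32.match(m.group(1)):
                name = m.group(1).rsplit("\\", 1)[1].lower()
                if name not in visible_system32:
                    findings.append((section,
                                     f"autorun target {name} not visible in "
                                     "system32 (hidden or already removed)", line))
        elif section == "O16":
            # The download URL is the last " - " separated field.
            host = urlparse(line.rsplit(" - ", 1)[1]).hostname
            if host not in trusted_hosts:
                findings.append((section,
                                 f"ActiveX download from untrusted host {host}", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(HJT_LOG):
        print(f"{section}: {reason}\n    {line}")
```

The visibility check is one signal, not a verdict: prvtect.exe passes it here and still turned out to be the backdoor the helper sent for analysis, and a Run target that cannot be found may be either hidden by the malware or a stale key whose file was already deleted. Use the triage output to decide what to sample and what to ask about, as the thread does, rather than as an automatic fix list.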
#5 jrothca

jrothca
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:28 PM

Posted 03 December 2004 - 05:08 PM

I found and zipped the C:\WINNT\system32\prvtect.exe file. You should be getting the email of the attached file shortly. One thing I did notice is when I empty the recycle bin it always says that I have 39 files to be deleted even if I empty it back to back. Is that because of the Look2me infection? I followed your other instructions and here is my new log file.


Logfile of HijackThis v1.98.2
Scan saved at 2:05:59 PM, on 12/3/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\yiskkr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINNT\explorer.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvmik32.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5100F20A-F821-4361-93F3-1DD17EA3FF6A}: NameServer = 204.97.212.10,199.2.252.10

Edited by jrothca, 03 December 2004 - 05:10 PM.


#6 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:01:28 PM

Posted 03 December 2004 - 05:20 PM

Thanks, the file is probably a backdoor, UPX packed. I will send it for analysis.

#7 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:01:28 PM

Posted 06 December 2004 - 03:09 PM

Let's give Zupe's method a try.

1. Download VX2Finder from this link:
http://downloads.subratam.org/VX2Finder(126).exe
Run Vx2Finder and click on the Click to find VX2.BetterInternet button.

Click the Make Log button.

Save the log some place convenient like My Documents. Include the contents of the log in your next reply here.


2. Download this ZIP file

and unzip the contents to a folder, then open that folder and double click on Find.bat. It will run for a minute, then produce a log (ignore any File not found messages on the screen, it should continue anyway). Please copy and paste that log here as well.



3. Please download DllCompare from here
If you get a 404 Error send me a PM with your email please. I'll send you the file. There is no other place where you can download this file.

When it has downloaded, run the program and click on the Run Locate.com button. When that has completed, click on the Compare button. When that has completed, click on the Make Log of What Was Found button. Then post the contents of that log as a reply to this post.

Only if you get an error after pressing Run Locate.com:
copy autoexec.nt from c:\windows\repair\ folder to c:\windows\system32\ folder.


4. Please also open the c:\Windows\System32 folder and see if there's a file there called Guard.tmp visible and report that here as well.

#8 jrothca

jrothca
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:28 PM

Posted 06 December 2004 - 09:19 PM

cryo-

Whatever we did before the weekend helped slow down some of the attacks. It seems that they are starting to come back slowly as time passes. And today there were 5 shortcuts that were added to the desktop from one of the attacks. I'm not sure when it happened, though. I followed your instructions and the only thing I could not do was step number 3. I sent you the PM and am awaiting the email attachment of the program utility.

1. VX2Finder - Log

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
AtiExtEvent
crypt32chain
cryptnet
cscdll
MCD
sclgntfy
SensLogn
wzcnotif


Guardian Key--- is called:

User Agent String---
{7B32D2B2-524A-4CA6-832B-88E707461336}


2. Find.bat - Log

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is A09A-2EAE

Directory of C:\WINNT\System32

12/06/2004 06:00p 552 TBPS.ini
12/06/2004 05:54p 223,041 sonsapi.dll
12/06/2004 05:52p 223,014 lvls0937e.dll
12/06/2004 05:46p <DIR> dllcache
12/03/2004 05:46p 223,041 jt2007fme.dll
12/03/2004 01:50p 222,696 pqrfos.dll
12/03/2004 01:39p 225,679 rHsser.dll
12/02/2004 02:20p 225,679 wansta.dll
12/02/2004 12:55p 225,679 mtswch.dll
12/02/2004 12:55p 222,582 lv4s09h7e.dll
12/02/2004 11:19a 222,815 irj2l51o1.dll
11/30/2004 03:08p 225,621 l6j8lg1u16.dll
11/30/2004 09:28a 225,621 o0rola931d.dll
11/30/2004 09:10a 225,621 l08mlal11dq.dll
11/29/2004 02:01p 225,621 mvnol9531.dll
11/29/2004 01:52p 225,621 beowser.dll
11/29/2004 01:02p 224,802 k4080edueh080.dll
11/29/2004 12:54p 224,802 NFDLL.DLL
11/27/2004 11:45a 224,802 PbfPorts.dll
11/26/2004 04:02p 223,232 j60slgd7160.dll
11/25/2004 02:49a 223,875 fp4603hse.dll
05/14/2004 12:35p 32 {5A6ECA8F-C160-40AD-9B90-89C7FB72D9AC}.dat
05/14/2004 12:34p 32 {81E98C23-A1F6-46FC-89F0-90700C159934}.dat
05/14/2004 12:33p 32 {4760909A-B5C5-4020-8DC6-5548D3391D7A}.dat
05/14/2004 12:32p 32 {E2DAE607-DCC1-43B5-A19A-CA561552D4C2}.dat
05/14/2004 12:32p 32 {C9DA2155-6CF7-4862-B9A1-23D21EE59914}.dat
05/14/2004 12:32p 32 {60B2FA97-4F85-43AE-B9F5-952614406376}.dat
05/14/2004 12:31p 32 {E23E0153-451A-4828-BE4A-0CE020E0B519}.dat
27 File(s) 4,264,620 bytes
1 Dir(s) 3,329,044,480 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is A09A-2EAE

Directory of C:\WINNT\System32

12/06/2004 05:46p <DIR> dllcache
05/14/2004 12:35p 32 {5A6ECA8F-C160-40AD-9B90-89C7FB72D9AC}.dat
05/14/2004 12:34p 32 {81E98C23-A1F6-46FC-89F0-90700C159934}.dat
05/14/2004 12:33p 32 {4760909A-B5C5-4020-8DC6-5548D3391D7A}.dat
05/14/2004 12:32p 32 {E2DAE607-DCC1-43B5-A19A-CA561552D4C2}.dat
05/14/2004 12:32p 32 {C9DA2155-6CF7-4862-B9A1-23D21EE59914}.dat
05/14/2004 12:32p 32 {60B2FA97-4F85-43AE-B9F5-952614406376}.dat
05/14/2004 12:31p 32 {E23E0153-451A-4828-BE4A-0CE020E0B519}.dat
05/13/2004 07:49p <DIR> GroupPolicy
05/13/2004 07:43p 271 desktop.ini
05/13/2004 07:43p 21,692 folder.htt
9 File(s) 22,187 bytes
2 Dir(s) 3,329,036,288 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is A09A-2EAE

Directory of C:\WINNT\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is A09A-2EAE

Directory of C:\WINNT\System32

12/07/1999 04:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 3,329,036,288 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{7B32D2B2-524A-4CA6-832B-88E707461336}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\jt2007fme.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


---------------- Xfind Results -----------------

C:\WINNT\System32\JT2007~1.DLL +++ File read error

-------------- Locate.com Results ---------------


C:\WINNT\SYSTEM32\
beowser.dll Mon Nov 29 2004 1:52:18p ..S.R 225,621 220.33 K
fp4603~1.dll Thu Nov 25 2004 2:49:34a ..S.R 223,875 218.63 K
irj2l5~1.dll Thu Dec 2 2004 11:19:58a ..S.R 222,815 217.59 K
j60slg~1.dll Fri Nov 26 2004 4:02:36p ..S.R 223,232 218.00 K
jt2007~1.dll Fri Dec 3 2004 5:46:16p ..S.R 223,041 217.81 K
k4080e~1.dll Mon Nov 29 2004 1:02:20p ..S.R 224,802 219.53 K
l08mla~1.dll Tue Nov 30 2004 9:10:36a ..S.R 225,621 220.33 K
l6j8lg~1.dll Tue Nov 30 2004 3:08:36p ..S.R 225,621 220.33 K
lv4s09~1.dll Thu Dec 2 2004 12:55:54p ..S.R 222,582 217.36 K
lvls09~1.dll Mon Dec 6 2004 5:52:44p ..S.R 223,014 217.79 K
mtswch.dll Thu Dec 2 2004 12:55:54p ..S.R 225,679 220.39 K
mvnol9~1.dll Mon Nov 29 2004 2:01:18p ..S.R 225,621 220.33 K
nfdll.dll Mon Nov 29 2004 12:54:20p ..S.R 224,802 219.53 K
o0rola~1.dll Tue Nov 30 2004 9:28:30a ..S.R 225,621 220.33 K
pbfports.dll Sat Nov 27 2004 11:45:30a ..S.R 224,802 219.53 K
pqrfos.dll Fri Dec 3 2004 1:50:52p ..S.R 222,696 217.48 K
rhsser.dll Fri Dec 3 2004 1:39:44p ..S.R 225,679 220.39 K
sonsapi.dll Mon Dec 6 2004 5:54:54p ..S.R 223,041 217.81 K
tbps.ini Mon Dec 6 2004 6:00:18p ..S.R 552 0.54 K
wansta.dll Thu Dec 2 2004 2:20:20p ..S.R 225,679 220.39 K

20 items found: 20 files, 0 directories.
Total of file sizes: 4,264,396 bytes 4.07 M

3. I could not download the DllCompare Utility and I am awaiting an email with the attached file.

4. I don't have a System32 subfolder in c:\Windows\, but I did look in c:\WINNT\System32\ and did NOT find a Guard.tmp file.

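The Find.bat output above is where the persistence shows itself: every benign subkey under Winlogon\Notify names its DLL by bare filename (Ati2evxx.dll, cscdll.dll, or an ANSI hex(2) REG_EXPAND_SZ such as crypt32.dll), while the MCD subkey points at an absolute path in System32 whose file also appears in the Locate.com list with the system and read-only attributes set, alongside a dozen other ~220 KB DLLs with random names. The script below is an added example (not the Find.bat, Locate.com or VX2Finder authors' code) that parses a REGEDIT4 export of the Notify key, decodes the hex(2) values, and correlates each Notify DLL with the Locate.com listing, including its 8.3 short names such as `jt2007~1.dll`. The log excerpts are taken from the post above; the `KNOWN_NOTIFY_DLLS` baseline is an assumption built from the benign subkeys in that same log.

```python
"""Flag Look2Me-style Winlogon Notify packages from a REGEDIT4 export plus a
Locate.com file listing. Added example; the baseline set is an assumption."""
import re

# Excerpt of the 'Keys Under Notify' REGEDIT4 export posted above.
NOTIFY_EXPORT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\jt2007fme.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
"""

# Excerpt of the Locate.com results posted above (8.3 short names as printed).
LOCATE_OUTPUT = r"""
C:\WINNT\SYSTEM32\
beowser.dll Mon Nov 29 2004 1:52:18p ..S.R 225,621 220.33 K
jt2007~1.dll Fri Dec 3 2004 5:46:16p ..S.R 223,041 217.81 K
mtswch.dll Thu Dec 2 2004 12:55:54p ..S.R 225,679 220.39 K
tbps.ini Mon Dec 6 2004 6:00:18p ..S.R 552 0.54 K
"""

# Baseline of Notify DLLs seen in the benign subkeys of this log (assumption).
KNOWN_NOTIFY_DLLS = {"ati2evxx.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll"}

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# name  DoW Mon day year  time[ap]  attrs  size
LOCATE_RE = re.compile(r'^(\S+)\s+\w{3} \w{3}\s+\d+ \d{4} [\d:]+[ap]\s+(\S{5})\s+([\d,]+)')


def decode_reg_value(raw):
    """Decode the REGEDIT4 forms used here: quoted strings with backslash
    escapes, and hex(2) REG_EXPAND_SZ byte lists (ANSI in a REGEDIT4 export)."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    if raw.startswith('hex(2):'):
        data = bytes(int(b, 16) for b in raw[7:].split(',') if b)
        return data.split(b'\x00', 1)[0].decode('latin-1')
    return raw


def parse_notify(export_text):
    """Return {subkey: {value_name_lower: decoded_value}} under Winlogon\\Notify."""
    entries, current = {}, None
    for line in export_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            sub = m.group(1).rsplit('\\Notify', 1)[1].lstrip('\\')
            current = entries.setdefault(sub, {}) if sub else None
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = decode_reg_value(m.group(2))
    return entries


def parse_locate(text):
    """Return {listed_name_lower: (attribute_string, size_bytes)}."""
    files = {}
    for line in text.splitlines():
        m = LOCATE_RE.match(line.strip())
        if m:
            files[m.group(1).lower()] = (m.group(2), int(m.group(3).replace(',', '')))
    return files


def names_match(listed, dll_name):
    """True if a Locate.com name (possibly 8.3, e.g. jt2007~1.dll) refers to dll_name."""
    listed, dll_name = listed.lower(), dll_name.lower()
    if listed == dll_name:
        return True
    stem, _, ext = listed.rpartition('.')
    if '~' in stem:  # 8.3 alias: prefix before '~' plus the same extension
        return dll_name.startswith(stem.split('~', 1)[0]) and dll_name.endswith('.' + ext)
    return False


def suspicious_notify(export_text, locate_text, baseline=KNOWN_NOTIFY_DLLS):
    """Return [(subkey, dll_path, [reasons])] for Notify entries worth removing."""
    files = parse_locate(locate_text)
    findings = []
    for sub, values in parse_notify(export_text).items():
        dll = values.get('dllname', '')
        base = dll.rsplit('\\', 1)[-1].lower()
        reasons = []
        if '\\' in dll:
            reasons.append('absolute path (OS entries use a bare name)')
        if base not in baseline:
            reasons.append('DLL not in baseline')
        hits = [n for n in files if names_match(n, base)]
        if any('S' in files[n][0] and 'R' in files[n][0] for n in hits):
            reasons.append('DLL is a system+read-only file in System32')
        if reasons:
            findings.append((sub, dll, reasons))
    return findings


if __name__ == "__main__":
    for sub, dll, reasons in suspicious_notify(NOTIFY_EXPORT, LOCATE_OUTPUT):
        print(f"Notify\\{sub} -> {dll}: " + "; ".join(reasons))
```

Because winlogon.exe loads Notify DLLs at logon, the flagged DLL is mapped into a process that runs as SYSTEM before any user shell starts, which is why the subkey name and file name in the posted logs change between runs (MCD/jt2007fme.dll on 6 December, Explorer/lvls0937e.dll on 7 December) and why deleting the files from a normal session fails. Treat the correlated Notify entry as the thing to remove, with the DLL deleted from Safe Mode or offline, and re-run the comparison afterwards to confirm no new subkey has been written.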
#9 jrothca

jrothca
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:28 PM

Posted 07 December 2004 - 03:55 PM

1. VX2Finder

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
AtiExtEvent
crypt32chain
cryptnet
cscdll
Explorer
sclgntfy
SensLogn
wzcnotif


Guardian Key--- is called:

User Agent String---
{7B32D2B2-524A-4CA6-832B-88E707461336}

2. Find.bat

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is A09A-2EAE

Directory of C:\WINNT\System32

12/07/2004 12:50p 551 TBPS.ini
12/07/2004 12:48p 223,014 LVHSVC.DLL
12/07/2004 12:48p 223,683 lv6609jse.dll
12/07/2004 12:41p 223,014 dhusic.dll
12/07/2004 12:41p 224,579 ir6ql5j51.dll
12/07/2004 12:33p 223,041 irl2l53o1.dll
12/06/2004 05:52p 223,014 lvls0937e.dll
12/06/2004 05:46p <DIR> dllcache
12/03/2004 01:50p 222,696 pqrfos.dll
12/03/2004 01:39p 225,679 rHsser.dll
12/02/2004 02:20p 225,679 wansta.dll
12/02/2004 12:55p 225,679 mtswch.dll
12/02/2004 12:55p 222,582 lv4s09h7e.dll
12/02/2004 11:19a 222,815 irj2l51o1.dll
11/30/2004 03:08p 225,621 l6j8lg1u16.dll
11/30/2004 09:28a 225,621 o0rola931d.dll
11/30/2004 09:10a 225,621 l08mlal11dq.dll
11/29/2004 02:01p 225,621 mvnol9531.dll
11/29/2004 01:52p 225,621 beowser.dll
11/29/2004 01:02p 224,802 k4080edueh080.dll
11/29/2004 12:54p 224,802 NFDLL.DLL
11/27/2004 11:45a 224,802 PbfPorts.dll
11/26/2004 04:02p 223,232 j60slgd7160.dll
11/25/2004 02:49a 223,875 fp4603hse.dll
05/14/2004 12:35p 32 {5A6ECA8F-C160-40AD-9B90-89C7FB72D9AC}.dat
05/14/2004 12:34p 32 {81E98C23-A1F6-46FC-89F0-90700C159934}.dat
05/14/2004 12:33p 32 {4760909A-B5C5-4020-8DC6-5548D3391D7A}.dat
05/14/2004 12:32p 32 {E2DAE607-DCC1-43B5-A19A-CA561552D4C2}.dat
05/14/2004 12:32p 32 {C9DA2155-6CF7-4862-B9A1-23D21EE59914}.dat
05/14/2004 12:32p 32 {60B2FA97-4F85-43AE-B9F5-952614406376}.dat
05/14/2004 12:31p 32 {E23E0153-451A-4828-BE4A-0CE020E0B519}.dat
30 File(s) 4,935,868 bytes
1 Dir(s) 2,808,950,784 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is A09A-2EAE

Directory of C:\WINNT\System32

12/06/2004 05:46p <DIR> dllcache
05/14/2004 12:35p 32 {5A6ECA8F-C160-40AD-9B90-89C7FB72D9AC}.dat
05/14/2004 12:34p 32 {81E98C23-A1F6-46FC-89F0-90700C159934}.dat
05/14/2004 12:33p 32 {4760909A-B5C5-4020-8DC6-5548D3391D7A}.dat
05/14/2004 12:32p 32 {E2DAE607-DCC1-43B5-A19A-CA561552D4C2}.dat
05/14/2004 12:32p 32 {C9DA2155-6CF7-4862-B9A1-23D21EE59914}.dat
05/14/2004 12:32p 32 {60B2FA97-4F85-43AE-B9F5-952614406376}.dat
05/14/2004 12:31p 32 {E23E0153-451A-4828-BE4A-0CE020E0B519}.dat
05/13/2004 07:49p <DIR> GroupPolicy
05/13/2004 07:43p 271 desktop.ini
05/13/2004 07:43p 21,692 folder.htt
9 File(s) 22,187 bytes
2 Dir(s) 2,808,946,688 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is A09A-2EAE

Directory of C:\WINNT\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is A09A-2EAE

Directory of C:\WINNT\System32

12/07/1999 04:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 2,808,946,688 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{7B32D2B2-524A-4CA6-832B-88E707461336}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\lvls0937e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


---------------- Xfind Results -----------------

C:\WINNT\System32\LV6609~1.DLL +++ File read error

-------------- Locate.com Results ---------------


C:\WINNT\SYSTEM32\
beowser.dll Mon Nov 29 2004 1:52:18p ..S.R 225,621 220.33 K
dhusic.dll Tue Dec 7 2004 12:41:40p ..S.R 223,014 217.79 K
fp4603~1.dll Thu Nov 25 2004 2:49:34a ..S.R 223,875 218.63 K
ir6ql5~1.dll Tue Dec 7 2004 12:41:40p ..S.R 224,579 219.31 K
irj2l5~1.dll Thu Dec 2 2004 11:19:58a ..S.R 222,815 217.59 K
irl2l5~1.dll Tue Dec 7 2004 12:33:04p ..S.R 223,041 217.81 K
j60slg~1.dll Fri Nov 26 2004 4:02:36p ..S.R 223,232 218.00 K
k4080e~1.dll Mon Nov 29 2004 1:02:20p ..S.R 224,802 219.53 K
l08mla~1.dll Tue Nov 30 2004 9:10:36a ..S.R 225,621 220.33 K
l6j8lg~1.dll Tue Nov 30 2004 3:08:36p ..S.R 225,621 220.33 K
lv4s09~1.dll Thu Dec 2 2004 12:55:54p ..S.R 222,582 217.36 K
lv6609~1.dll Tue Dec 7 2004 12:48:52p ..S.R 223,683 218.44 K
lvhsvc.dll Tue Dec 7 2004 12:48:52p ..S.R 223,014 217.79 K
lvls09~1.dll Mon Dec 6 2004 5:52:44p ..S.R 223,014 217.79 K
mtswch.dll Thu Dec 2 2004 12:55:54p ..S.R 225,679 220.39 K
mvnol9~1.dll Mon Nov 29 2004 2:01:18p ..S.R 225,621 220.33 K
nfdll.dll Mon Nov 29 2004 12:54:20p ..S.R 224,802 219.53 K
o0rola~1.dll Tue Nov 30 2004 9:28:30a ..S.R 225,621 220.33 K
pbfports.dll Sat Nov 27 2004 11:45:30a ..S.R 224,802 219.53 K
pqrfos.dll Fri Dec 3 2004 1:50:52p ..S.R 222,696 217.48 K
rhsser.dll Fri Dec 3 2004 1:39:44p ..S.R 225,679 220.39 K
tbps.ini Tue Dec 7 2004 12:50:16p ..S.R 551 0.54 K
wansta.dll Thu Dec 2 2004 2:20:20p ..S.R 225,679 220.39 K

23 items found: 23 files, 0 directories.
Total of file sizes: 4,935,644 bytes 4.70 M


3. DllCompare

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\beowser.dll Mon Nov 29 2004 1:52:18p ..S.R 225,621 220.33 K
C:\WINNT\SYSTEM32\dhusic.dll Tue Dec 7 2004 12:41:40p ..S.R 223,014 217.79 K
C:\WINNT\SYSTEM32\fp4603~1.dll Thu Nov 25 2004 2:49:34a ..S.R 223,875 218.63 K
C:\WINNT\SYSTEM32\ir6ql5~1.dll Tue Dec 7 2004 12:41:40p ..S.R 224,579 219.31 K
C:\WINNT\SYSTEM32\irj2l5~1.dll Thu Dec 2 2004 11:19:58a ..S.R 222,815 217.59 K
C:\WINNT\SYSTEM32\irl2l5~1.dll Tue Dec 7 2004 12:33:04p ..S.R 223,041 217.81 K
C:\WINNT\SYSTEM32\j60slg~1.dll Fri Nov 26 2004 4:02:36p ..S.R 223,232 218.00 K
C:\WINNT\SYSTEM32\k4080e~1.dll Mon Nov 29 2004 1:02:20p ..S.R 224,802 219.53 K
C:\WINNT\SYSTEM32\l08mla~1.dll Tue Nov 30 2004 9:10:36a ..S.R 225,621 220.33 K
C:\WINNT\SYSTEM32\l6j8lg~1.dll Tue Nov 30 2004 3:08:36p ..S.R 225,621 220.33 K
C:\WINNT\SYSTEM32\lv4s09~1.dll Thu Dec 2 2004 12:55:54p ..S.R 222,582 217.36 K
C:\WINNT\SYSTEM32\lv6609~1.dll Tue Dec 7 2004 12:48:52p ..S.R 223,683 218.44 K
C:\WINNT\SYSTEM32\lvhsvc.dll Tue Dec 7 2004 12:48:52p ..S.R 223,014 217.79 K
C:\WINNT\SYSTEM32\lvls09~1.dll Mon Dec 6 2004 5:52:44p ..S.R 223,014 217.79 K
C:\WINNT\SYSTEM32\mtswch.dll Thu Dec 2 2004 12:55:54p ..S.R 225,679 220.39 K
C:\WINNT\SYSTEM32\mvnol9~1.dll Mon Nov 29 2004 2:01:18p ..S.R 225,621 220.33 K
C:\WINNT\SYSTEM32\nfdll.dll Mon Nov 29 2004 12:54:20p ..S.R 224,802 219.53 K
C:\WINNT\SYSTEM32\o0rola~1.dll Tue Nov 30 2004 9:28:30a ..S.R 225,621 220.33 K
C:\WINNT\SYSTEM32\pbfports.dll Sat Nov 27 2004 11:45:30a ..S.R 224,802 219.53 K
C:\WINNT\SYSTEM32\pqrfos.dll Fri Dec 3 2004 1:50:52p ..S.R 222,696 217.48 K
C:\WINNT\SYSTEM32\rhsser.dll Fri Dec 3 2004 1:39:44p ..S.R 225,679 220.39 K
C:\WINNT\SYSTEM32\wansta.dll Thu Dec 2 2004 2:20:20p ..S.R 225,679 220.39 K
________________________________________________

1,135 items found: 1,135 files (22 H/S), 0 directories.
Total of file sizes: 220,778,135 bytes 210.55 M

Administrator Account = True

--------------------End log---------------------


I have not restarted or logged off Windows. Awaiting further instructions before I do anything.

Jroth

Edited by jrothca, 07 December 2004 - 03:57 PM.
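An added example, not part of jrothca's post or of find.bat, showing how a helper reads the two blocks above that matter most. In the Notify export every stock subkey names its DLL by bare file name (crypt32.dll, cscdll.dll, WlNotify.dll), while the Explorer subkey loads C:\WINNT\system32\lvls0937e.dll by full path; winlogon loads that DLL at every logon whether or not IE is running, and the Locate.com listing shows the same DLL among two dozen hidden system+read-only DLLs of almost the same size. The script flags both patterns. KNOWN_NOTIFY_DLLS and the 200 to 240 KB size band are assumptions taken from this log, not an authoritative list, and the excerpts embedded in the code are copied from the post above.

```python
"""Triage for the find.bat output above.  Added example, not part of the
thread or of find.bat.  Two checks: Winlogon\\Notify subkeys whose DLL is not
a stock package, and hidden system+read-only DLLs in system32 grouped by size."""
import re
from collections import defaultdict

# Stock Notify packages present in this log (Windows 2000 with ATI drivers).
# Assumption: an allow-list for this machine, not an authoritative one.
KNOWN_NOTIFY_DLLS = {
    "ati2evxx.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll",
}

# Excerpt of the "Keys Under Notify" export from the post above.
NOTIFY_EXCERPT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"DllName"="C:\\WINNT\\system32\\lvls0937e.dll"
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
'''

# Excerpt of the Locate.com listing from the same post.
LOCATE_EXCERPT = """
beowser.dll Mon Nov 29 2004 1:52:18p ..S.R 225,621 220.33 K
lvls09~1.dll Mon Dec 6 2004 5:52:44p ..S.R 223,014 217.79 K
mvnol9~1.dll Mon Nov 29 2004 2:01:18p ..S.R 225,621 220.33 K
tbps.ini Tue Dec 7 2004 12:50:16p ..S.R 551 0.54 K
"""


def _decode_value(raw):
    """REGEDIT4 value text: a quoted string, or hex(2) (REG_EXPAND_SZ) bytes."""
    if raw.startswith('"'):
        return raw.strip('"').replace("\\\\", "\\")
    m = re.match(r"hex\(2\):(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b)
        return data.decode("latin-1").rstrip("\x00")
    return raw


def parse_notify(regedit_text):
    """{subkey: {value_name_lower: value}} for every Winlogon\\Notify\\<subkey>."""
    keys, current = {}, None
    for line in regedit_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            if "\\Winlogon\\Notify\\" in line:
                current = line.rsplit("\\", 1)[1].rstrip("]")
                keys[current] = {}
            else:
                current = None
        elif current and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"').lower()] = _decode_value(raw)
    return keys


def suspect_notify(keys):
    """Flag a subkey when DllName is an absolute path (stock entries give a bare
    name that winlogon resolves from system32) or the name is not allow-listed."""
    out = {}
    for subkey, vals in keys.items():
        dll = vals.get("dllname", "")
        base = dll.rsplit("\\", 1)[-1].lower()
        if "\\" in dll or base not in KNOWN_NOTIFY_DLLS:
            out[subkey] = dll
    return out


LOCATE_RE = re.compile(
    r"^(?P<name>\S+)\s+\w{3} \w{3}\s+\d+ \d{4} [\d:]+[ap]\s+(?P<attr>[.A-Z]+)\s+(?P<size>[\d,]+)"
)


def parse_locate(listing):
    """(name, attribute flags, size in bytes) for each Locate.com line."""
    rows = []
    for line in listing.splitlines():
        m = LOCATE_RE.match(line.strip())
        if m:
            rows.append((m["name"], m["attr"], int(m["size"].replace(",", ""))))
    return rows


def size_clusters(rows, lo=200_000, hi=240_000):
    """Group system+read-only DLLs whose size falls in the band seen in this log
    (assumption: the band comes from the listing above, not from a fixed rule)."""
    groups = defaultdict(list)
    for name, attr, size in rows:
        if "S" in attr and "R" in attr and name.lower().endswith(".dll") and lo <= size <= hi:
            groups[size].append(name)
    return dict(groups)


if __name__ == "__main__":
    for subkey, dll in suspect_notify(parse_notify(NOTIFY_EXCERPT)).items():
        print(f"Notify\\{subkey} loads {dll}")
    for size, names in size_clusters(parse_locate(LOCATE_EXCERPT)).items():
        print(f"{size:>8} bytes: {', '.join(names)}")
```

Run it as-is to see the two findings on the excerpts; point parse_notify at the full export to check every subkey, and parse_locate at the full listing to see that the 22 DLLs fall into a handful of sizes.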


#10 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 07 December 2004 - 04:55 PM

Hi

Disconnect from the internet.

Start Killbox and click on Tools --> Select Delete Temp Files. Click OK.


When that finishes, copy and paste each of the following lines into the Full Path of File to Delete box in Killbox, and click the red button with the white X on it after each.

After each file press the Delete button (the button that looks like a red circle with a white X in it).

Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those in a minute:

C:\WINNT\SYSTEM32\beowser.dll

C:\WINNT\SYSTEM32\dhusic.dll


C:\WINNT\SYSTEM32\fp4603hse.dll

C:\WINNT\SYSTEM32\ir6ql5j51.dll

C:\WINNT\SYSTEM32\irj2l51o1.dll

C:\WINNT\SYSTEM32\irl2l53o1.dll

C:\WINNT\SYSTEM32\j60slgd7160.dll

C:\WINNT\SYSTEM32\k4080edueh080.dll

C:\WINNT\SYSTEM32\l08mlal11dq.dll


C:\WINNT\SYSTEM32\l6j8lg1u16.dll

C:\WINNT\SYSTEM32\lv4s09h7e.dll

C:\WINNT\SYSTEM32\lv6609jse.dll

C:\WINNT\SYSTEM32\lvhsvc.dll

C:\WINNT\SYSTEM32\lvls0937e.dll

C:\WINNT\SYSTEM32\mtswch.dll

C:\WINNT\SYSTEM32\mvnol9531.dll

C:\WINNT\SYSTEM32\nfdll.dll

C:\WINNT\SYSTEM32\o0rola931d.dll

C:\WINNT\SYSTEM32\pbfports.dll

C:\WINNT\SYSTEM32\pqrfos.dll

C:\WINNT\SYSTEM32\rhsser.dll

C:\WINNT\SYSTEM32\wansta.dll

C:\WINNT\SYSTEM32\Guard.tmp



For the files that it either couldn't find or couldn't delete, run Killbox again, but this time put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer "No" until after you've pasted the last file name, at which time you should answer "Yes".

Perform a full scan here: BitDefender Free Online Virus Scan
Follow the instructions on the screen.
Tick all the boxes on the left and let it remove anything it finds.

Run Find.bat, DLLCompare and HijackThis again and post the logs, please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

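An added example of what the "Delete on Reboot" option in the step above relies on (example code, not Killbox's own, and whether Killbox uses exactly this call is not stated in the thread). Windows records deferred deletes in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and Session Manager carries them out at the next boot before winlogon starts, which is why it works on a file that is locked or re-created while the system is up. LEFTOVERS is a constructed subset of the file list; the documented API call is MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT.

```python
"""The mechanism behind a "Delete on Reboot" queue.  Added example, not
Killbox's own code.  Windows keeps deferred moves and deletes in the
REG_MULTI_SZ value PendingFileRenameOperations under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager as (source,
destination) pairs in NT path form; an empty destination means delete.
Session Manager applies the list early in the next boot, before winlogon or
Explorer can load the DLLs again."""
import ctypes
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4      # documented MoveFileEx flag

# Constructed subset of the list in the post above, standing in for the files
# the first Killbox pass reported as locked or missing.
LEFTOVERS = [
    r"C:\WINNT\SYSTEM32\lvls0937e.dll",
    r"C:\WINNT\SYSTEM32\lv6609jse.dll",
    r"C:\WINNT\SYSTEM32\Guard.tmp",
]


def nt_path(win_path):
    """Win32 path -> the \\??\\ form that PendingFileRenameOperations stores."""
    return win_path if win_path.startswith("\\??\\") else "\\??\\" + win_path


def pending_delete_entries(paths):
    """Source/destination pairs that delete each path at the next boot."""
    entries = []
    for p in paths:
        entries.append(nt_path(p))
        entries.append("")                 # empty destination = delete source
    return entries


def parse_pending(entries):
    """Read the pair list back into {source: action}, so a queued plan can be
    checked before rebooting.  A '!' on the destination means 'replace
    existing', which is how installers swap in-use binaries."""
    plan = {}
    for src, dst in zip(entries[0::2], entries[1::2]):
        plan[src] = "delete" if dst == "" else "rename to " + dst.lstrip("!")
    return plan


def schedule_delete_on_reboot(paths):
    """Windows only: MoveFileExW(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) appends
    a delete pair for each path.  Needs an administrator token; the call only
    records the request, the delete itself happens at boot."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    move = ctypes.windll.kernel32.MoveFileExW
    for p in paths:
        if not move(p, None, MOVEFILE_DELAY_UNTIL_REBOOT):
            raise ctypes.WinError()


if __name__ == "__main__":
    for src, action in parse_pending(pending_delete_entries(LEFTOVERS)).items():
        print(f"{action:8s} {src}")
    if sys.platform == "win32" and "--apply" in sys.argv:
        schedule_delete_on_reboot(LEFTOVERS)
        print("queued; check the value in regedit, then reboot")
```

The pure functions run anywhere and show what the queue will contain; the MoveFileExW call runs only on Windows and needs an administrator logon. Before rebooting, open the Session Manager key in regedit and confirm each path appears as a pair with a blank second line: a file that never shows up there was not queued and will still be present after the restart.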

#11 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 07 December 2004 - 05:03 PM

Download KillBox here: KillBox. Unzip it to your desktop.

#12 jrothca

jrothca
  • Topic Starter

  • Members
  • 15 posts

Posted 07 December 2004 - 05:16 PM

What's Killbox and where do I get it?

#13 jrothca

jrothca
  • Topic Starter

  • Members
  • 15 posts

Posted 07 December 2004 - 05:17 PM

Sorry, I did not look at the entire post. I know what Killbox is now.

#14 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 07 December 2004 - 05:17 PM

Read my message above :thumbsup:. Sorry.

#15 jrothca

jrothca
  • Topic Starter

  • Members
  • 15 posts

Posted 07 December 2004 - 07:26 PM

Hi-

I did the online virus scan and it found and removed some trojans; some could not be deleted, though. I saved a log file of that virus scan if you would like to see it to help you diagnose. I ran the 3 scans and the logs are below.

1. find.bat

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is A09A-2EAE

Directory of C:\WINNT\System32

12/07/2004 04:16p 554 TBPS.ini
12/07/2004 12:56p <DIR> dllcache
05/14/2004 12:35p 32 {5A6ECA8F-C160-40AD-9B90-89C7FB72D9AC}.dat
05/14/2004 12:34p 32 {81E98C23-A1F6-46FC-89F0-90700C159934}.dat
05/14/2004 12:33p 32 {4760909A-B5C5-4020-8DC6-5548D3391D7A}.dat
05/14/2004 12:32p 32 {E2DAE607-DCC1-43B5-A19A-CA561552D4C2}.dat
05/14/2004 12:32p 32 {C9DA2155-6CF7-4862-B9A1-23D21EE59914}.dat
05/14/2004 12:32p 32 {60B2FA97-4F85-43AE-B9F5-952614406376}.dat
05/14/2004 12:31p 32 {E23E0153-451A-4828-BE4A-0CE020E0B519}.dat
8 File(s) 778 bytes
1 Dir(s) 2,197,737,472 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is A09A-2EAE

Directory of C:\WINNT\System32

12/07/2004 12:56p <DIR> dllcache
05/14/2004 12:35p 32 {5A6ECA8F-C160-40AD-9B90-89C7FB72D9AC}.dat
05/14/2004 12:34p 32 {81E98C23-A1F6-46FC-89F0-90700C159934}.dat
05/14/2004 12:33p 32 {4760909A-B5C5-4020-8DC6-5548D3391D7A}.dat
05/14/2004 12:32p 32 {E2DAE607-DCC1-43B5-A19A-CA561552D4C2}.dat
05/14/2004 12:32p 32 {C9DA2155-6CF7-4862-B9A1-23D21EE59914}.dat
05/14/2004 12:32p 32 {60B2FA97-4F85-43AE-B9F5-952614406376}.dat
05/14/2004 12:31p 32 {E23E0153-451A-4828-BE4A-0CE020E0B519}.dat
05/13/2004 07:49p <DIR> GroupPolicy
05/13/2004 07:43p 271 desktop.ini
05/13/2004 07:43p 21,692 folder.htt
9 File(s) 22,187 bytes
2 Dir(s) 2,197,733,376 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is A09A-2EAE

Directory of C:\WINNT\System32

12/07/2004 02:52p 223,014 guard.tmp
1 File(s) 223,014 bytes
0 Dir(s) 2,197,733,376 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is A09A-2EAE

Directory of C:\WINNT\System32

12/07/2004 02:52p 223,014 guard.tmp
12/07/1999 04:00a 2,577 CONFIG.TMP
2 File(s) 225,591 bytes
0 Dir(s) 2,197,733,376 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{7B32D2B2-524A-4CA6-832B-88E707461336}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\lv6609jse.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------


C:\WINNT\SYSTEM32\
tbps.ini Tue Dec 7 2004 4:16:44p ..S.R 554 0.54 K

1 item found: 1 file, 0 directories.
Total of file sizes: 554 bytes 0.54 K


2. DllCompare

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :thumbsup:"
________________________________________________

1,113 items found: 1,113 files, 0 directories.
Total of file sizes: 215,412,962 bytes 205.43 M

Administrator Account = True

--------------------End log---------------------

3. HiJackThis

Logfile of HijackThis v1.98.2
Scan saved at 4:25:22 PM, on 12/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SED\SED.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\WINNT\system32\yiqkkr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\explorer.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvrfe32.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5100F20A-F821-4361-93F3-1DD17EA3FF6A}: NameServer = 204.97.212.10,199.2.252.10
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
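An added example (not from the thread or from HijackThis) that runs three checks over the log above. The O1 lines pin auto.search.msn.com, search.netscape.com and ieautosearch to one address, 69.20.16.183, so IE's address-bar search requests go to that host instead; the O10 lines show an LSP DLL, calsp.dll, that HijackThis could not identify; and toolbar.dll is registered as URLSearchHook (R3), BHO (O2), toolbar (O3) and protocol handler (O18), so those four entries are one package. HJT_EXCERPT is copied from the log above; the LOCAL_IPS set and the two-hostname threshold are assumptions.

```python
"""Three checks over the HijackThis log above.  Added example, not part of the
thread or of HijackThis: it turns the flat line list into the findings a helper
reads out of it by hand."""
import re
from collections import defaultdict

# Lines copied from the log above, trimmed to the ones these checks use.
HJT_EXCERPT = r"""
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvrfe32.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
"""

LINE_RE = re.compile(r"^(?P<sec>R\d|O\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+\.(?:dll|exe)', re.IGNORECASE)
HOSTS_RE = re.compile(r"Hosts:\s+(\S+)\s+(\S+)")
LOCAL_IPS = {"127.0.0.1", "0.0.0.0"}     # assumption: addresses a blocklist would use


def parse_hjt(text):
    """[(section, body)] for every 'Rn - ...' / 'On - ...' line."""
    items = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            items.append((m["sec"], m["body"]))
    return items


def hosts_redirects(items):
    """O1: hostnames grouped by the address they are pinned to.  Several search
    hostnames on one non-local address is a redirect worth looking at; a
    blocklist would point them at a local address instead."""
    by_ip = defaultdict(set)
    for sec, body in items:
        m = HOSTS_RE.match(body) if sec == "O1" else None
        if m:
            by_ip[m[1]].add(m[2].lower())
    return {ip: sorted(h) for ip, h in by_ip.items() if ip not in LOCAL_IPS and len(h) >= 2}


def lsp_unknown(items):
    """O10: Winsock LSP DLLs HijackThis could not match.  An LSP sits inside
    every socket the machine opens, so it is removed with an LSP-aware tool
    that repairs the chain, not by deleting the file."""
    found = set()
    for sec, body in items:
        if sec == "O10" and "Unknown file" in body:
            found.add(body.split(":", 1)[1].strip().lower())
    return sorted(found)


def components_by_path(items):
    """Group hook points by the binary they load.  One DLL registered as
    URLSearchHook, BHO, toolbar and protocol handler is one package and is
    removed as a unit."""
    out = defaultdict(set)
    for sec, body in items:
        for path in PATH_RE.findall(body):
            out[path.lower()].add(sec)
    return {p: sorted(s) for p, s in out.items() if len(s) >= 2}


if __name__ == "__main__":
    items = parse_hjt(HJT_EXCERPT)
    print("hosts redirects:", hosts_redirects(items))
    print("unknown LSP    :", lsp_unknown(items))
    print("shared binaries:", components_by_path(items))
```

The O17 NameServer line, the O4 entry that starts kalvrfe32.exe from system32, and yiqkkr.exe in the running-process list are left for manual review; the script deliberately does not guess at those.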



