
Help with a bad HiJACK


2 replies to this topic

#1 Spyrus

Spyrus

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:10 AM

Posted 08 December 2004 - 05:29 PM

Ok, I have been reading this thread
http://www.bleepingcomputer.com/forums/ind...=15&#entry40571
and it looks like the problem I might have.

I have copies of my logs for you
VX2 LOG
Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
MediaContentIndex
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

Guardian Key--- :

User Agent String---
{80544F0F-75D0-4488-BA6C-D9C5DE088212}

OTHER LOG *************************************************
12/08/2004 04:23 PM 223,161 mgpmsnsv.dll
12/08/2004 04:22 PM 222,756 n68olgl316q.dll
12/08/2004 03:40 PM 222,756 sgayerxp.dll
12/08/2004 03:38 PM 223,161 en82l1lo1.dll
12/08/2004 03:30 PM 223,161 rVstapi.dll
12/08/2004 03:08 PM 222,756 SFLFREG.DLL
12/08/2004 02:54 PM 223,161 krdhe.dll
12/08/2004 02:42 PM 222,756 njshrui.dll
12/08/2004 12:23 PM 223,130 qgdwipes.dll
12/08/2004 11:46 AM 222,756 nswmsdrm.dll
12/08/2004 11:46 AM 223,851 irr0l59m1.dll
12/08/2004 11:02 AM 630 TBPS.ini
12/07/2004 07:02 PM 222,660 p64ulgh9164.dll
12/03/2004 05:41 PM 226,154 kgdbu.dll
12/03/2004 02:53 PM 226,154 uprdtea.dll
12/03/2004 02:42 PM 224,687 mvencode.dll
12/03/2004 02:37 PM 224,687 kvdfi.dll
12/03/2004 02:36 PM 223,003 g4jo0e13eh.dll
12/03/2004 02:18 PM 223,003 ns4_disp.dll
12/03/2004 02:14 PM 223,003 rlgapi.dll
12/03/2004 02:13 PM 223,452 irp0l57m1.dll
12/03/2004 02:05 PM 223,452 ooe2.dll
12/03/2004 01:58 PM 223,003 pbrfnet.dll
12/03/2004 12:45 PM 223,558 agicap32.dll
12/03/2004 10:44 AM 223,003 mjidle.dll
12/03/2004 10:37 AM 223,003 dilay.dll
12/03/2004 09:27 AM 226,179 enjsl1171.dll
12/02/2004 09:28 PM 226,179 nlshrui.dll
12/02/2004 05:32 PM 224,664 ckmuid.dll
12/02/2004 04:48 PM 224,525 xhlprovi.dll
12/02/2004 04:10 PM 226,074 le32.dll
12/02/2004 03:47 PM 224,525 nkevent.dll
12/02/2004 02:58 PM 226,074 ioaksie.dll
12/02/2004 01:56 PM 224,525 kndusr.dll
12/02/2004 01:13 PM <DIR> Microsoft
12/02/2004 12:20 PM 224,100 vnscript.dll
12/01/2004 08:49 PM 222,630 westream.dll
12/01/2004 08:31 PM 225,804 oetext32.dll
12/01/2004 07:53 PM 224,985 swreamci.dll
12/01/2004 05:02 PM 223,846 pjgfilt.dll
12/01/2004 04:59 PM 222,595 mxglibnt.dll
12/01/2004 04:25 PM 225,887 nddsapi.dll
12/01/2004 03:58 PM 224,531 mblbui.dll
12/01/2004 02:33 PM 225,406 ssdoclc.dll
11/30/2004 07:21 PM 224,531 dGha32.dll
11/30/2004 07:10 PM 225,776 ir42l5ho1.dll
11/23/2004 02:23 AM 3,347 exozp.txt
11/18/2004 02:35 PM 7,305 fwwxc.dat
11/10/2004 08:19 PM 99,253 d3ha32.dll
11/04/2004 10:27 AM 385,024 w?nspool.exe
10/24/2002 08:12 PM <DIR> dllcache
49 File(s) 10,354,622 bytes
2 Dir(s) 35,747,495,936 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive D has no label.
Volume Serial Number is 1328-1100

Directory of D:\WINDOWS\System32

11/23/2004 02:23 AM 3,347 exozp.txt
11/18/2004 02:35 PM 7,305 fwwxc.dat
11/10/2004 08:19 PM 99,253 d3ha32.dll
11/04/2004 10:27 AM 385,024 w?nspool.exe
10/24/2002 08:36 PM 488 WindowsLogon.manifest
10/24/2002 08:36 PM 488 logonui.exe.manifest
10/24/2002 08:36 PM 749 wuaucpl.cpl.manifest
10/24/2002 08:36 PM 749 cdplayer.exe.manifest
10/24/2002 08:36 PM 749 sapi.cpl.manifest
10/24/2002 08:36 PM 749 nwc.cpl.manifest
10/24/2002 08:36 PM 749 ncpa.cpl.manifest
10/24/2002 08:12 PM <DIR> dllcache
11 File(s) 499,650 bytes
1 Dir(s) 35,747,463,168 bytes free

---------- Files Named "Guard" -------------

Volume in drive D has no label.
Volume Serial Number is 1328-1100

Directory of D:\WINDOWS\System32

12/08/2004 04:46 PM 223,161 guard.tmp
1 File(s) 223,161 bytes
0 Dir(s) 35,747,430,400 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive D has no label.
Volume Serial Number is 1328-1100

Directory of D:\WINDOWS\System32

12/08/2004 04:46 PM 223,161 guard.tmp
08/03/2004 11:56 PM 1,236,480 ~GLH001a.TMP
08/03/2004 11:56 PM 1,236,480 ~GLH0015.TMP
08/23/2001 12:00 PM 2,577 CONFIG.TMP
4 File(s) 2,698,698 bytes
0 Dir(s) 35,747,397,632 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{80544F0F-75D0-4488-BA6C-D9C5DE088212}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MediaContentIndex]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\en82l1lo1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------

-------------- Locate.com Results ---------------

Hope you guys can help ASAP, thanks.
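A defender-side triage of the "Keys Under Notify" export in the post above, added as an example that is not part of the original post and not code from the VX2 finder tool that produced the log. Winlogon notification packages are DLLs that winlogon.exe loads and calls on logon, logoff and similar events, so a Notify subkey whose DllName points at a freshly created, randomly named DLL in System32 (in the log, MediaContentIndex pointing at en82l1lo1.dll) is the persistence entry to examine first, and it is consistent with the follow-up observation that winlogon.exe itself holds a network connection. The script parses a .reg export, decoding the hex(2) form of DllName that regedit uses for REG_EXPAND_SZ, and flags Notify entries that either use an absolute path or reference a DLL outside a stock baseline. The sample export is a trimmed copy of the one posted; the STOCK_NOTIFY_DLLS baseline is an assumption of this example built from the stock entries visible in the log, not a Microsoft list.

```python
import re

# Constructed sample: a trimmed copy of the REGEDIT4 "Keys Under Notify" export
# posted above (two stock Winlogon Notify packages plus the MediaContentIndex entry).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MediaContentIndex]
"Asynchronous"=dword:00000000
"DllName"="D:\\WINDOWS\\system32\\en82l1lo1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
'''

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumption: a baseline of the notification DLLs referenced by the stock entries
# in the posted log. It is not an official list; build your own from a clean
# machine of the same Windows build before trusting it.
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}


def decode_reg_value(raw, encoding="latin-1"):
    """Decode the right-hand side of a .reg 'name=value' line.

    Handles the three encodings seen in the posted export: quoted strings
    (REG_SZ), dword:, and hex(2): (REG_EXPAND_SZ written as comma-separated
    bytes). REGEDIT4 exports store one ANSI byte per character; version 5.00
    exports store UTF-16LE, which the caller selects via `encoding`.
    """
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) in ("1", "2"):  # REG_SZ / REG_EXPAND_SZ stored as bytes
            return data.decode(encoding).rstrip("\x00")
        return data  # REG_BINARY and everything else: raw bytes
    return raw


def parse_reg_export(text):
    """Parse a REGEDIT4 or 5.00 export into {key_path: {value_name: decoded_value}}."""
    encoding = "utf-16-le" if text.lstrip().startswith("Windows Registry Editor Version 5") else "latin-1"
    # Long hex values wrap onto continuation lines that end in a backslash.
    text = re.sub(r"\\\r?\n\s*", "", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("REGEDIT") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)  # "name"=value
            if m:
                keys[current][m.group(1)] = decode_reg_value(m.group(2), encoding)
    return keys


def find_suspicious_notify_entries(text):
    """Return [(subkey, dll)] for Notify packages whose DLL is not a stock one.

    Two signals: the DLL is given as an absolute path (stock entries use bare
    file names resolved from the system directory), or its file name is not in
    the baseline set.
    """
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            continue
        subkey = key.rsplit("\\", 1)[1]
        # Value names are case-insensitive; the export shows both "DllName" and "DLLName".
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if not isinstance(dll, str):
            continue
        has_path = "\\" in dll
        base = dll.rsplit("\\", 1)[-1].lower()
        if has_path or base not in STOCK_NOTIFY_DLLS:
            findings.append((subkey, dll))
    return findings


if __name__ == "__main__":
    for subkey, dll in find_suspicious_notify_entries(SAMPLE_EXPORT):
        print(f"non-stock Winlogon Notify package: {subkey} -> {dll}")
```

To run this against a live machine rather than the pasted sample, export the key with `reg export "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg`, read the file with `open("notify.reg", encoding="utf-16")` (reg.exe writes a Unicode version 5.00 file), and pass the text to find_suspicious_notify_entries. Anything it flags should be compared against the file's creation time and size in the System32 listing before being treated as malicious; the baseline is a heuristic, not proof.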



#2 Spyrus

Spyrus
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:10 AM

Posted 08 December 2004 - 06:02 PM

Sorry for the double post, but I meant to add that when I run tcpview.exe, a program from Sysinternals, I get a file called rundll32.exe that is connecting to the following IP:

69.20.20.161

Also, winlogon.exe is connecting to it too.

#3 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,594 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:10 AM

Posted 16 December 2004 - 12:11 PM

Hi Spyrus,

Sorry it took so long to get to you--we look for zero replies to posts, so you got missed for a while. If you are still having problems and haven't gotten help elsewhere, please resubmit new logs. The file names will change every time you reboot. Also please submit a HijackThis log.

Also have a look at the following thread and submit an AdAware log in a separate post (because it's so long) when it's set up as per those instructions.
http://www.bleepingcomputer.com/forums/fin...6513-43367.html

The thing about people

is they change

when they walk away.--Mipso




