
Winlogon.exe Making Kerio Say "intrusion Attempt Blocked," All The Time


  • This topic is locked
2 replies to this topic

#1 sylense

  • Members
  • 1 posts

Posted 28 August 2006 - 06:32 PM

OK, so glad people like you are in one place. I have been having some major issues with trojans, spyware, malware, etc. I've run several fixers including Spyware Doctor, ewido, Lavasoft Ad-Aware SE Personal, and WinAntiVirus Pro, which I paid fifty bucks for only to find out, after looking around when it failed during installation, that it is not legitimate, so I uninstalled it. My Internet Explorer (which I do not use; I use Firefox) constantly pops up with links to nowhere, since I have Kerio Firewall set to deny all IE launches. I have this blinking yellow triangle with a black exclamation point in the startup tray where it displays the time. A bubble comes out of it telling how I got this or that and to click on it. Every time I run a clean-up program it comes up with new things, and I've been doing it several times a day. I think my MySpace account even got stolen because of all this, which I realize isn't important in the spectrum of things, but for security reasons I'm uneasy to learn this. I turn off my modem when I'm not directly online, trying to cut off anything trying to do stuff when I'm not around. I'm at my wits' end here, shy of burning what I need and reformatting the disk. Man, please help; here is my HijackThis report. I know I have several things not right that I know of; I'm scared to know how many more things are wrong. I really want to get the winlogon thing fixed (my firewall pops up a message stating that winlogon.exe is a blocked intruder; well, Kerio blocked it and says it is an intrusion) and I know the ishost, ismon and others are not supposed to be there, I just can't get rid of them. Thank you in advance for taking the time to help me with this. ~Jessica aka sylense

Logfile of HijackThis v1.99.1
Scan saved at 12:58:42 PM, on 8/23/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\gearsec.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\ishost.exe
C:\WINNT\System32\ismon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\6b50dca6.exe
C:\WINNT\thiselt.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Companion Wizard\compwiz.exe
C:\DOCUME~1\SYLENS~1.SKU\MYDOCU~1\ASKS~1\wuaclt.exe
C:\WINNT\W?nSxS\?ttrib.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\System32\issearch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\TEMP\win1B.tmp.exe
C:\WINNT\System32\mdm.exe
C:\unzipped\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [6b50dca6.exe] C:\WINNT\System32\6b50dca6.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINNT\thiselt.exe
O4 - HKLM\..\Run: [owq5e3cf] RUNDLL32.EXE w30f5b10.dll,n 0035e3cc0000000230f5b10
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\Duce6.exe
O4 - HKLM\..\Run: [CompanionWizard] "C:\Program Files\Common Files\Companion Wizard\compwiz.exe" /silent
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "-embedding [url="http://iesettingsupdate""]http://iesettingsupdate"[/url]
O4 - HKCU\..\Run: [6b50dca6.exe] C:\Documents and Settings\Sylense P. Skunk\Local Settings\Application Data\6b50dca6.exe
O4 - HKCU\..\Run: [Etcn] "C:\DOCUME~1\SYLENS~1.SKU\MYDOCU~1\ASKS~1\wuaclt.exe" -vt yazr
O4 - HKCU\..\Run: [Aqdjlx] C:\WINNT\W?nSxS\?ttrib.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINNT\System32\urroxtl.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINNT\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe



Hey, quick edit. I also ran ComboFix; here's that too while we're at it.

Sylense P. Skunk - Mon 08/28/2006 19:38:13.56
ComboFix 06.08.27BT - Running from: C:\Documents and Settings\Sylense P. Skunk\Desktop

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\Duce6.exe
C:\WINNT\tool3.exe
C:\WINNT\tool4.exe
C:\WINNT\tool5.exe
C:\WINNT\system32\ishost.exe
C:\WINNT\system32\ismon.exe
C:\WINNT\system32\isnotify.exe
C:\WINNT\system32\issearch.exe
C:\WINNT\justin.exe
C:\WINNT\thiselt.exe
C:\WINNT\uninst104.exe
C:\WINNT\uninstall_nmon.vbs
C:\WINNT\system32\ixt0.dll
C:\WINNT\system32\ixt1.dll
C:\WINNT\system32\ixt2.dll
C:\WINNT\system32\ixt3.dll
C:\WINNT\system32\ixt4.dll
C:\Documents and Settings\Default User.WINNT\Application Data\NetMon
C:\Documents and Settings\sylense1\My Documents\New Folder\Win98\tools\reskit\netadmin\netmon
C:\Program Files\Cowabanga
C:\Program Files\Inetget2
C:\Program Files\Common Files\{D84926EA-0725-1033-1125-030821030001}
C:\WINNT\system32\ishost.exe
C:\WINNT\system32\ismon.exe
C:\WINNT\system32\isnotify.exe
C:\WINNT\system32\issearch.exe
C:\WINNT\thiselt.exe
C:\WINNT\system32\ixt4.dll
C:\WINNT\system32\components

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\YMANTE~1
C:\QooBox\Purity\WINNT\WNSXS~1
C:\QooBox\Purity\WINNT\WNSXS~1\?ttrib.exe


((((((((((((((((((((((((((((((( Files Created from 2006-07-28 to 2006-08-28 ))))))))))))))))))))))))))))))))))


2006-08-27 00:40 499,712 --a------ C:\WINNT\system32\msvcp71.dll
2006-08-27 00:40 348,160 --a------ C:\WINNT\system32\msvcr71.dll
2006-08-27 00:40 106,496 --a------ C:\WINNT\system32\atl71.dll
2006-08-27 00:40 1,060,864 --a------ C:\WINNT\system32\mfc71.dll
2006-08-27 00:33 923,872 ---hs---- C:\WINNT\system32\ggjlm.bak2
2006-08-25 04:40 24,576 --a------ C:\WINNT\system32\STKIT432.DLL
2006-08-25 04:18 51,754 --a------ C:\WINNT\g59556531.dll
2006-08-24 11:16 925,177 ---hs---- C:\WINNT\system32\ggjlm.ini2
2006-08-23 18:15 19,456 --a------ C:\WINNT\system32\ixt4.dll
2006-08-23 14:37 78,378 --a------ C:\WINNT\g1269750.dll
2006-08-22 20:27 658,432 --a------ C:\WINNT\is-0I1B2.exe
2006-08-22 03:21 61,952 --a------ C:\WINNT\system32\owq5e3cf.dll
2006-08-22 03:21 29,696 --a------ C:\WINNT\system32\w30f5b10.dll
2006-08-22 03:21 214,748 --a------ C:\WINNT\Setup90.exe
2006-08-22 03:21 2,560 --a------ C:\WINNT\ac3_0002.exe
2006-08-22 03:21 1,233 --a------ C:\WINNT\system32\owq5e3cf.sys
2006-08-22 03:20 36,864 --a------ C:\WINNT\thiselt.exe
2006-08-22 03:15 13,844 --a------ C:\WINNT\system32\ymcypadi.exe
2006-08-22 03:14 573,492 ---hs---- C:\WINNT\system32\mljgg.dll
2006-08-22 03:10 8,820 --a------ C:\WINNT\system32\isnotify.exe
2006-08-22 03:10 5,120 --a------ C:\WINNT\system32\ismon.exe
2006-08-22 03:10 40,973 ---hs---- C:\WINNT\system32\wvurqnn.dll
2006-08-22 03:10 34,832 --a------ C:\WINNT\system32\ishost.exe
2006-08-22 03:10 30,720 --a------ C:\WINNT\system32\issearch.exe
2006-08-22 03:10 18,944 --a------ C:\WINNT\system32\winjks32.dll
2006-08-22 03:10 13,312 --a------ C:\WINNT\system32\6b50dca6.exe
2006-08-21 11:36 78,848 --a------ C:\WINNT\system32\nsi20.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-28 19:49 -------- d-a------ C:\Program Files\Common Files
2006-08-28 18:58 -------- d-a------ C:\Program Files\Mozilla Firefox
2006-08-28 04:01 -------- d-------- C:\Documents and Settings\Sylense P. Skunk\Application Data\Registry Booster
2006-08-28 03:49 -------- d-------- C:\Program Files\Uniblue
2006-08-27 01:43 -------- d-------- C:\Program Files\SysProtect Free
2006-08-27 01:17 -------- d-------- C:\Program Files\Sunbelt Software
2006-08-27 01:12 -------- d-a------ C:\Program Files\Kerio
2006-08-27 00:54 -------- d-------- C:\Program Files\Common Files\Companion Wizard
2006-08-26 15:02 -------- d-------- C:\Program Files\FinePixViewer
2006-08-25 04:40 -------- d-------- C:\Program Files\Registry Mechanic
2006-08-23 18:26 -------- d-a------ C:\Program Files\Internet Explorer
2006-08-23 18:01 -------- d-a------ C:\Program Files\Windows Media Player
2006-08-23 18:01 -------- d-------- C:\Program Files\Adaptec
2006-08-23 17:48 -------- d-a------ C:\Program Files\Spyware Doctor
2006-08-22 19:08 -------- d-------- C:\Program Files\The Weather Channel FW
2006-08-22 17:28 -------- d-a------ C:\Program Files\NSA Software
2006-08-16 12:56 -------- d-a------ C:\Program Files\mIRC
2006-07-25 02:18 -------- d---s---- C:\Documents and Settings\Sylense P. Skunk\Application Data\Microsoft
2006-07-18 13:54 -------- d-a------ C:\Program Files\Call of Duty
2006-07-18 12:02 91672 --a------ C:\WINNT\system32\drivers\khips.sys
2006-07-18 12:02 284184 --a------ C:\WINNT\system32\drivers\fwdrv.sys
2006-07-12 12:07 -------- d-a------ C:\Program Files\Common Files\Adaptec Shared
2006-07-08 00:23 -------- d-------- C:\Program Files\Freeze.com
2006-07-02 01:15 -------- d-------- C:\Documents and Settings\Sylense P. Skunk\Application Data\wsInspector
2006-07-02 00:40 271 ---h----- C:\Program Files\desktop.ini
2006-07-02 00:40 21952 ---h-c--- C:\Program Files\folder.htt
2006-07-02 00:40 0 ---h-c--- C:\CONFIG.SYS
2006-07-02 00:40 0 ---h-c--- C:\AUTOEXEC.BAT
2006-07-02 00:39 -------- d-a------ C:\Program Files\Outlook Express
2006-07-02 00:39 -------- d-a------ C:\Program Files\NetMeeting
2006-07-02 00:39 -------- d-a------ C:\Program Files\Common Files\System
2006-07-02 00:39 -------- d-a------ C:\Program Files\Common Files\Services
2006-07-02 00:09 -------- d-a------ C:\Program Files\Windows NT
2006-06-28 02:27 57344 --a------ C:\WINNT\uneng.exe
2006-06-19 14:38 53248 --a------ C:\WINNT\uni_ehhhh.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"owq5e3cf"="RUNDLL32.EXE w30f5b10.dll,n 0035e3cc0000000230f5b10"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aqdjlx"="C:\\WINNT\\W?nSxS\\?ttrib.exe"
"Uniblue Registry Booster"="C:\\Program Files\\Uniblue\\Registry Booster\\RegistryBooster.exe /S"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000
"NoActiveDesktop"=dword:00000001
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{259BA022-2005-45E9-A965-10EDB9C00618}"="Windowz Updater"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\h618
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgg
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjks32


Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\RoxioUpdator.job

Completion time: Mon 2006-08-28 19:52:17.85
ComboFix.txt

Edited by sylense, 28 August 2006 - 07:01 PM.
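Reading a HijackThis log by hand is error-prone, so here is an added example (not from the thread, and not HijackThis's own code) that splits the Oxx entries in the format shown above into records and lists the kinds of entries a helper would review first: Trusted Zone additions, SSODL loaders, services pointing at missing files, and Run entries with odd names or unrenderable path characters. The sample lines are copied from the log above; the triage heuristics are generic assumptions for a first pass, not a verdict on any particular entry.

```python
import re
from typing import List, NamedTuple, Optional

class HjtEntry(NamedTuple):
    section: str            # "O4", "O15", "O23", ...
    detail: str             # text after "Oxx - "
    path: Optional[str]     # first Windows file path in the entry, if any

# Constructed sample in the shape of the HijackThis v1.99.1 log above
# (a few lines copied from that log, not a complete scan).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [6b50dca6.exe] C:\WINNT\System32\6b50dca6.exe
O4 - HKLM\..\Run: [owq5e3cf] RUNDLL32.EXE w30f5b10.dll,n 0035e3cc0000000230f5b10
O4 - HKCU\..\Run: [Aqdjlx] C:\WINNT\W?nSxS\?ttrib.exe
O15 - Trusted Zone: *.elitemediagroup.net
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINNT\System32\urroxtl.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Drive letter, colon, backslash, shortest run up to a binary extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys)", re.IGNORECASE)
# Eight hex digits plus .exe, e.g. 6b50dca6.exe: a machine-generated name.
HEXNAME_RE = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)

def parse_hjt(text: str) -> List[HjtEntry]:
    """Split a HijackThis log into (section, detail, path) records."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            section, detail = m.groups()
            pm = PATH_RE.search(detail)
            out.append(HjtEntry(section, detail, pm.group(0) if pm else None))
    return out

def triage(entries: List[HjtEntry]) -> List[str]:
    """Return 'Oxx: reason (entry)' strings for entries to review first."""
    flags = []
    for e in entries:
        base = e.path.rsplit("\\", 1)[-1] if e.path else ""
        if e.section == "O4" and "?" in e.detail:
            # HijackThis prints '?' for characters it cannot render.
            flags.append(f"O4: unrenderable character in path ({e.detail})")
        elif e.section == "O4" and HEXNAME_RE.match(base):
            flags.append(f"O4: random-looking hex file name ({base})")
        elif e.section == "O4" and "RUNDLL32" in e.detail.upper() and not e.path:
            flags.append(f"O4: rundll32 loading a DLL given without a full path ({e.detail})")
        elif e.section == "O15":
            flags.append(f"O15: non-default Trusted Zone entry ({e.detail})")
        elif e.section == "O21":
            flags.append(f"O21: ShellServiceObjectDelayLoad entry ({e.detail})")
        elif e.section == "O23" and e.detail.endswith("(file missing)"):
            flags.append(f"O23: service points at a missing file ({e.detail})")
    return flags

if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE_LOG)):
        print(finding)
```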



#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 August 2006 - 11:06 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

There really is no way to secure your computer without first patching and updating Windows to close numerous security holes in your current system. Please visit Windows Update and install SP4.

http://windowsupdate.microsoft.com/

Once you have done that, please post a fresh hijackthis log back here as a reply in this thread.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 September 2006 - 06:11 PM

As there has been no response, this thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================
