
HJT Log - Rockhead


12 replies to this topic

#1 Rockhead

Rockhead

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:04 AM

Posted 10 December 2004 - 07:51 PM

Hi all,
I've run Spybot Search and Destroy (with all in depth search options listed on numerous help sites checked), Ad Aware, About Buster, LSPfix, etc.
As you can see from the log, I keep getting CRAP back (set explorer options to no hidden files, deleted items after booting in safe mode, etc), yet, for example, VBouncer is back again. I'm running XP, have updated that as well as all software above, running a firewall with Norton (2003 version though), as well as my D-Link router - which keeps picking up outbound signals of winlogon.exe to a-d-w-a-r-e.com.

I have just updated my internet security options (as recommended on this site!), and just installed Spyware Blaster.

What do I need to get rid of below to be done with all this junk?

I thank any and all in advance with any possible help.



Logfile of HijackThis v1.98.2
Scan saved at 7:43:16 PM, on 9/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = htt
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O16 - DPF: ConferenceRoom Java Client - http://irc.d2jsp.org:8000/java/cr.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab



#2 raw

raw

    Bleeping Hacker


  • Members
  • 2,577 posts
  • OFFLINE
  • Gender:Male
  • Location:Texas
  • Local time:02:04 AM

Posted 10 December 2004 - 09:18 PM

Please download FindIt.zip to your desktop, unzip it, then double-click on it to run it.
It should run for a few seconds, then open a text document.
Please copy and paste the contents of that document here.
Once that's done, close the text file and then press a key and the batch file will clean up after itself and end.
=====================================
Next, please download DLL Compare to your desktop.
Start Dll Compare, then click on "Run Locate.com". When it tells you that's finished, click on "Compare" at the bottom right. When that finishes, click "Make a Log of What was Found" and answer "Yes" to View Log file. Copy and paste the contents of that log here.

Please also open the c:\Windows\System32 folder and see if there's a file there called Guard.tmp visible and report that here as well.


 rawcreations.net          @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.


#3 Rockhead

Rockhead
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:04 AM

Posted 10 December 2004 - 10:28 PM

Thanks Raw,
Here's the FIND IT text - FYI, Locate.com came back blank (after a pop up stating "The system file is not suitable for running MS-DOS and Windows applications". I clicked on ignore).

I did not find c:\Windows\System32\Guard.tmp, but there is a lot of CRAP in there that I can't delete that shares the date modified date as the spyware.

Waiting for the next step - Thanks Again!


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C is DISK1PART01
Volume Serial Number is 3D97-885D

Directory of C:\WINDOWS\System32

09/10/2004 06:38 PM 223,634 kqdsmsfi.dll
09/10/2004 08:47 AM 223,871 k6800glme6qa0.dll
09/10/2004 02:20 AM 223,634 gpj0l31m1.dll
10/06/2002 10:56 PM 32 {FED696E2-3823-416B-94CF-D77874507BD3}.dat
10/06/2002 10:55 PM 32 {7264EB17-6BC2-4F06-BCD7-7A75A39A022A}.dat
10/06/2002 10:54 PM 32 {C97DEF23-129F-4F7B-B32D-199F7A961474}.dat
10/06/2002 10:53 PM 32 {7F9301F8-5639-4497-8BBE-7D2EFC648EDD}.dat
10/06/2002 10:53 PM 32 {A29C21BC-06A3-489E-8C2D-765F0582B4DB}.dat
10/06/2002 10:53 PM 32 {76CAC5F8-E47C-4672-A774-B0A3196F2EB3}.dat
10/06/2002 10:52 PM 32 {9A0755DF-A8D9-4DE8-A903-13BA98DC86CE}.dat
09/29/2002 09:28 PM <DIR> Microsoft
09/29/2002 08:48 PM <DIR> dllcache
10 File(s) 671,363 bytes
2 Dir(s) 23,960,322,048 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is DISK1PART01
Volume Serial Number is 3D97-885D

Directory of C:\WINDOWS\System32

10/06/2002 10:56 PM 32 {FED696E2-3823-416B-94CF-D77874507BD3}.dat
10/06/2002 10:55 PM 32 {7264EB17-6BC2-4F06-BCD7-7A75A39A022A}.dat
10/06/2002 10:54 PM 32 {C97DEF23-129F-4F7B-B32D-199F7A961474}.dat
10/06/2002 10:53 PM 32 {76CAC5F8-E47C-4672-A774-B0A3196F2EB3}.dat
10/06/2002 10:53 PM 32 {A29C21BC-06A3-489E-8C2D-765F0582B4DB}.dat
10/06/2002 10:53 PM 32 {7F9301F8-5639-4497-8BBE-7D2EFC648EDD}.dat
10/06/2002 10:52 PM 32 {9A0755DF-A8D9-4DE8-A903-13BA98DC86CE}.dat
09/29/2002 09:04 PM 488 logonui.exe.manifest
09/29/2002 09:04 PM 488 WindowsLogon.manifest
09/29/2002 09:03 PM 749 nwc.cpl.manifest
09/29/2002 09:03 PM 749 sapi.cpl.manifest
09/29/2002 09:03 PM 749 wuaucpl.cpl.manifest
09/29/2002 09:03 PM 749 cdplayer.exe.manifest
09/29/2002 09:03 PM 749 ncpa.cpl.manifest
09/29/2002 08:48 PM <DIR> dllcache
09/29/2002 08:29 PM 12,746 folder.htt
15 File(s) 17,691 bytes
1 Dir(s) 23,960,289,280 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is DISK1PART01
Volume Serial Number is 3D97-885D

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C is DISK1PART01
Volume Serial Number is 3D97-885D

Directory of C:\WINDOWS\System32

03/24/2003 03:18 PM 483,328 SETD.tmp
02/24/2003 01:32 PM 1,339,904 SETB.tmp
08/29/2002 07:14 AM 166,160 urlmon.dll.tmp
08/23/2001 12:00 PM 2,577 CONFIG.TMP
4 File(s) 1,991,969 bytes
0 Dir(s) 23,960,223,744 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{877CED62-63AB-4C3A-88A3-EB3438800DF4}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gpj0l31m1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------



#4 Rockhead

Rockhead
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:04 AM

Posted 11 December 2004 - 12:35 PM

Thanks for the follow up RAW, et al. Here's my new HJT Log, the Find it Output results, but the DLL compare results came back blank. No guard.tmp file in System32 folder, but Find It did delete a guard.txt file.


Logfile of HijackThis v1.98.2
Scan saved at 12:23:02 PM, on 12/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\HJT\HijackThis.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = htt
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O16 - DPF: ConferenceRoom Java Client - http://irc.d2jsp.org:8000/java/cr.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab




Find It output:


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C is DISK1PART01
Volume Serial Number is 3D97-885D

Directory of C:\WINDOWS\System32

09/10/2004 06:38 PM 223,634 kqdsmsfi.dll
09/10/2004 08:47 AM 223,871 k6800glme6qa0.dll
09/10/2004 02:20 AM 223,634 gpj0l31m1.dll
10/06/2002 10:56 PM 32 {FED696E2-3823-416B-94CF-D77874507BD3}.dat
10/06/2002 10:55 PM 32 {7264EB17-6BC2-4F06-BCD7-7A75A39A022A}.dat
10/06/2002 10:54 PM 32 {C97DEF23-129F-4F7B-B32D-199F7A961474}.dat
10/06/2002 10:53 PM 32 {7F9301F8-5639-4497-8BBE-7D2EFC648EDD}.dat
10/06/2002 10:53 PM 32 {A29C21BC-06A3-489E-8C2D-765F0582B4DB}.dat
10/06/2002 10:53 PM 32 {76CAC5F8-E47C-4672-A774-B0A3196F2EB3}.dat
10/06/2002 10:52 PM 32 {9A0755DF-A8D9-4DE8-A903-13BA98DC86CE}.dat
09/29/2002 09:28 PM <DIR> Microsoft
09/29/2002 08:48 PM <DIR> dllcache
10 File(s) 671,363 bytes
2 Dir(s) 23,925,784,576 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is DISK1PART01
Volume Serial Number is 3D97-885D

Directory of C:\WINDOWS\System32

10/06/2002 10:56 PM 32 {FED696E2-3823-416B-94CF-D77874507BD3}.dat
10/06/2002 10:55 PM 32 {7264EB17-6BC2-4F06-BCD7-7A75A39A022A}.dat
10/06/2002 10:54 PM 32 {C97DEF23-129F-4F7B-B32D-199F7A961474}.dat
10/06/2002 10:53 PM 32 {76CAC5F8-E47C-4672-A774-B0A3196F2EB3}.dat
10/06/2002 10:53 PM 32 {A29C21BC-06A3-489E-8C2D-765F0582B4DB}.dat
10/06/2002 10:53 PM 32 {7F9301F8-5639-4497-8BBE-7D2EFC648EDD}.dat
10/06/2002 10:52 PM 32 {9A0755DF-A8D9-4DE8-A903-13BA98DC86CE}.dat
09/29/2002 09:04 PM 488 logonui.exe.manifest
09/29/2002 09:04 PM 488 WindowsLogon.manifest
09/29/2002 09:03 PM 749 nwc.cpl.manifest
09/29/2002 09:03 PM 749 sapi.cpl.manifest
09/29/2002 09:03 PM 749 wuaucpl.cpl.manifest
09/29/2002 09:03 PM 749 cdplayer.exe.manifest
09/29/2002 09:03 PM 749 ncpa.cpl.manifest
09/29/2002 08:48 PM <DIR> dllcache
09/29/2002 08:29 PM 12,746 folder.htt
15 File(s) 17,691 bytes
1 Dir(s) 23,925,751,808 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is DISK1PART01
Volume Serial Number is 3D97-885D

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C is DISK1PART01
Volume Serial Number is 3D97-885D

Directory of C:\WINDOWS\System32

03/24/2003 03:18 PM 483,328 SETD.tmp
02/24/2003 01:32 PM 1,339,904 SETB.tmp
08/29/2002 07:14 AM 166,160 urlmon.dll.tmp
08/23/2001 12:00 PM 2,577 CONFIG.TMP
4 File(s) 1,991,969 bytes
0 Dir(s) 23,925,686,272 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{877CED62-63AB-4C3A-88A3-EB3438800DF4}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gpj0l31m1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------



#5 raw

raw

    Bleeping Hacker


  • Members
  • 2,577 posts
  • OFFLINE
  • Gender:Male
  • Location:Texas
  • Local time:02:04 AM

Posted 11 December 2004 - 04:31 PM

Please print these instructions out as there are many steps and you will not have internet access.

=========================

Download KillBox Here.
Unzip it to your desktop.

=========================

Please copy the text in the box below into Notepad and save it to your desktop as Fix.reg:

REGEDIT4

; a leading "-" on the key header tells regedit to delete the key (a bare header would only create it)
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
; "=-" deletes the value rather than setting it to an empty string
"{877CED62-63AB-4C3A-88A3-EB3438800DF4}"=-



Close all open windows and disconnect from the internet.

After doing that, double click the Fix.reg file you saved, and answer Yes to merging it to the registry.

=====================================

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = htt
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cg...look=stmpl1&fw=
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE

=========================

Start Killbox and click on Tools --> Select Delete Temp Files. Click OK.


When that finishes, copy and paste each of the following lines into the Full Path of File to Delete box in Killbox, and click the red button with the white X on it after each.

After each file press the Delete button (the button that looks like a red circle with a white X in it).

Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those in a minute:



C:\Program Files\se\v11\se.EXE
C:\Program Files\VBouncer\BundleOuter.EXE
C:\WINDOWS\SYSTEM32\kqdsmsfi.dll
C:\WINDOWS\SYSTEM32\k6800glme6qa0.dll
C:\WINDOWS\SYSTEM32\gpj0l31m1.dll
C:\WINNT\SYSTEM32\Guard.tmp



For the files that it either couldn't find or couldn't delete, run killbox again, but this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No" until after you've pasted the last file name, at which time you should answer "Yes".


Check if your Recycle Bin is OK. Create an empty TXT file and delete it.

If the Recycle Bin is damaged:
Click Start, Run and type cmd. Press OK.

A DOS window will open.

Type the following and then press Enter after typing each one:

attrib -h -s c:\recycler

del c:\recycler

Close the window and REBOOT.

Check if the Recycle Bin is OK. Please report back.


Run Find.bat, DLLCompare and HijackThis again and post the logs please.



#6 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:02:04 AM

Posted 12 December 2004 - 01:11 PM

Rockhead

When responding to a post from one of our HJT Team members, please reply in the same topic - click the Add Reply button. Do not create a new topic for your reply. This will cause confusion and a delay in the help you are receiving.

I merged your topics.
Every day is virus day. Do you know where your recovery CDs are?
Did you create them yet?


#7 Rockhead

Rockhead
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:04 AM

Posted 12 December 2004 - 10:27 PM

Cryo, thank you for the info, and for linking.
RAW, thanks for the help so far, here are the new Find.bat and HijackThis logs. DLL Compare still gets nothing when I run it.


Directory of C:\WINDOWS\System32

10/06/2002 10:56 PM 32 {FED696E2-3823-416B-94CF-D77874507BD3}.dat
10/06/2002 10:55 PM 32 {7264EB17-6BC2-4F06-BCD7-7A75A39A022A}.dat
10/06/2002 10:54 PM 32 {C97DEF23-129F-4F7B-B32D-199F7A961474}.dat
10/06/2002 10:53 PM 32 {76CAC5F8-E47C-4672-A774-B0A3196F2EB3}.dat
10/06/2002 10:53 PM 32 {7F9301F8-5639-4497-8BBE-7D2EFC648EDD}.dat
10/06/2002 10:53 PM 32 {A29C21BC-06A3-489E-8C2D-765F0582B4DB}.dat
10/06/2002 10:52 PM 32 {9A0755DF-A8D9-4DE8-A903-13BA98DC86CE}.dat
09/29/2002 09:28 PM <DIR> Microsoft
09/29/2002 08:48 PM <DIR> dllcache
7 File(s) 224 bytes
2 Dir(s) 24,054,104,064 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is DISK1PART01
Volume Serial Number is 3D97-885D

Directory of C:\WINDOWS\System32

10/06/2002 10:56 PM 32 {FED696E2-3823-416B-94CF-D77874507BD3}.dat
10/06/2002 10:55 PM 32 {7264EB17-6BC2-4F06-BCD7-7A75A39A022A}.dat
10/06/2002 10:54 PM 32 {C97DEF23-129F-4F7B-B32D-199F7A961474}.dat
10/06/2002 10:53 PM 32 {76CAC5F8-E47C-4672-A774-B0A3196F2EB3}.dat
10/06/2002 10:53 PM 32 {A29C21BC-06A3-489E-8C2D-765F0582B4DB}.dat
10/06/2002 10:53 PM 32 {7F9301F8-5639-4497-8BBE-7D2EFC648EDD}.dat
10/06/2002 10:52 PM 32 {9A0755DF-A8D9-4DE8-A903-13BA98DC86CE}.dat
09/29/2002 09:04 PM 488 logonui.exe.manifest
09/29/2002 09:04 PM 488 WindowsLogon.manifest
09/29/2002 09:03 PM 749 nwc.cpl.manifest
09/29/2002 09:03 PM 749 sapi.cpl.manifest
09/29/2002 09:03 PM 749 wuaucpl.cpl.manifest
09/29/2002 09:03 PM 749 cdplayer.exe.manifest
09/29/2002 09:03 PM 749 ncpa.cpl.manifest
09/29/2002 08:48 PM <DIR> dllcache
09/29/2002 08:29 PM 12,746 folder.htt
15 File(s) 17,691 bytes
1 Dir(s) 24,054,071,296 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is DISK1PART01
Volume Serial Number is 3D97-885D

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C is DISK1PART01
Volume Serial Number is 3D97-885D

Directory of C:\WINDOWS\System32

03/24/2003 03:18 PM 483,328 SETD.tmp
02/24/2003 01:32 PM 1,339,904 SETB.tmp
08/29/2002 07:14 AM 166,160 urlmon.dll.tmp
08/23/2001 12:00 PM 2,577 CONFIG.TMP
4 File(s) 1,991,969 bytes
0 Dir(s) 24,054,005,760 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{47E64464-42BE-4A70-95E3-44BB5EFC99E5}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Nls]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jt4o07h3e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------





HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 10:17:16 PM, on 12/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://http//www.yahoo.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
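
The Winlogon\Notify entries that FindIt and Silent Runners keep reporting in this thread (Setup pointing at gpj0l31m1.dll, then Nls pointing at jt4o07h3e.dll) are a persistence hook: winlogon.exe loads every DllName listed under that key at logon, which is why the router sees winlogon.exe talking out. As an added example, not code from the thread, from FindIt or from Silent Runners, the script below parses a REGEDIT4 dump of the Notify key, flags packages that are not in an assumed Windows XP SP2 baseline or whose DllName looks machine-generated, and emits a Fix.reg that uses the `[-key]` deletion syntax. The embedded dump is the "Keys Under Notify" section from the post above (a constructed input copied from the thread); the baseline list, the name heuristic and all function names are assumptions.

```python
"""Audit a REGEDIT4 dump of HKLM\\...\\Winlogon\\Notify and build a deletion .reg.

Constructed example for the BleepingComputer thread; not FindIt, Silent Runners
or HijackThis code. Runs offline on the embedded sample text.
"""
import re
from typing import Dict, List

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumed baseline: Notify packages shipped with Windows XP SP2. Maintain this per
# environment; anything outside it is reported rather than silently trusted.
KNOWN_PACKAGES = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Constructed input: the "Keys Under Notify" section of the FindIt output above.
SAMPLE_DUMP = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Nls]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jt4o07h3e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _unescape(raw: str) -> str:
    """REGEDIT4 string values are quoted; backslash and quote are escaped with '\\'."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(["\\])', r"\1", raw[1:-1])
    return raw  # dword:/hex: values are kept verbatim


def parse_regedit4(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] header to its "name"=value pairs (comments and header ignored)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = _unescape(m.group(2))
    return keys


def audit_notify(keys: Dict[str, Dict[str, str]], known=KNOWN_PACKAGES) -> List[dict]:
    """Report direct children of the Notify key that are unknown, empty, or oddly named."""
    findings = []
    prefix = NOTIFY_ROOT.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue  # skips the Notify root itself and unrelated keys
        subkey = key[len(prefix):]
        if "\\" in subkey:
            continue  # only direct children register Notify packages
        dll = values.get("DllName", "")
        reasons = []
        if subkey.lower() not in known:
            reasons.append("not a known Notify package")
        base = dll.rsplit("\\", 1)[-1].lower()
        stem = base[:-4] if base.endswith(".dll") else base
        # Heuristic (assumption): legitimate packages have word-like names; the
        # samples in this thread mix letters and digits (gpj0l31m1, jt4o07h3e).
        if dll and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem):
            reasons.append("DllName looks machine-generated: " + base)
        if not dll:
            reasons.append("no DllName (empty package left behind)")
        if reasons:
            findings.append({"subkey": subkey, "dll": dll, "reasons": reasons})
    return findings


def build_fix_reg(findings: List[dict]) -> str:
    """Emit a REGEDIT4 file; '[-key]' deletes a key, a bare '[key]' would only create it."""
    lines = ["REGEDIT4", ""]
    for f in findings:
        lines.append("; " + f["subkey"] + ": " + "; ".join(f["reasons"]))
        lines.append("[-" + NOTIFY_ROOT + "\\" + f["subkey"] + "]")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit_notify(parse_regedit4(SAMPLE_DUMP))
    for f in found:
        print(f["subkey"], "->", f["dll"] or "(no data)", "|", "; ".join(f["reasons"]))
    print(build_fix_reg(found))
```

Delete the DLL file itself separately (the thread uses KillBox with "Delete on Reboot" because winlogon holds it open); removing only the key leaves the file, removing only the file leaves a dangling package that Silent Runners reports as "[file not found]".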

#8 raw

raw

    Bleeping Hacker


  • Members
  • 2,577 posts
  • OFFLINE
  • Gender:Male
  • Location:Texas
  • Local time:02:04 AM

Posted 13 December 2004 - 08:21 PM

Please download and run Silent Runners.vbs: http://www.silentrunners.org/

If you have a script blocking program you will get a warning asking if you want to allow Silent Runners.vbs to run. Allow the script to run.

Post the log please and a new hijackthis log.



#9 Rockhead

Rockhead
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:04 AM

Posted 13 December 2004 - 10:51 PM

RAW - THANK YOU for all your time and effort, here is the updated information:

1. LSP Fix shows:
mswsock.dll TCPIP
winrnr.dll NTDS
rsvpsp.dll (Protocol Handler)

2. Silent Runners Log

"Silent Runners.vbs", revision 28, launched at: 22:45
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP SP2


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WinTools" = "C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"WinTools" = "C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{87766247-311C-43B4-8499-3D5FEC94A183}\(Default) = (no title provided)
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "&Links"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Thumbnail Image"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{568804CA-CBD7-11d0-9816-00C04FD91972}" = "Menu Shell Folder"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\SYSTEM32\SHDOCVW.DLL" [MS]
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Shell Menu DeskBar"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Shell Menu BandSite"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 DragDrop Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Context Menu Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.2 Property Sheet Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{F83E4B73-C1D5-44EF-9B75-3837F42BF7CB}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\dacprop.dll" [file not found]
"{71035DB4-D087-4E81-AF28-E27A3F0A4B03}" = ""
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\guard.tmp" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Nls\DLLName" = "C:\WINDOWS\system32\jt4o07h3e.dll" [file not found]
INFECTION WARNING! "Setup\DLLName" = "(no data)" [file not found]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [file not found]
"Uninstall Expiration Reminder" -> launches: "C:\WINDOWS\System32\OOBE\oobebaln.exe /sys /u /n:1" [MS]
"Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~3\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"Spybot - Search & Destroy - Scheduled Task" -> launches: "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe /AUTOCHECK" ["Safer Networking Limited"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton Internet Security Accounts Manager, NISUM, "C:\Program Files\Norton Internet Security\NISUM.EXE" ["Symantec Corporation"]
Norton Internet Security Proxy Service, SymProxySvc, "C:\Program Files\Norton Internet Security\SymProxySvc.exe" ["Symantec Corporation"]
Norton Internet Security Service, NISSERV, "C:\Program Files\Norton Internet Security\NISSERV.EXE" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, ""C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE"" ["Symantec Corporation"]
Security Center, wscsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wscsvc.dll" [MS]}
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
SymWMI Service, SymWSC, "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe" ["Symantec Corporation"]
WinTools for IE service, WinToolsSvc, "C:\Program Files\Common Files\WinTools\WToolsS.exe" [null data]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

3. HijackThis Log

Logfile of HijackThis v1.98.2
Scan saved at 10:51:15 PM, on 12/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

#10 raw

Posted 13 December 2004 - 11:46 PM

You may want to print out these directions as the Internet will not be available. Please continue with the next step if you run into a problem with the current one. Just be sure to let us know what the problem was when you reply.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please download About:Buster from here: About:Buster Download. Once it is downloaded extract it to
c:\aboutbuster. We will use that program later in this process.

Disconnect from the internet

Reboot your computer into Safe Mode and follow these steps:

Press control-alt-delete to get into the task manager and end the following processes if they exist:

WToolsA.exe
WToolsS.exe
WSup.exe


Then close all programs and windows and run hijackthis. Put a checkmark next to each of these entries and press the fix button when ready:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot


I now need you to delete the following files:

C:\PROGRA~1\COMMON~1\WinTools <-This Folder

If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again.



Copy the contents of the Quote Box below to Notepad.
Name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Nls]


Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.



This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe. When the tool is open, press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.


Reboot your computer back to normal mode and post a new log.


 rawcreations.net          @raw_creations


Current systems: WHAT OS, BackTrack-raw, PCLinuxOS, Peppermint OS 6, Kali Linux

and a custom Linux From Scratch server hosting a bunch of top secret stuff.
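As an added example (not part of this thread, of HijackThis or of Silent Runners), a Python triage of the log line formats shown above: it flags the HOSTS redirects, the unnamed BHO, the autoruns launching from the same folder as that BHO, and the Winlogon\Notify entries pointing at missing DLLs, and emits the REGEDIT4 deletion file that raw's post builds by hand. The sample input is constructed from the entries in this thread; the severity labels and the folder-correlation heuristic are my assumptions.

```python
import re

# Constructed sample input: the entries this thread discusses, in HijackThis (O1/O2/O4) and Silent Runners formats.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
INFECTION WARNING! "Nls\DLLName" = "C:\WINDOWS\system32\jt4o07h3e.dll" [file not found]
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-F-]{36}\}) - (.+)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
NOTIFY_RE = re.compile(r'^INFECTION WARNING! "([^\\]+)\\DLLName" = "([^"]*)" \[file not found\]')
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

def triage(log):
    """Return (findings, notify_subkeys); each finding is (severity, reason, line)."""
    findings, notify, runs, suspect_dirs = [], [], [], set()
    for line in log.splitlines():
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            # Blocklists point names at loopback; a routable address in HOSTS silently redirects that host.
            if not (ip.startswith("127.") or ip == "0.0.0.0"):
                findings.append(("high", f"HOSTS redirects {host} to {ip}", line))
        elif m := BHO_RE.match(line):
            name, clsid, path = m.groups()
            if name == "(no name)":
                findings.append(("high", f"unnamed BHO {clsid} -> {path}", line))
                suspect_dirs.add(path.rsplit("\\", 1)[0].lower())
        elif m := RUN_RE.match(line):
            runs.append((m.groups(), line))
        elif m := NOTIFY_RE.match(line):
            subkey, dll = m.groups()
            notify.append(subkey)
            findings.append(("high", f"Winlogon Notify\\{subkey} loads missing {dll}", line))
    # Correlate autoruns with the folder of a flagged BHO (WToolsA.exe sits beside WToolsB.dll).
    for (hive, key, name, cmd), line in runs:
        if cmd.rsplit("\\", 1)[0].lower() in suspect_dirs:
            findings.append(("high", f"{hive} {key} [{name}] launches from a flagged folder", line))
    return findings, notify

def removal_reg(subkeys):
    """REGEDIT4 text deleting the given Winlogon\\Notify subkeys; the leading '-' means delete the key."""
    lines = ["REGEDIT4", ""]
    for sub in subkeys:
        lines += [f"[-{NOTIFY_KEY}\\{sub}]", ""]
    return "\r\n".join(lines)
```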


#11 Rockhead

Posted 14 December 2004 - 10:47 PM

RAW, thanks again for all the help - here's the updated log:

Logfile of HijackThis v1.98.2
Scan saved at 10:37:49 PM, on 12/14/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

#12 raw

Posted 15 December 2004 - 02:15 PM

Although it's not a complete log, it should be clean :thumbsup:
No unusual O4 lines?
Browsing and computer back to normal?



#13 Rockhead

Posted 15 December 2004 - 10:17 PM

RAW, here's the complete file (I may have terminated a few too many items in Hijack This due to frustration)...but all appears normal. Your help was invaluable.

Logfile of HijackThis v1.98.2
Scan saved at 10:14:46 PM, on 12/15/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\Program Files\KaZaA Lite\KazaaLite.kpp
C:\HJT\HijackThis.exe

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
