HJT Log - touse


105 replies to this topic

#31 Grinler (Lawrence Abrams), Admin, 43,666 posts, Location: USA

Posted 28 December 2004 - 07:28 PM

I am sorry..the link should have been http://www.bleepingcomputer.com/files/killbox.php


#32 touse (Topic Starter), Members, 173 posts

Posted 28 December 2004 - 09:03 PM

I executed your instructions, Grinler, but it looks like I might've done something wrong.

After clicking Yes to the pending operations prompt I received the (usual) message: "PendingFileRenameOperations Registry Data has been Removed by External Process". I clicked OK (the only option offered). Again, the computer didn't reboot automatically: I had to close the Killbox by clicking the X and restart the computer manually.

I made the internet connection. Then I ran find.bat. After about 10 minutes I got the message:

"Winnlog.EXE has generated errors and will be closed down by windows. You will need to restart the program. An error log is being created."

Upon which the computer shut down and rebooted automatically. I ran Find.bat again - this time before making the internet connection.

To sum up things: the computer was restarted twice, which goes against your instructions: "Do not reboot more than once as the Guard.tmp will probably recreate on reboot". I guess I should not have made the internet connection prior to starting Find.bat. Mea culpa. :thumbsup:


Here's the Find.bat output.txt of the second attempt:


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\BESTfindbat\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

29/12/2004 02:14 223.125 spcsdk32.dll
29/12/2004 02:14 224.409 m482lelo1hqc.dll
29/12/2004 02:01 223.125 sssbkup.dll
29/12/2004 01:58 224.972 mv64l9jq1.dll
28/12/2004 18:55 224.972 krdic.dll
28/12/2004 18:55 223.125 irl8l53u1.dll
26/12/2004 22:56 225.896 bpowseui.dll
24/12/2004 22:13 225.759 shmmon.dll
24/12/2004 00:14 224.972 pfxdll.dll
22/12/2004 22:54 224.972 msiavi32.dll
21/12/2004 23:17 223.232 mvpml9711.dll
20/12/2004 17:48 223.232 cobuireg.dll
17/12/2004 08:43 223.232 ruuteext.dll
16/12/2004 15:19 224.539 n82u0if9e82.dll
16/12/2004 15:19 223.389 jtnm0751e.dll
16/12/2004 08:49 223.232 stbrsrc.dll
16/12/2004 08:04 223.232 ktjql7151.dll
14/11/2004 23:24 <DIR> dllcache
17 File(s) 3.809.415 bytes
1 Dir(s) 1.739.880.448 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

29/12/2004 02:16 24.059 Ffastlog.txt
14/11/2004 23:24 <DIR> dllcache
18/10/2002 12:41 <DIR> GroupPolicy
18/10/2002 12:29 21.692 folder.htt
18/10/2002 12:29 271 desktop.ini
3 File(s) 46.022 bytes
2 Dir(s) 1.739.888.128 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32


--------- Temp Files in System32 Directory --------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

06/12/1999 14:00 2.577 CONFIG.TMP
1 File(s) 2.577 bytes
0 Dir(s) 1.739.884.032 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{09885751-33EE-4FC5-9FEA-4A406B194A89}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\irl8l53u1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Client Access Service"="\"C:\\Program Files\\IBM\\Client Access\\CwbSvStr.Exe\""
"Client Access Help Update"="\"C:\\Program Files\\IBM\\Client Access\\cwbinhlp.exe\""
"Client Access Check Version"="\"C:\\Program Files\\IBM\\Client Access\\cwbckver.exe\" LOGIN"
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe"
"SetProxyAS2"="D:\\AnetLP\\Assurnet\\CeWeb\\RunREgOn.exe -f D:\\AnetLP\\Assurnet\\CeWeb\\ProxyPar.txt"
"F-Secure Manager"="\"D:\\AnetLP\\assurnet\\fsav\\Common\\FSM32.EXE\" /splash"
"startAS2"="D:\\AnetLP\\assurnet\\esd\\esdrun.exe D:\\AnetLP\\assurnet\\esd\\startas2.dws"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




The nasties are still there, aren't they? Should I re-execute your instructions?


touse
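The log above carries the two indicators a responder would key on. The System32 listing shows 17 DLLs of nearly the same size (223 to 226 KB) with random-looking names, and the Keys Under Notify export shows a CSCSettings subkey whose DllName is a full path, C:\WINNT\system32\irl8l53u1.dll, one of those 17 files, while every other Notify entry names a bare system DLL. Winlogon loads each Notify DLL into winlogon.exe at logon, which is what lets such a component survive a desktop-level delete and recreate its siblings at the next boot. The script below is an added example, not part of Find.bat, Killbox or this thread: it parses a constructed excerpt of such a log and flags both indicators. The sample excerpt, the 1.5% size tolerance and the minimum cluster size are assumptions chosen for illustration.

```python
"""Triage checks over a Find.bat log (added example, not Find.bat's own code).
1. System32 listing: a cluster of .dll files of near-identical size, the pattern
   the posted logs show (16-17 files, all between 223 and 226 KB).
2. Keys Under Notify: a Winlogon\\Notify subkey whose DllName is a full path;
   every legitimate entry in the posted logs is a bare module name, either as a
   plain string or as a hex(2) REG_EXPAND_SZ value.
The sample log is a constructed excerpt; the thresholds are assumptions."""
import re
from statistics import median

SAMPLE_LOG = r"""
------- System Files in System32 Directory -------
29/12/2004 02:14 223.125 spcsdk32.dll
29/12/2004 02:14 224.409 m482lelo1hqc.dll
28/12/2004 18:55 223.125 irl8l53u1.dll
16/12/2004 08:04 223.232 ktjql7151.dll
14/11/2004 23:24 <DIR> dllcache
4 File(s) 893.891 bytes

------------ Keys Under Notify ------------
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"DllName"="C:\\WINNT\\system32\\irl8l53u1.dll"
"Logon"="WinLogon"
"""

HEADER_RE = re.compile(r"^-{3,}\s*([^-\s].*?)\s*-{3,}$")
DIR_LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}) +(\S+) +(.+?)\s*$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
NOTIFY_MARKER = "\\Winlogon\\Notify\\"


def parse_sections(text):
    """Split Find.bat output into {section title: body} on its dashed headers."""
    sections, title = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            title = m.group(1)
            sections[title] = []
        elif title is not None:
            sections[title].append(line)
    return {k: "\n".join(v) for k, v in sections.items()}


def parse_dir_listing(body):
    """[(date, size_bytes, name)] from a `dir` listing; 223.125 (European
    thousands separator) is 223125 bytes. <DIR> and summary lines are skipped."""
    entries = []
    for line in body.splitlines():
        m = DIR_LINE_RE.match(line.strip())
        if m and m.group(3) != "<DIR>":
            size = int(m.group(3).replace(".", "").replace(",", ""))
            entries.append((m.group(1), size, m.group(4)))
    return entries


def find_size_cluster(entries, tolerance=0.015, minimum=3):
    """Names of .dll files within `tolerance` of the median DLL size.
    Unrelated DLLs rarely land within 1.5% of each other; a run of them does."""
    dlls = [e for e in entries if e[2].lower().endswith(".dll")]
    if len(dlls) < minimum:
        return []
    mid = median(size for _, size, _ in dlls)
    hits = [name for _, size, name in dlls if abs(size - mid) <= mid * tolerance]
    return hits if len(hits) >= minimum else []


def decode_reg_value(raw):
    """Decode a REGEDIT4 string or single-line hex(2) value to text."""
    raw = raw.strip()
    m = re.match(r"hex\(\d+\):(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b)
        return data.decode("latin-1").rstrip("\x00")
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")  # .reg escapes
    return raw


def parse_notify_dlls(body):
    """Map each Winlogon\\Notify subkey to its decoded DllName."""
    result, subkey = {}, None
    for line in body.splitlines():
        km = KEY_RE.match(line.strip())
        if km:
            path = km.group(1)
            subkey = path.split(NOTIFY_MARKER, 1)[1] if NOTIFY_MARKER in path else None
            continue
        vm = VALUE_RE.match(line.strip())
        if subkey and vm and vm.group(1).lower() == "dllname":
            result[subkey] = decode_reg_value(vm.group(2))
    return result


def flag_notify_paths(notify):
    """Notify DLLs given as a full path; the legitimate ones are bare names."""
    return {k: v for k, v in notify.items() if "\\" in v or "/" in v}


def triage(log_text):
    """Run both checks over one Find.bat log and return the hits."""
    sections = parse_sections(log_text)
    listing = parse_dir_listing(sections.get("System Files in System32 Directory", ""))
    notify = parse_notify_dlls(sections.get("Keys Under Notify", ""))
    return {"size_cluster": find_size_cluster(listing),
            "notify_paths": flag_notify_paths(notify)}
```

Running `triage(SAMPLE_LOG)` reports all four DLLs as one size cluster and CSCSettings as the only Notify entry with a path. On the full logs in this thread the same two checks would pull out the 16 or 17 files of the cluster and, after post #38, the renamed ShellServiceObjectDelayLoad subkey pointing at m482lelo1hqc.dll.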

#33 Grinler (Lawrence Abrams), Admin, 43,666 posts, Location: USA

Posted 29 December 2004 - 11:06 AM

Let's do this a little differently this time.

Please print out these instructions as you will be required to reboot your computer at times. Please read these directions before you proceed so that you understand what you will be doing.

Step 1:

Download the Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Select the Standard File Kill option and put a checkmark in the End Explorer shell while killing file checkbox if it is not checked. Make sure the End Explorer shell while killing file checkbox is checked as it clears each time you do these steps.
  • Paste this file into the top Full Path of File to Delete field.

    c:\windows\system32\spcsdk32.dll

  • Click the Delete File button which looks like a stop sign.
  • Click Yes at the Backup and Replace prompt.

Repeat step 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.

c:\windows\system32\m482lelo1hqc.dll
c:\windows\system32\sssbkup.dll
c:\windows\system32\mv64l9jq1.dll
c:\windows\system32\krdic.dll
c:\windows\system32\irl8l53u1.dll
c:\windows\system32\bpowseui.dll
c:\windows\system32\shmmon.dll
c:\windows\system32\pfxdll.dll
c:\windows\system32\msiavi32.dll
c:\windows\system32\mvpml9711.dll
c:\windows\system32\cobuireg.dll
c:\windows\system32\ruuteext.dll
c:\windows\system32\n82u0if9e82.dll
c:\windows\system32\jtnm0751e.dll
c:\windows\system32\stbrsrc.dll
c:\windows\system32\ktjql7151.dll
C:\WINDOWS\System32\Guard.tmp

If a file fails to delete, please write down that file name.

Step 2:


Please run Findit again and post the resulting log. Remember it may take quite a bit of time before the log appears. So be patient.

#34 touse (Topic Starter), Members, 173 posts

Posted 29 December 2004 - 02:19 PM

The killbox link didn't work, Grinler. I used the link you posted above.

None of the files "deleted" since none of them seem to "exist". After clicking the Killbox delete sign, I got the following message for each and every file I pasted into the box: "File error. This file does not seem to exist." You get one option, namely to click OK, which I then did. When I checked the properties of the files in the killbox the following message appeared for each file: "Cannot find the file "c:\filename" (or one of its components). Make sure the path and filename are correct and that all required libraries are available."

The new Find.bat Output.txt:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\BESTfindbat\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

29/12/2004 02:14 223.125 spcsdk32.dll
29/12/2004 02:14 224.409 m482lelo1hqc.dll
29/12/2004 01:58 224.972 mv64l9jq1.dll
28/12/2004 18:55 224.972 krdic.dll
28/12/2004 18:55 223.125 irl8l53u1.dll
26/12/2004 22:56 225.896 bpowseui.dll
24/12/2004 22:13 225.759 shmmon.dll
24/12/2004 00:14 224.972 pfxdll.dll
22/12/2004 22:54 224.972 msiavi32.dll
21/12/2004 23:17 223.232 mvpml9711.dll
20/12/2004 17:48 223.232 cobuireg.dll
17/12/2004 08:43 223.232 ruuteext.dll
16/12/2004 15:19 224.539 n82u0if9e82.dll
16/12/2004 15:19 223.389 jtnm0751e.dll
16/12/2004 08:49 223.232 stbrsrc.dll
16/12/2004 08:04 223.232 ktjql7151.dll
14/11/2004 23:24 <DIR> dllcache
16 File(s) 3.586.290 bytes
1 Dir(s) 1.706.668.032 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

29/12/2004 02:16 24.059 Ffastlog.txt
14/11/2004 23:24 <DIR> dllcache
18/10/2002 12:41 <DIR> GroupPolicy
18/10/2002 12:29 21.692 folder.htt
18/10/2002 12:29 271 desktop.ini
3 File(s) 46.022 bytes
2 Dir(s) 1.706.675.712 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32


--------- Temp Files in System32 Directory --------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

06/12/1999 14:00 2.577 CONFIG.TMP
1 File(s) 2.577 bytes
0 Dir(s) 1.706.671.616 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{09885751-33EE-4FC5-9FEA-4A406B194A89}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\irl8l53u1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Client Access Service"="\"C:\\Program Files\\IBM\\Client Access\\CwbSvStr.Exe\""
"Client Access Help Update"="\"C:\\Program Files\\IBM\\Client Access\\cwbinhlp.exe\""
"Client Access Check Version"="\"C:\\Program Files\\IBM\\Client Access\\cwbckver.exe\" LOGIN"
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe"
"SetProxyAS2"="D:\\AnetLP\\Assurnet\\CeWeb\\RunREgOn.exe -f D:\\AnetLP\\Assurnet\\CeWeb\\ProxyPar.txt"
"F-Secure Manager"="\"D:\\AnetLP\\assurnet\\fsav\\Common\\FSM32.EXE\" /splash"
"startAS2"="D:\\AnetLP\\assurnet\\esd\\esdrun.exe D:\\AnetLP\\assurnet\\esd\\startas2.dws"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




This is turning out to be one smart, elusive piece of malware, isn't it? As far as I understand it either fools the computer into thinking these files don't exist -- using a Klingon Cloaking Device? :thumbsup: -- or it creates ("hides" in?) a different file after every reboot - the current file somehow eluding detection, while the old file is being cast off as an empty shell, all these empty shells gradually eating up memory.

A thought - and I guess a very naive one at that - but you remember I mentioned in my first post that a lot of ads get redirected to our pc through this http://c.azjmp.com. Would it help if I were to have a look at that site, maybe trying to find some uninstallation instructions (not that there would be any)? Or is that about the stupidest thing I could do, as in downloading more nasties guaranteed?

Another thought: files prevented from being deleted, could that have something to do with passwords? I know some parts of the computer are only accessible via (administrator) passwords?


touse

PS. Me: :inlove: --> :) --> :flowers: --> :trumpet: --> :idea: --> :cool: --> :bike: --> ??

#35 Grinler (Lawrence Abrams), Admin, 43,666 posts, Location: USA

Posted 30 December 2004 - 11:16 AM

Every time you reboot these files are changing which could be what the problem is. Please post a brand new findit log and DO NOT reboot your computer or log off your computer until you hear back from me.

#36 touse (Topic Starter), Members, 173 posts

Posted 30 December 2004 - 04:41 PM

The internet connection was dropped again, so I had to log off and log back on again to reconnect. After that I ran Find.bat.

PS. Yesterday, in an attempt to curb the flood of advertisements, I added http://c.azjmp.com and some of the ads' URLs to the list of restricted internet sites. It had some effect in that, since then, I haven't seen any of the ads that are usually directed to our pc through c.azjmp. Instead a white screen appears with the c.azjmp URL.

Here's the new find.bat output.txt:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\BESTfindbat\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

30/12/2004 21:56 223.125 guard.tmp
29/12/2004 02:14 224.409 m482lelo1hqc.dll
29/12/2004 01:58 224.972 mv64l9jq1.dll
28/12/2004 18:55 224.972 krdic.dll
28/12/2004 18:55 223.125 irl8l53u1.dll
26/12/2004 22:56 225.896 bpowseui.dll
24/12/2004 22:13 225.759 shmmon.dll
24/12/2004 00:14 224.972 pfxdll.dll
22/12/2004 22:54 224.972 msiavi32.dll
21/12/2004 23:17 223.232 mvpml9711.dll
20/12/2004 17:48 223.232 cobuireg.dll
17/12/2004 08:43 223.232 ruuteext.dll
16/12/2004 15:19 224.539 n82u0if9e82.dll
16/12/2004 15:19 223.389 jtnm0751e.dll
16/12/2004 08:49 223.232 stbrsrc.dll
16/12/2004 08:04 223.232 ktjql7151.dll
14/11/2004 23:24 <DIR> dllcache
16 File(s) 3.586.290 bytes
1 Dir(s) 1.736.671.744 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

30/12/2004 21:57 24.102 Ffastlog.txt
14/11/2004 23:24 <DIR> dllcache
18/10/2002 12:41 <DIR> GroupPolicy
18/10/2002 12:29 21.692 folder.htt
18/10/2002 12:29 271 desktop.ini
3 File(s) 46.065 bytes
2 Dir(s) 1.736.679.424 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

30/12/2004 21:56 223.125 guard.tmp
1 File(s) 223.125 bytes
0 Dir(s) 1.736.679.424 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

30/12/2004 21:56 223.125 guard.tmp
06/12/1999 14:00 2.577 CONFIG.TMP
2 File(s) 225.702 bytes
0 Dir(s) 1.736.675.328 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{09885751-33EE-4FC5-9FEA-4A406B194A89}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\irl8l53u1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Client Access Service"="\"C:\\Program Files\\IBM\\Client Access\\CwbSvStr.Exe\""
"Client Access Help Update"="\"C:\\Program Files\\IBM\\Client Access\\cwbinhlp.exe\""
"Client Access Check Version"="\"C:\\Program Files\\IBM\\Client Access\\cwbckver.exe\" LOGIN"
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe"
"SetProxyAS2"="D:\\AnetLP\\Assurnet\\CeWeb\\RunREgOn.exe -f D:\\AnetLP\\Assurnet\\CeWeb\\ProxyPar.txt"
"F-Secure Manager"="\"D:\\AnetLP\\assurnet\\fsav\\Common\\FSM32.EXE\" /splash"
"startAS2"="D:\\AnetLP\\assurnet\\esd\\esdrun.exe D:\\AnetLP\\assurnet\\esd\\startas2.dws"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




touse

#37 Grinler (Lawrence Abrams), Admin, 43,666 posts, Location: USA

Posted 30 December 2004 - 05:12 PM

Please print out these instructions as you will be required to reboot your computer at times. Please read these directions before you proceed so that you understand what you will be doing.

Step 1:

Download the Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Select the Replace on Reboot option and put a checkmark in the Use Dummy checkbox if it is not checked. Make sure the Use Dummy checkbox is checked as it clears each time you do these steps.
  • Paste this file into the top Full Path of File to Delete field.

    c:\winnt\system32\m482lelo1hqc.dll

  • Click the Delete File button which looks like a stop sign.
  • Click Yes at the Replace on Reboot prompt.
  • Click No at the Pending Operations prompt.

Repeat step 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.

c:\winnt\system32\mv64l9jq1.dll
c:\winnt\system32\krdic.dll
c:\winnt\system32\irl8l53u1.dll
c:\winnt\system32\bpowseui.dll
c:\winnt\system32\shmmon.dll
c:\winnt\system32\pfxdll.dll
c:\winnt\system32\msiavi32.dll
c:\winnt\system32\mvpml9711.dll
c:\winnt\system32\cobuireg.dll
c:\winnt\system32\ruuteext.dll
c:\winnt\system32\n82u0if9e82.dll
c:\winnt\system32\jtnm0751e.dll
c:\winnt\system32\stbrsrc.dll
c:\winnt\system32\ktjql7151.dll
C:\winnt\System32\Guard.tmp

After you add the last file, Guard.tmp, and it prompts to reboot, you should press the Yes button to allow it to do so.


Do not reboot more than once as the Guard.tmp will probably recreate on reboot but will be an easy kill this time.


Step 2:


Please run Findit again and post the resulting log. Remember it may take quite a bit of time before the log appears. So be patient.
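The Replace on Reboot path sidesteps a DLL that Winlogon has already loaded: rather than deleting the file now, Killbox queues the operation in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, the value its error message in post #32 named, and Session Manager processes that list at the start of the next boot, before Winlogon runs. Answering No at the Pending Operations prompt for all but the last file is what lets the whole batch accumulate in that one value and be applied in a single reboot. The script below is an added example, not Killbox's code or part of this thread: it decodes the value's REG_MULTI_SZ layout into source/destination pairs (an empty destination means delete) and checks whether an expected set of deletions is still queued, which is the condition behind the "Removed by External Process" message. The key path and the pair layout are standard Windows behaviour; the byte values are constructed here, not read from a live registry.

```python
r"""Decode PendingFileRenameOperations and check that queued deletes survived.

Added example for this thread; not Killbox's code. Delete-on-reboot tools queue
work through the PendingFileRenameOperations value (REG_MULTI_SZ) under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which Session Manager
applies early in boot, before Winlogon loads its Notify DLLs. The value holds
source/destination pairs; an empty destination means delete, the \??\ prefix
marks an NT-native path and a leading ! marks replace-existing. The value
bytes below are constructed, not read from a live registry."""

REG_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
REG_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"


def encode_multi_sz(strings):
    """REG_MULTI_SZ: UTF-16LE, each string NUL-terminated, list NUL-terminated."""
    return ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le")


def decode_multi_sz(data):
    """Inverse of encode_multi_sz; keeps empty strings, which here mean delete."""
    text = data.decode("utf-16-le")
    if text.endswith("\x00"):
        text = text[:-1]                      # drop the list terminator
    items = text.split("\x00")
    return items[:-1] if items[-1] == "" else items


def win32_path(entry):
    r"""Strip the replace-existing flag and NT prefix: !\??\C:\x becomes C:\x."""
    entry = entry[1:] if entry.startswith("!") else entry
    return entry[len(NT_PREFIX):] if entry.startswith(NT_PREFIX) else entry


def parse_pending_operations(data):
    """[(source, destination)] with destination "" meaning delete at boot."""
    items = decode_multi_sz(data)
    if len(items) % 2:
        raise ValueError("value must hold source/destination pairs")
    return [(win32_path(s), win32_path(d)) for s, d in zip(items[0::2], items[1::2])]


def queued_deletes(data):
    """Paths the next boot will delete, in queue order."""
    return [src for src, dst in parse_pending_operations(data) if dst == ""]


def missing_deletes(expected, data):
    """Expected deletions that are no longer queued: the situation Killbox
    reports as 'PendingFileRenameOperations Registry Data has been Removed by
    External Process'. Paths compare case-insensitively, as NTFS does."""
    queued = {p.lower() for p in queued_deletes(data)}
    return [p for p in expected if p.lower() not in queued]


# Constructed sample: two of the thread's files queued for delete-on-reboot,
# and the same value after something else has emptied it.
TO_DELETE = [r"C:\winnt\system32\m482lelo1hqc.dll", r"C:\winnt\system32\Guard.tmp"]
QUEUED_VALUE = encode_multi_sz(x for p in TO_DELETE for x in (NT_PREFIX + p, ""))
EMPTIED_VALUE = encode_multi_sz([])

if __name__ == "__main__":
    print(parse_pending_operations(QUEUED_VALUE))
    print("missing after tamper:", missing_deletes(TO_DELETE, EMPTIED_VALUE))
```

Reading the value back immediately after queuing the batch, and again just before rebooting, is the check a responder would add to this procedure: if `missing_deletes` is non-empty, something on the machine is clearing the queue, which is exactly the situation the earlier attempt ran into.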

#38 touse (Topic Starter), Members, 173 posts

Posted 30 December 2004 - 06:35 PM

Oh my, what do I spy with my little eye: NO MORE DREADED FILES!!

What did we do different this time? The computer rebooted by itself (!) after I clicked Yes to the killbox reboot prompt! I don't know if this is significant but before I clicked YES to the reboot prompt I made sure that Killbox was the only window open on my desktop, whereas before I sometimes still had the registry open (from which I opened killbox.exe), or even a browser window.

I imagine there's still a lot of cleaning to do. But getting a result after trying for days is EXCITING. I'd say, Kill those beasts!

Here's the new Find.bat output.txt:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\BESTfindbat\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

14/11/2004 23:24 <DIR> dllcache
0 File(s) 0 bytes
1 Dir(s) 1.744.847.360 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

30/12/2004 23:51 24.145 Ffastlog.txt
14/11/2004 23:24 <DIR> dllcache
18/10/2002 12:41 <DIR> GroupPolicy
18/10/2002 12:29 21.692 folder.htt
18/10/2002 12:29 271 desktop.ini
3 File(s) 46.108 bytes
2 Dir(s) 1.744.847.360 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

30/12/2004 23:45 56 Guard.tmp
1 File(s) 56 bytes
0 Dir(s) 1.744.847.360 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

30/12/2004 23:45 56 Guard.tmp
06/12/1999 14:00 2.577 CONFIG.TMP
2 File(s) 2.633 bytes
0 Dir(s) 1.744.843.264 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{09885751-33EE-4FC5-9FEA-4A406B194A89}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\m482lelo1hqc.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Client Access Service"="\"C:\\Program Files\\IBM\\Client Access\\CwbSvStr.Exe\""
"Client Access Help Update"="\"C:\\Program Files\\IBM\\Client Access\\cwbinhlp.exe\""
"Client Access Check Version"="\"C:\\Program Files\\IBM\\Client Access\\cwbckver.exe\" LOGIN"
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe"
"SetProxyAS2"="D:\\AnetLP\\Assurnet\\CeWeb\\RunREgOn.exe -f D:\\AnetLP\\Assurnet\\CeWeb\\ProxyPar.txt"
"F-Secure Manager"="\"D:\\AnetLP\\assurnet\\fsav\\Common\\FSM32.EXE\" /splash"
"startAS2"="D:\\AnetLP\\assurnet\\esd\\esdrun.exe D:\\AnetLP\\assurnet\\esd\\startas2.dws"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




Thank you, Grinler!

touse :thumbsup:

#39 touse (Topic Starter, Members, 173 posts)

Posted 01 January 2005 - 07:43 PM

The internet connection was dropped again. I had to reboot to restore it. Since this could have an effect on the find.bat log, here's a new one (still looks good, doesn't it?):

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\BESTfindbat\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

14/11/2004 23:24 <DIR> dllcache
0 File(s) 0 bytes
1 Dir(s) 1.718.061.056 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

02/01/2005 00:19 24.188 Ffastlog.txt
14/11/2004 23:24 <DIR> dllcache
18/10/2002 12:41 <DIR> GroupPolicy
18/10/2002 12:29 21.692 folder.htt
18/10/2002 12:29 271 desktop.ini
3 File(s) 46.151 bytes
2 Dir(s) 1.718.061.056 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

30/12/2004 23:45 56 Guard.tmp
1 File(s) 56 bytes
0 Dir(s) 1.718.061.056 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

30/12/2004 23:45 56 Guard.tmp
06/12/1999 14:00 2.577 CONFIG.TMP
2 File(s) 2.633 bytes
0 Dir(s) 1.718.056.960 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{09885751-33EE-4FC5-9FEA-4A406B194A89}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\m482lelo1hqc.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Client Access Service"="\"C:\\Program Files\\IBM\\Client Access\\CwbSvStr.Exe\""
"Client Access Help Update"="\"C:\\Program Files\\IBM\\Client Access\\cwbinhlp.exe\""
"Client Access Check Version"="\"C:\\Program Files\\IBM\\Client Access\\cwbckver.exe\" LOGIN"
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe"
"SetProxyAS2"="D:\\AnetLP\\Assurnet\\CeWeb\\RunREgOn.exe -f D:\\AnetLP\\Assurnet\\CeWeb\\ProxyPar.txt"
"F-Secure Manager"="\"D:\\AnetLP\\assurnet\\fsav\\Common\\FSM32.EXE\" /splash"
"startAS2"="D:\\AnetLP\\assurnet\\esd\\esdrun.exe D:\\AnetLP\\assurnet\\esd\\startas2.dws"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




#40 Grinler (Lawrence Abrams, Admin, 43,666 posts, USA)

Posted 01 January 2005 - 08:05 PM

Let's just say I am an idiot. For some reason I never realized you were running Windows 2000 and was typing in c:\windows instead of c:\winnt for deleting those files!!



Download killbox here:

KillBox


Unzip the folder to your desktop.

Start Killbox.exe

When it is open, enter c:\windows\system32\guard.tmp into the field labeled "Full path of file to delete".

Select the Delete on reboot option.

Then press the button that looks like a red circle with a white X in it.

Your computer will reboot and check to see if the file is gone.

Step 1:

Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{09885751-33EE-4FC5-9FEA-4A406B194A89}"=-

Double-click on the fix.reg file you saved on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.


Step 2:


Repair the Recycle bin:
Click Start, Run and type cmd. Press OK.

A DOS window will open.

Type the following and then press Enter after typing each one:

attrib -h -s c:\recycler

del c:\recycler

Close the window and REBOOT.

Check if the Recycle Bin is OK. Please report back.


Step 3:


Download VX2Finder from this link:

http://www.downloads.subratam.org/VX2Finder.exe

Run Vx2Finder and click on the Restore Policy button.


Step 4:


Post another find.bat log along with a new hijackthis log.
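
The fix.reg above deletes the rogue Winlogon\Notify subkey by hand, after picking it out of the find.bat output by eye. As an added example (not part of this thread, and not code from find.bat, Killbox or HijackThis), the Python script below does that triage automatically: it parses the "Keys Under Notify" section of a find.bat log (a REGEDIT4 export), decodes the hex(2) DllName values, compares each package's DLL against a baseline of Windows 2000 notification DLLs, and writes the same [-key] removal lines as the fix.reg in this post. The baseline set and the registry prefix are assumptions; the sample export is an excerpt of the log posted above.

```python
import re

# Assumed baseline: the Winlogon notification DLLs that ship with Windows 2000,
# matching the six legitimate subkeys visible in the find.bat logs in this thread.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll",
}
NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")

# Excerpt of the "Keys Under Notify" section posted above: three legitimate
# packages and the injected one.
SAMPLE_NOTIFY_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Logon"="SensLogonEvent"
"Safe"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\m482lelo1hqc.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"""


def decode_reg_value(raw):
    """Decode one .reg value: quoted string, hex(2):.. (REG_EXPAND_SZ bytes) or dword:.."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        # .reg files escape backslash and double quote with a backslash
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    m = re.match(r"hex(?:\(\d+\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.split(b"\x00", 1)[0].decode("latin-1")  # drop the NUL terminator
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    return raw


def parse_reg_export(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: decoded_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = decode_reg_value(raw)
    return keys


def find_suspicious_notify(keys):
    """Return [(key_path, dll)] for Notify packages outside the baseline.

    Two signals: a DLL basename that is not a known Windows 2000 notification
    package, and a DllName given as a full path (the legitimate packages are
    registered by bare name and loaded from system32)."""
    hits = []
    for key, values in keys.items():
        if not key.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        dll = next((str(v) for n, v in values.items() if n.lower() == "dllname"), None)
        if dll is None:
            continue
        basename = dll.rsplit("\\", 1)[-1].lower()
        if basename not in KNOWN_NOTIFY_DLLS or "\\" in dll:
            hits.append((key, dll))
    return hits


def build_fix_reg(hits):
    """Emit a REGEDIT4 script that deletes each flagged Notify subkey ([-key] syntax)."""
    lines = ["REGEDIT4", ""]
    lines += ["[-%s]" % key for key, _ in hits]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    found = find_suspicious_notify(parse_reg_export(SAMPLE_NOTIFY_EXPORT))
    for key, dll in found:
        print("suspicious: %s -> %s" % (key.rsplit("\\", 1)[-1], dll))
    print(build_fix_reg(found))
```

The check is keyed on DllName rather than on the subkey name on purpose: the rogue subkey here is called ShellServiceObjectDelayLoad, a name borrowed from a legitimate Explorer key so that it looks familiar, while the randomly named DLL under C:\WINNT\system32 is what gives it away. Merge the generated .reg only after confirming the flagged DLL is not something your own software registered.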

#41 touse (Topic Starter, Members, 173 posts)

Posted 01 January 2005 - 09:23 PM

I executed steps 1 and 2.

Step 1: I don't know if the Killbox fix worked. I again received the message "PendingFileRenameOperations Registry Data has been Removed by External Process", the computer didn't reboot automatically and I had to close the Killbox by clicking the X and reboot manually.

Step 2: The Recycle Bin seems OK. I deleted some superfluous items from the registry to test it and encountered no problem. Maybe one thing: when pressing the Empty the Recycle Bin button it took a little while longer for the bin to be emptied and its entries to disappear than it used to.

Now, I'm off to perform steps 3 and 4.


touse


PS Happy New Year, Grinler.

#42 touse (Topic Starter, Members, 173 posts)

Posted 01 January 2005 - 10:10 PM

I executed steps 3 and 4:

Step 3: After clicking the Restore Policy button a small window popped up: "Adminsitration Policy. Windows rebooted to complete the repair". I clicked OK and the computer rebooted.

Step 4: Here's the new Find.bat output.txt:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\BESTfindbat\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

14/11/2004 23:24 <DIR> dllcache
0 File(s) 0 bytes
1 Dir(s) 1.716.523.008 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

02/01/2005 03:35 24.317 Ffastlog.txt
14/11/2004 23:24 <DIR> dllcache
18/10/2002 12:41 <DIR> GroupPolicy
18/10/2002 12:29 21.692 folder.htt
18/10/2002 12:29 271 desktop.ini
3 File(s) 46.280 bytes
2 Dir(s) 1.716.523.008 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

30/12/2004 23:45 56 Guard.tmp
1 File(s) 56 bytes
0 Dir(s) 1.716.523.008 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is disk c
Volume Serial Number is 50B4-840A

Directory of C:\WINNT\System32

30/12/2004 23:45 56 Guard.tmp
06/12/1999 14:00 2.577 CONFIG.TMP
2 File(s) 2.633 bytes
0 Dir(s) 1.716.518.912 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------------ Locate.com Results ------------------

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Client Access Service"="\"C:\\Program Files\\IBM\\Client Access\\CwbSvStr.Exe\""
"Client Access Help Update"="\"C:\\Program Files\\IBM\\Client Access\\cwbinhlp.exe\""
"Client Access Check Version"="\"C:\\Program Files\\IBM\\Client Access\\cwbckver.exe\" LOGIN"
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe"
"SetProxyAS2"="D:\\AnetLP\\Assurnet\\CeWeb\\RunREgOn.exe -f D:\\AnetLP\\Assurnet\\CeWeb\\ProxyPar.txt"
"F-Secure Manager"="\"D:\\AnetLP\\assurnet\\fsav\\Common\\FSM32.EXE\" /splash"
"startAS2"="D:\\AnetLP\\assurnet\\esd\\esdrun.exe D:\\AnetLP\\assurnet\\esd\\startas2.dws"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




And the new HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 04:04:12, on 02/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
D:\AnetLP\assurnet\fsav\Anti-Virus\fsgk32st.exe
D:\AnetLP\assurnet\fsav\Anti-Virus\FSGK32.EXE
D:\AnetLP\assurnet\fsav\Anti-Virus\fssm32.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\Alcatel\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
D:\AnetLP\assurnet\fsav\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
D:\AnetLP\assurnet\fsav\Common\FSMA32.EXE
D:\AnetLP\AnetLC\Assurnet\APICOM\apicomLogon.exe
D:\AnetLP\assurnet\fsav\Common\FSMB32.EXE
D:\AnetLP\assurnet\fsav\Common\FCH32.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
D:\AnetLP\assurnet\fsav\Common\FNRB32.EXE
D:\AnetLP\assurnet\fsav\Common\FAMEH32.EXE
D:\AnetLP\AnetLC\Assurnet\Apicom\AsDaemon.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
D:\AnetLP\assurnet\fsav\Common\FIH32.EXE
D:\AnetLP\assurnet\fsav\Anti-Virus\fsav32.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ben.portima/index.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PORTIMA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.79.87.140:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = learningacademy.*;*.portima;www.ben.portima;*.assurnet;127.0.*;192.168.1.1;<local>
O1 - Hosts: 172.31.0.104 HASPROPAD99 #PRE
O1 - Hosts: 172.31.0.72 MAILANET1 #PRE
O1 - Hosts: 172.31.0.73 MAILANET2 #PRE
O1 - Hosts: 172.31.0.74 MAILANET3 #PRE
O1 - Hosts: 172.31.0.80 ESDANET1 #PRE
O1 - Hosts: 172.31.0.81 ESDANET2 #PRE
O1 - Hosts: 172.31.0.82 ESDANET3 #PRE
O1 - Hosts: 172.31.0.146 HASPROTAR01 #PRE
O1 - Hosts: 172.31.0.121 HTSASWAN1 #PRE
O1 - Hosts: 172.31.243.198 RB_TEMPO
O1 - Hosts: 212.79.87.30 HASPROCES01
O1 - Hosts: 212.79.87.30 pop.portima.be
O1 - Hosts: 212.79.87.30 smtp.portima.be
O1 - Hosts: 212.79.84.49 HASPROPAR04 #PRE
O1 - Hosts: 212.79.84.50 HASPROPAR03 #PRE
O1 - Hosts: 212.79.87.30 mail.portima.be
O1 - Hosts: 212.79.87.140 HASPROXY
O1 - Hosts: 212.79.84.39 learningacademy.portima.be
O1 - Hosts: 212.79.84.157 PcaHelper
O1 - Hosts: 212.79.84.46 fsecure.portima.be
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [SetProxyAS2] D:\AnetLP\Assurnet\CeWeb\RunREgOn.exe -f D:\AnetLP\Assurnet\CeWeb\ProxyPar.txt
O4 - HKLM\..\Run: [F-Secure Manager] "D:\AnetLP\assurnet\fsav\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [startAS2] D:\AnetLP\assurnet\esd\esdrun.exe D:\AnetLP\assurnet\esd\startas2.dws
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [System Soap Pro] C:\Program Files\System Soap Pro\soap.exe min
O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: CiscoConfigurator.lnk = D:\AnetLP\Assurnet\CiscoCfr\CiscoConfigurator.exe
O4 - Global Startup: Esd Check.lnk = D:\AnetLP\Assurnet\ESD\EsdCheck.exe
O4 - Global Startup: Logon Assurnet.lnk = D:\AnetLP\AnetLC\Assurnet\APICOM\apicomLogon.exe
O4 - Global Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Werkbalk.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office Maxie\Office\OSA9.EXE
O4 - Global Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O15 - Trusted Zone: http://www.agf.assurnet
O15 - Trusted Zone: http://www.agf2.assurnet
O15 - Trusted Zone: http://www.prolinknet.assurnet
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...429d2d2b4e511ef
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.olboap.fortisag.assurnet/ActiveX/smsx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/12b7b98998357127aa20/...ip/RdxIE601.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdcco...ad/IbmEgath.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://159.171.108.5/activex/AxisCamControl.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.dll
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://asp02.photoprintit.de/microsite/5/d...vex/XUpload.ocx
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggerne...oaderSigned.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Client Access Express, Opdracht op afstand - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - Unknown - D:\AnetLP\assurnet\fsav\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - D:\AnetLP\assurnet\fsav\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent - F-Secure Corporation. All Rights Reserved. - D:\AnetLP\assurnet\fsav\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent - F-Secure Corporation - D:\AnetLP\assurnet\fsav\Common\FSMA32.EXE
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: IomegaAccess - Unknown - C:\Program Files\Iomega\Tools_NT\iomegaaccess.exe (file missing)
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\Alcatel\ENTERN~1\app\pppoeservice.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe
O23 - Service: Iomega Active Disk - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe


touse

#43 Grinler (Lawrence Abrams, Admin, 43,666 posts, USA)

Posted 01 January 2005 - 11:45 PM

Print out these instructions and then close all windows including Internet Explorer.

Reboot your computer into Safe Mode


Delete the file c:\windows\system32\guard.tmp

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...429d2d2b4e511ef
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/12b7b98998357127aa20/...ip/RdxIE601.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.dll
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggerne...oaderSigned.cab


Then delete these files or directories (Do not be concerned if they do not exist)


C:\Program Files\VBouncer\
C:\Program Files\Forbes\

Reboot your computer to go back to normal mode and post a new log.
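
The O1 entries Grinler lists above were picked out of a hosts file that also carries a couple of dozen legitimate intranet mappings. As an added example (not from this thread and not HijackThis code), the Python script below does that sorting for a HijackThis log: it parses the O1 lines, keeps the duplicates, and flags an entry when its address lies outside the ranges this machine is known to use, when a third-party domain is pinned to such an address, or when the same line is repeated. The allowlisted name suffixes and the 212.79.84.0/22 range are assumptions made for this machine from the legitimate entries in the log; the sample is an excerpt of the log posted above.

```python
import ipaddress
import re
from collections import Counter

HOSTS_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

# Assumed allowlist for this machine: intranet name suffixes seen in the log,
# and the public range that serves the company servers (212.79.84.x and
# 212.79.87.x). Private and loopback addresses are trusted without a list.
TRUSTED_SUFFIXES = (".portima.be", ".portima", ".assurnet")
TRUSTED_NETS = [ipaddress.ip_network("212.79.84.0/22")]

# Excerpt of the HijackThis log posted above (one non-O1 line included to
# show that it is ignored).
SAMPLE_HJT_LOG = r"""
O1 - Hosts: 172.31.0.72 MAILANET1 #PRE
O1 - Hosts: 212.79.87.30 pop.portima.be
O1 - Hosts: 212.79.87.140 HASPROXY
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""


def parse_hosts_entries(log_text):
    """Return [(ip, hostname)] for every O1 line, keeping duplicates."""
    entries = []
    for line in log_text.splitlines():
        m = HOSTS_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def is_trusted_ip(ip_text):
    """Private, loopback, or inside one of the assumed managed ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not even a valid address: treat as untrusted
    return addr.is_private or addr.is_loopback or any(addr in net for net in TRUSTED_NETS)


def triage_hosts(entries):
    """Return [(ip, host, [reasons])] for entries a responder should look at."""
    counts = Counter(entries)
    findings = []
    for ip, host in sorted(counts):
        reasons = []
        trusted = is_trusted_ip(ip) or host.lower().endswith(TRUSTED_SUFFIXES)
        if not trusted:
            reasons.append("public address outside the managed ranges")
            if "." in host:
                reasons.append("third-party domain pinned in hosts")
        if counts[(ip, host)] > 1:
            reasons.append("duplicated %d times" % counts[(ip, host)])
        if reasons:
            findings.append((ip, host, reasons))
    return findings


def hjt_fix_lines(findings):
    """The O1 lines, one per unique entry, to tick in HijackThis."""
    return ["O1 - Hosts: %s %s" % (ip, host) for ip, host, _ in findings]


if __name__ == "__main__":
    found = triage_hosts(parse_hosts_entries(SAMPLE_HJT_LOG))
    for ip, host, reasons in found:
        print("%-15s %-22s %s" % (ip, host, "; ".join(reasons)))
    print("\n".join(hjt_fix_lines(found)))
```

The repetition is itself a signal: an administrator does not add the same line twenty-two times, an installer that keeps re-appending its entry does. HijackThis lists every copy separately, so tick each one when fixing, and re-run the scan afterwards to confirm nothing has re-added them.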

#44 touse (Topic Starter, Members, 173 posts)

Posted 02 January 2005 - 01:16 AM

The first file I had to delete ... I figured windows was a typo, so I deleted c:\WINNT\system32\guard.tmp instead.


Here's the new HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 07:10:11, on 02/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
D:\AnetLP\assurnet\fsav\Anti-Virus\fsgk32st.exe
D:\AnetLP\assurnet\fsav\Anti-Virus\FSGK32.EXE
D:\AnetLP\assurnet\fsav\Anti-Virus\fssm32.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\PROGRA~1\Alcatel\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Iomega\AutoDisk\ADService.exe
D:\AnetLP\assurnet\fsav\Common\FSMA32.EXE
D:\AnetLP\assurnet\fsav\Common\FSMB32.EXE
D:\AnetLP\assurnet\fsav\Common\FCH32.EXE
D:\AnetLP\assurnet\fsav\Common\FAMEH32.EXE
D:\AnetLP\assurnet\fsav\Common\FNRB32.EXE
D:\AnetLP\assurnet\fsav\Common\FIH32.EXE
D:\AnetLP\assurnet\fsav\Anti-Virus\fsav32.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
D:\AnetLP\assurnet\fsav\Common\FSM32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\AnetLP\AnetLC\Assurnet\APICOM\apicomLogon.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
D:\AnetLP\AnetLC\Assurnet\Apicom\AsDaemon.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ben.portima/index.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PORTIMA
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.79.87.140:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = learningacademy.*;*.portima;www.ben.portima;*.assurnet;127.0.*;192.168.1.1;<local>
O1 - Hosts: 172.31.0.104 HASPROPAD99 #PRE
O1 - Hosts: 172.31.0.72 MAILANET1 #PRE
O1 - Hosts: 172.31.0.73 MAILANET2 #PRE
O1 - Hosts: 172.31.0.74 MAILANET3 #PRE
O1 - Hosts: 172.31.0.80 ESDANET1 #PRE
O1 - Hosts: 172.31.0.81 ESDANET2 #PRE
O1 - Hosts: 172.31.0.82 ESDANET3 #PRE
O1 - Hosts: 172.31.0.146 HASPROTAR01 #PRE
O1 - Hosts: 172.31.0.121 HTSASWAN1 #PRE
O1 - Hosts: 172.31.243.198 RB_TEMPO
O1 - Hosts: 212.79.87.30 HASPROCES01
O1 - Hosts: 212.79.87.30 pop.portima.be
O1 - Hosts: 212.79.87.30 smtp.portima.be
O1 - Hosts: 212.79.84.49 HASPROPAR04 #PRE
O1 - Hosts: 212.79.84.50 HASPROPAR03 #PRE
O1 - Hosts: 212.79.87.30 mail.portima.be
O1 - Hosts: 212.79.87.140 HASPROXY
O1 - Hosts: 212.79.84.39 learningacademy.portima.be
O1 - Hosts: 212.79.84.157 PcaHelper
O1 - Hosts: 212.79.84.46 fsecure.portima.be
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [SetProxyAS2] D:\AnetLP\Assurnet\CeWeb\RunREgOn.exe -f D:\AnetLP\Assurnet\CeWeb\ProxyPar.txt
O4 - HKLM\..\Run: [F-Secure Manager] "D:\AnetLP\assurnet\fsav\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [startAS2] D:\AnetLP\assurnet\esd\esdrun.exe D:\AnetLP\assurnet\esd\startas2.dws
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [System Soap Pro] C:\Program Files\System Soap Pro\soap.exe min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: CiscoConfigurator.lnk = D:\AnetLP\Assurnet\CiscoCfr\CiscoConfigurator.exe
O4 - Global Startup: Esd Check.lnk = D:\AnetLP\Assurnet\ESD\EsdCheck.exe
O4 - Global Startup: Logon Assurnet.lnk = D:\AnetLP\AnetLC\Assurnet\APICOM\apicomLogon.exe
O4 - Global Startup: Microsoft Office Snelzoeken.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Werkbalk.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office Maxie\Office\OSA9.EXE
O4 - Global Startup: Office Opstarten.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O15 - Trusted Zone: http://www.agf.assurnet
O15 - Trusted Zone: http://www.agf2.assurnet
O15 - Trusted Zone: http://www.prolinknet.assurnet
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.olboap.fortisag.assurnet/ActiveX/smsx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdcco...ad/IbmEgath.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://159.171.108.5/activex/AxisCamControl.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://asp02.photoprintit.de/microsite/5/d...vex/XUpload.ocx
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Client Access Express, Opdracht op afstand - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - Unknown - D:\AnetLP\assurnet\fsav\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - D:\AnetLP\assurnet\fsav\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent - F-Secure Corporation. All Rights Reserved. - D:\AnetLP\assurnet\fsav\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent - F-Secure Corporation - D:\AnetLP\assurnet\fsav\Common\FSMA32.EXE
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: IomegaAccess - Unknown - C:\Program Files\Iomega\Tools_NT\iomegaaccess.exe (file missing)
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\Alcatel\ENTERN~1\app\pppoeservice.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe
O23 - Service: Iomega Active Disk - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe


touse :thumbsup:
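The log above is a HijackThis dump, and the reviewer's job is to pull out the handful of entries worth a second look (autostarts, services, ActiveX downloads, proxy and hosts overrides). The following is an added example, not code from touse, Grinler or the HijackThis project: a small parser for the Rx/Ox line formats seen in this thread plus a few review heuristics. The sample lines are copied from the log above so the parser is exercised on real formatting; the heuristics are prompts for a human reviewer, not verdicts (this log was judged clean), and startup-folder O4 entries of the form `Name.lnk = path` are kept as raw lines only.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample in HijackThis log format; lines are taken verbatim from the log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.79.87.140:80
O1 - Hosts: 212.79.87.30 pop.portima.be
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [System Soap Pro] C:\Program Files\System Soap Pro\soap.exe min
O15 - Trusted Zone: http://www.agf.assurnet
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://159.171.108.5/activex/AxisCamControl.cab
O23 - Service: pcAnywhere Host Service - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: IomegaAccess - Unknown - C:\Program Files\Iomega\Tools_NT\iomegaaccess.exe (file missing)
O23 - Service: PPPoE Service - Unknown - C:\PROGRA~1\Alcatel\ENTERN~1\app\pppoeservice.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# One body pattern per section with a fixed layout; other sections keep only the raw line.
BODY_RE = {
    "R0": re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$"),
    "R1": re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$"),
    "O1": re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)"),
    "O4": re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"),
    "O15": re.compile(r"^Trusted Zone: (?P<url>\S+)$"),
    "O16": re.compile(r"^DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"),
    "O23": re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$"),
}

Finding = Tuple[str, str, str]  # (section, reason, subject)


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Turn HijackThis entry lines into dicts; process-list lines and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entry = {"section": m["section"], "raw": line}
        pattern = BODY_RE.get(m["section"])
        fields = pattern.match(m["body"]) if pattern else None
        if fields:
            entry.update(fields.groupdict())
        entries.append(entry)
    return entries


def unquoted_path_with_spaces(cmd: str) -> bool:
    """True for a Run value like C:\\Program Files\\x\\y.exe args with no quotes around the path.
    CreateProcess tries each space-delimited prefix, so such a value is ambiguous."""
    if cmd.startswith('"'):
        return False
    exe_end = cmd.lower().find(".exe")
    return exe_end != -1 and " " in cmd[:exe_end]


def is_public_ip(ip: str) -> bool:
    """Hosts entries pointing at RFC1918/loopback space are usual on a LAN; public IPs deserve a check."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def review(entries: List[Dict[str, str]]) -> List[Finding]:
    """Apply reviewer heuristics; each finding is something to verify, not a malware verdict."""
    findings: List[Finding] = []
    for e in entries:
        sec = e["section"]
        if sec == "O23" and "path" in e:
            if e["path"].endswith("(file missing)"):
                findings.append((sec, "service binary missing on disk", e["name"]))
            elif e["vendor"] == "Unknown":
                findings.append((sec, "service binary has no recognised vendor", e["name"]))
        elif sec == "O16" and "url" in e and not e["url"].lower().startswith("https://"):
            findings.append((sec, "ActiveX control fetched over plain HTTP", e["url"]))
        elif sec == "O4" and "hive" in e and unquoted_path_with_spaces(e["cmd"]):
            findings.append((sec, "unquoted autostart path containing spaces", e["name"]))
        elif sec == "R1" and e.get("value") == "ProxyServer":
            findings.append((sec, "HTTP proxy configured; confirm it is the intended one", e["data"]))
        elif sec == "O1" and "ip" in e and is_public_ip(e["ip"]):
            findings.append((sec, "hosts file pins a name to a public IP", f'{e["host"]} -> {e["ip"]}'))
        elif sec == "O15" and "url" in e and not e["url"].lower().startswith("https://"):
            findings.append((sec, "Trusted Zone entry for a plain-HTTP site", e["url"]))
    return findings


def triage(text: str) -> List[Finding]:
    return review(parse_hjt(text))


if __name__ == "__main__":
    for section, reason, subject in triage(SAMPLE_LOG):
        print(f"{section:<4} {reason}: {subject}")
```

Run against the full log above, the same heuristics would also surface the `F-Secure Gatekeeper Handler Starter` service (vendor `Unknown`) and the other `http://` O16 downloads; on a corporate build like this one (proxy, hosts pins and trusted zones all pointing at the assurnet/portima infrastructure) those are expected, which is exactly the kind of context a parser cannot supply and a reviewer must.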

#45 Grinler (Lawrence Abrams), Admin

Posted 02 January 2005 - 06:20 PM

The first file I had to delete ... I figured windows was a typo, so I deleted c:\WINNT\system32\guard.tmp instead.

:thumbsup: Still not learning from my mistakes!

Log looks clean...great job!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to disable and re-enable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Commercial Spyware Removal/Protection Programs - If you feel more comfortable installing a commercial Spyware removal program then we recommend WebRoot's Spysweeper or Lavasoft's Ad-Aware Professional. There are many commercial products on the market, but unfortunately most are misleading and substandard. Both of the products we recommend here are proven to be excellent products and a worthy addition to the arsenal of software protecting your computer.

    Spysweeper Product Information
    Ad-Aware Pro Product Information


  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use AntiVirus Software - It is very important that your computer has antivirus software running. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings, which will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will be reduced dramatically.

Glad I was able to help.
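The Internet Explorer hardening steps in the post above are a GUI walk-through; on more than one machine you want the same six settings checked and applied from the registry instead. The following is an added example, not code from Grinler or BleepingComputer. It relies on two facts about IE's zone settings: per-user Internet-zone settings live under `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3`, and each setting is a DWORD named by the numeric action code Microsoft documents for URL security zones (1001, 1004, 1201, 1607, 1800, 1804 for the six settings named in the post) with data 0 = Enable, 1 = Prompt, 3 = Disable. `SAMPLE_CURRENT` is a constructed set of values standing in for what `reg query` on that key would return; the code only audits and renders a `.reg` file, it does not touch the registry itself.

```python
from typing import Dict, List, Tuple

# Zone 3 is the Internet zone; this is the per-user key IE reads for the settings below.
INTERNET_ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
ACTION_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Action code -> (label as shown in the Custom Level dialog, recommended action from the post).
RECOMMENDED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit_zone(current: Dict[str, int]) -> List[str]:
    """Return one line per setting that is weaker than recommended or not set at all.
    Restrictiveness orders Enable (0) < Prompt (1) < Disable (3), so a current
    value numerically below the recommended one is weaker."""
    problems = []
    for code, (label, wanted) in RECOMMENDED.items():
        have = current.get(code)
        if have is None:
            problems.append(f"{code} {label}: not set (zone default applies), want {ACTION_NAME[wanted]}")
        elif have < wanted:
            problems.append(f"{code} {label}: {ACTION_NAME.get(have, have)}, want {ACTION_NAME[wanted]}")
    return problems


def reg_file() -> str:
    """Render the recommended values as a .reg file for regedit or `reg import`."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{INTERNET_ZONE_KEY}]"]
    for code, (label, wanted) in RECOMMENDED.items():
        lines.append(f"; {label} = {ACTION_NAME[wanted]}")
        lines.append(f'"{code}"=dword:{wanted:08x}')
    return "\n".join(lines) + "\n"


# Constructed sample of values as read back from the key (assumption: a profile where
# unsigned ActiveX downloads are already disabled but signed downloads and IFRAME
# launches are still allowed, and 1607 has never been set).
SAMPLE_CURRENT = {"1001": ENABLE, "1004": DISABLE, "1201": DISABLE, "1800": PROMPT, "1804": ENABLE}

if __name__ == "__main__":
    for problem in audit_zone(SAMPLE_CURRENT):
        print(problem)
    print(reg_file())
```

A value that is absent from the user's key falls back to the zone template, so the audit reports it rather than assuming it is safe; importing the generated file sets all six explicitly, which is the state the GUI steps in the post leave you in.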



