HJL -cwyman

1 reply to this topic

#1 cwyman


  • Members
  • 14 posts

Posted 05 January 2005 - 09:34 AM

Hello, I know this user that I'm working with has the Umonitor infection. Here's the Find-it log and then the Hijack log.

Find-it Log

------- System Files in System32 Directory -------
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Raelynn\Desktop\for the virus stuff

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is A0A2-A5FF

Directory of C:\WINDOWS\System32

01/04/2005 03:11 PM 224,957 lvpu0979e.dll
01/04/2005 09:17 AM 225,401 enj6l11s1.dll
12/31/2004 02:02 PM 223,023 nyrssv.dll
12/31/2004 10:40 AM 223,931 uchisapi.dll
12/30/2004 03:29 PM 224,719 hr0205doe.dll
12/15/2004 07:59 AM <DIR> dllcache
12/27/2002 11:54 AM <DIR> Microsoft
5 File(s) 1,122,031 bytes
2 Dir(s) 29,394,673,664 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is A0A2-A5FF

Directory of C:\WINDOWS\System32

01/03/2005 10:19 AM <DIR> vmss
01/03/2005 10:19 AM <DIR> wsxsvc
12/15/2004 07:59 AM <DIR> dllcache
06/04/2002 12:59 PM 488 WindowsLogon.manifest
06/04/2002 12:59 PM 488 logonui.exe.manifest
06/04/2002 12:59 PM 749 nwc.cpl.manifest
06/04/2002 12:59 PM 749 ncpa.cpl.manifest
06/04/2002 12:59 PM 749 cdplayer.exe.manifest
06/04/2002 12:59 PM 749 sapi.cpl.manifest
06/04/2002 12:59 PM 749 wuaucpl.cpl.manifest
12/07/2001 07:49 PM 182,077 R_DK_PCL5E_600.csv
12/07/2001 07:49 PM 181,988 R_HK_PCL5E_600.csv
12/03/2001 03:11 PM 30,756 R_HK_RPCS_ALL.csv
12/03/2001 03:11 PM 30,782 R_DK_RPCS_ALL.csv
11/28/2001 04:13 PM 1,346 R_HK_RPDL_1200.csv
11/28/2001 04:13 PM 16,602 R_HK_RPDL_600.csv
11/28/2001 04:13 PM 16,600 R_DK_RPDL_600.csv
11/28/2001 04:13 PM 1,346 R_DK_RPDL_1200.csv
11/22/2001 02:39 PM 14,433 R_DK_RPDL_400.csv
11/22/2001 02:16 PM 3,155 R_DK_PCLXL_1200_11.csv
11/22/2001 02:16 PM 23,253 R_HK_PCL5E_300.csv
11/22/2001 02:16 PM 23,333 R_DK_PCL5E_300.csv
11/21/2001 04:32 PM 144,193 R_HK_PCLXL_600_11.csv
11/21/2001 04:31 PM 144,193 R_DK_PCLXL_600_11.csv
11/19/2001 02:31 PM 3,155 R_HK_PCLXL_1200_11.csv
11/19/2001 11:52 AM 14,428 R_HK_RPDL_400.csv
09/18/2001 01:40 PM 1,774 R_HK_IPDLC_ALL.csv
09/18/2001 01:40 PM 1,771 R_DK_IPDLC_ALL.csv
11/05/2000 08:57 PM 230 R_DHK_IPDLC_NOMEM.csv
26 File(s) 840,136 bytes
3 Dir(s) 29,394,673,664 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is A0A2-A5FF

Directory of C:\WINDOWS\System32

01/04/2005 03:46 PM 225,401 guard.tmp
1 File(s) 225,401 bytes
0 Dir(s) 29,394,673,664 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is A0A2-A5FF

Directory of C:\WINDOWS\System32

01/04/2005 03:46 PM 225,401 guard.tmp
10/02/2002 12:11 PM 180,800 sqlunirl.dll.tmp
02/13/2002 11:29 AM 270,608 odbcjt32.dll.tmp
02/13/2002 11:29 AM 53,520 odbcji32.dll.tmp
08/18/2001 05:00 AM 2,577 CONFIG.TMP
5 File(s) 732,906 bytes
0 Dir(s) 29,394,673,664 bytes free

---------------- User Agent ------------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

------------ Keys Under Notify ------------


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

------------------ Locate.com Results ------------------

fpj203~1.dll Mon Jan 3 2005 4:45:06p ..S.R 225,401 220.12 K
hr0205~1.dll Thu Dec 30 2004 3:29:22p ..S.R 224,719 219.45 K
lv2809~1.dll Tue Jan 4 2005 9:06:44a ..S.R 224,957 219.68 K
nyrssv.dll Fri Dec 31 2004 2:02:40p ..S.R 223,023 217.79 K
uchisapi.dll Fri Dec 31 2004 10:40:20a ..S.R 223,931 218.68 K

5 items found: 5 files, 0 directories.
Total of file sizes: 1,122,031 bytes 1.07 M

------------ Strings.exe Qoologic Results ------------

enj6l1~1.dll Tue Jan 4 2005 9:17:24a ..S.R 225,401 220.12 K
hr0205~1.dll Thu Dec 30 2004 3:29:22p ..S.R 224,719 219.45 K
lvpu09~1.dll Tue Jan 4 2005 3:11:28p ..S.R 224,957 219.68 K
nyrssv.dll Fri Dec 31 2004 2:02:40p ..S.R 223,023 217.79 K
uchisapi.dll Fri Dec 31 2004 10:40:20a ..S.R 223,931 218.68 K

5 items found: 5 files, 0 directories.
Total of file sizes: 1,122,031 bytes 1.07 M

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

-------------- Strings.exe Aspack Results -------------

----------------- HKLM Run Key ------------------


"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"JobHisInit"="C:\\Program Files\\RMClient\\JobHisInit.exe"
"MplSetUp"="C:\\Program Files\\RMClient\\MplSetUp.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Advanced Tools Check"="C:\\PROGRA~1\\NORTON~1\\AdvTools\\ADVCHK.EXE"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"





Hijack Log

Logfile of HijackThis v1.99.0
Scan saved at 3:56:48 PM, on 01/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ILTCQUOTE\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Office Tracker 4.0\alarmer.exe
C:\Program Files\RMClient\PMClient.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oemji.com/side_search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://esource.waddell.com/ICSLogin/?"https://esource.waddell.com/"
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oemji.com/side_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oemji.com/side_search.html
O1 - Hosts: ieautosearch
O1 - Hosts: auto.search.msn.com
O1 - Hosts: search.netscape.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: BlackICE Utility.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Office Tracker Alarmer.lnk = C:\Program Files\Office Tracker 4.0\alarmer.exe
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O4 - Global Startup: SQL Server.lnk = ?
O4 - Global Startup: strings.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10FBA3CF-2264-416B-90E5-6F7B751C60B8} (Siebel Option Pack for IE 7.0.5) - https://core.waddell.com/fins/14314/applets...lOptionPack.cab
O16 - DPF: {253A9D23-F982-11D4-8BE4-00D0B7E61414} (SiebelHTMLApplication Class) - https://core.waddell.com/fins/14314/applets/siebelhtml.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installshield.com/install/iftwclix.cab
O16 - DPF: {631F0C94-C02F-40AC-A31B-DDC39731FC81} (Siebel Option Pack for IE 7.0.4) - https://core.waddell.com/fins/14165/applets...lOptionPack.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://centra.waddell.com/SiteRoots/main/I...aDownloader.cab
O16 - DPF: {DBFF771D-3F92-4C70-9978-508738536F38} (CSConn Class) - https://core.waddell.com/fins/14314/applets/csagent.cab
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Just kind of a background on what's been happening:

The user has Ad-Aware. She updates once a week and runs it daily.
The user has BlackICE for SWFW and a Cisco router for HWFW.
The user also has Spy Sweeper loaded (although I believe it's the free version), and this is where she keeps getting two entries constantly:
  • auto.search.msn.com
  • search.netscape.com
Of course we delete them, and a few seconds later we get the same warning from Spy Sweeper.

I've run KillCWShredder and CWShredder, and those of course state that there is no CWShredder present.

I then ran ToolbarCop and disabled a couple of BHO items (I can't remember at the moment, but if you need me to get them, I can).

I then ran HijackThis and removed all of the ieautosearch entries and the two entries listed above, along with a couple of invalid or empty-file BHO entries.

Then I rebooted, and it was back to the same problems.

I'm sure there's some registry clean-up and file deletion that I'm overlooking, judging from the postings that I've read, but because this is so random, I thought I'd seek some more experienced people to help me out.

Your help is already greatly appreciated.


Carrie :thumbsup: (Icy here in the mid-west!!)
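An added illustration, not part of cwyman's post and not code from Findit, HijackThis or Killbox: the Findit log above carries a pattern a practitioner would want to check mechanically rather than by eye. Five DLLs in System32 carry the System and Read-only attributes (`..S.R`), all sit in a narrow size band (223,023 to 225,401 bytes), and the two scans a few hours apart list the same sizes under different random names (fpj203~1.dll becomes enj6l1~1.dll, lv2809~1.dll becomes lvpu09~1.dll), while guard.tmp is exactly 225,401 bytes, the size of one of those DLLs. The script below parses the Locate.com-style lines quoted from the post and flags that rotation and that size match. The size band, the attribute test and the two-scan comparison are this example's own heuristics, not something the tools on the page compute.

```python
"""Flag rotating same-size System+Read-only DLLs in Findit/Locate.com output.

Added example; the input lines below are copied from the Findit log in the
post above (two scans of the same machine, the "Locate.com Results" and the
"Strings.exe Qoologic Results" sections). The thresholds are assumptions
chosen to match that log, not values used by Findit itself.
"""
import re
from collections import defaultdict

# First scan ("Locate.com Results" section of the posted log).
SCAN_A = """\
fpj203~1.dll Mon Jan 3 2005 4:45:06p ..S.R 225,401 220.12 K
hr0205~1.dll Thu Dec 30 2004 3:29:22p ..S.R 224,719 219.45 K
lv2809~1.dll Tue Jan 4 2005 9:06:44a ..S.R 224,957 219.68 K
nyrssv.dll Fri Dec 31 2004 2:02:40p ..S.R 223,023 217.79 K
uchisapi.dll Fri Dec 31 2004 10:40:20a ..S.R 223,931 218.68 K
"""

# Second scan ("Strings.exe Qoologic Results" section of the same log).
SCAN_B = """\
enj6l1~1.dll Tue Jan 4 2005 9:17:24a ..S.R 225,401 220.12 K
hr0205~1.dll Thu Dec 30 2004 3:29:22p ..S.R 224,719 219.45 K
lvpu09~1.dll Tue Jan 4 2005 3:11:28p ..S.R 224,957 219.68 K
nyrssv.dll Fri Dec 31 2004 2:02:40p ..S.R 223,023 217.79 K
uchisapi.dll Fri Dec 31 2004 10:40:20a ..S.R 223,931 218.68 K
"""

# Size of guard.tmp from the "Files Named Guard" section of the log.
GUARD_TMP_SIZE = 225_401

# One Locate.com line: name, timestamp, five-character attribute field,
# byte count with thousands separators, then a rounded K/M figure.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+"
    r"(?P<date>\w{3} \w{3} \d{1,2} \d{4} [\d:]+[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+"
    r"(?P<size>[\d,]+)\s+[\d.]+ [KM]$"
)


def parse_locate(text):
    """Parse Locate.com-style lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "name": m["name"].lower(),
            "attrs": m["attrs"],
            "size": int(m["size"].replace(",", "")),
        })
    return entries


def suspicious(entries, lo=220_000, hi=230_000):
    """System+Read-only files whose size falls in the (assumed) band lo..hi."""
    return [e for e in entries
            if "S" in e["attrs"] and "R" in e["attrs"]
            and lo <= e["size"] <= hi]


def rotating_names(scan_a, scan_b):
    """Sizes seen in both scans but under a different set of names.

    Returns {size: (names_in_a, names_in_b)}; a payload that is re-dropped
    under a fresh random name between scans shows up here.
    """
    by_size_a, by_size_b = defaultdict(set), defaultdict(set)
    for e in suspicious(scan_a):
        by_size_a[e["size"]].add(e["name"])
    for e in suspicious(scan_b):
        by_size_b[e["size"]].add(e["name"])
    return {s: (by_size_a[s], by_size_b[s])
            for s in by_size_a.keys() & by_size_b.keys()
            if by_size_a[s] != by_size_b[s]}


def guard_match(entries, guard_size=GUARD_TMP_SIZE):
    """Names whose size equals guard.tmp exactly (same bytes, different name)."""
    return [e["name"] for e in entries if e["size"] == guard_size]


if __name__ == "__main__":
    a, b = parse_locate(SCAN_A), parse_locate(SCAN_B)
    for size, (names_a, names_b) in sorted(rotating_names(a, b).items()):
        print(f"{size:,} bytes: {sorted(names_a)} -> {sorted(names_b)}")
    print("same size as guard.tmp:", guard_match(a) + guard_match(b))
```

Two caveats when reading the result. Locate.com prints 8.3 short names, so `lvpu09~1.dll` is the `lvpu0979e.dll` from the directory listing further up; match on size and attributes first and resolve the long name from the `dir` section before deleting anything. And a size band is only a heuristic: as the Findit banner itself warns, a legitimate file can land in the same range, so a hit is a lead to confirm, not a verdict.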

#2 Grinler


    Lawrence Abrams

  • Admin
  • 43,389 posts
  • Gender:Male
  • Location:USA

Posted 06 January 2005 - 11:48 PM

Please print out these instructions as you will be required to reboot your computer at times. Please read these directions before you proceed so that you understand what you will be doing.

Step 1:

Download the Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  1. Select the Replace on Reboot option and put a checkmark in the Use Dummy checkbox if it is not checked. Make sure the Use Dummy checkbox is checked, as it clears each time you do these steps.

  2. Paste this file into the top Full Path of File to Delete field.


  3. Click the Delete File button, which looks like a stop sign.

  4. Click Yes at the Replace on Reboot prompt.

  5. Click No at the Pending Operations prompt.
Repeat steps 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.


After you add the last file, Guard.tmp, and it prompts to reboot, you should press the Yes button to allow it to do so.

Do not reboot more than once as the Guard.tmp will probably recreate on reboot but will be an easy kill this time.

Step 2:

Please run Findit again and post the resulting log. Remember it may take quite a bit of time before the log appears. So be patient.
