Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT log - tiburon77


  • Please log in to reply
25 replies to this topic

#1 tiburon77

tiburon77

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:09 AM

Posted 06 January 2005 - 04:46 PM

I'm just about on the verge of reformatting. I have AdAware Pro, Spybot S&D, and CWShredder. Nothing is working. AdAware and CWShredder both lockup when I try to scan. Spybot S&D finds problems and tries to fix them, but they just return when I reboot.

Ok, heres all the logs. I ran HJT, Find It, and Silent Runners.

Logfile of HijackThis v1.99.0
Scan saved at 3:40:03 PM, on 01/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
d:\Program Files\Norton Utilities\NPROTECT.EXE
d:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
D:\program files\Norton Utilities\SYSDOC32.EXE
D:\PROGRA~1\ICQ\ICQ.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [CloneCDTray] "h:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Mirabilis ICQ] D:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Norton System Doctor.lnk = D:\program files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LicCtrl Service - Unknown - C:\WINDOWS\runservice.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - d:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - d:\Program Files\Speed Disk\nopdb.exe



Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 8C41-9CCD

Directory of C:\WINDOWS\System32

01/06/2005 03:32 PM 1,289 mmf.sys
01/06/2005 03:32 PM 225,009 dq8vb.dll
01/06/2005 03:32 PM 225,688 lvp6097se.dll
12/22/2004 01:23 PM 389,120 l?gonui.exe
12/18/2004 05:13 AM <DIR> dllcache
05/05/2004 10:37 PM <DIR> Microsoft
4 File(s) 841,106 bytes
2 Dir(s) 761,225,216 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 8C41-9CCD

Directory of C:\WINDOWS\System32

01/06/2005 03:32 PM 1,289 mmf.sys
01/06/2005 11:26 AM <DIR> vmss
01/06/2005 09:29 AM <DIR> wsxsvc
12/22/2004 01:23 PM 389,120 l?gonui.exe
12/18/2004 05:13 AM <DIR> dllcache
05/05/2004 01:40 PM 488 WindowsLogon.manifest
05/05/2004 01:40 PM 488 logonui.exe.manifest
05/05/2004 01:39 PM 749 nwc.cpl.manifest
05/05/2004 01:39 PM 749 ncpa.cpl.manifest
05/05/2004 01:39 PM 749 sapi.cpl.manifest
05/05/2004 01:39 PM 749 cdplayer.exe.manifest
05/05/2004 01:39 PM 749 wuaucpl.cpl.manifest
9 File(s) 395,130 bytes
3 Dir(s) 761,221,120 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 8C41-9CCD

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 8C41-9CCD

Directory of C:\WINDOWS\System32


------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E1AD4C58-11E8-4A37-A95D-6F5844D8DAF3}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Group Policy]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\snlwid.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
dq8vb.dll Thu Jan 6 2005 3:32:18p ..S.R 225,009 219.73 K
lvp609~1.dll Thu Jan 6 2005 3:32:18p ..S.R 225,688 220.40 K
lgonui~1.exe Wed Dec 22 2004 1:23:16p ..SHR 389,120 380.00 K
mmf.sys Thu Jan 6 2005 3:32:28p A.SH. 1,289 1.26 K

4 items found: 4 files, 0 directories.
Total of file sizes: 841,106 bytes 821.39 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"AtiPTA"="atiptaxx.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"DAEMON Tools-1033"="\"D:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgemc.exe"
"AVG7_RegCleaner"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgregcl.exe /BOOT"
"CloneCDTray"="\"h:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Mirabilis ICQ"="D:\\PROGRA~1\\ICQ\\ICQNet.exe"
"CSV10P70"="C:\\Program Files\\CSBB\\CSv10P070.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"







"Silent Runners.vbs", revision 29, launched at: 15:37
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" ["Yahoo! Inc."]
"SpybotSD TeaTimer" = "d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"DAEMON Tools-1033" = ""D:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
"AVG7_RegCleaner" = "C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT" ["GRISOFT, s.r.o."]
"CloneCDTray" = ""h:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s" [file not found]
"QuickTime Task" = ""D:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Mirabilis ICQ" = "D:\PROGRA~1\ICQ\ICQNet.exe" [null data]
"CSV10P70" = "C:\Program Files\CSBB\CSv10P070.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\Downloaded Program Files\ymmapi.dll" ["Yahoo! Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> CLSID InProcServer32 resolves to: "d:\Program Files\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE}" = "eLicense Control"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\lcmmfu.cpl" [null data]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> CLSID InProcServer32 resolves to: "D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> CLSID InProcServer32 resolves to: "D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> CLSID InProcServer32 resolves to: "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{336B02CE-F88A-4aea-8731-79EF94D3723A}" = "Free AOL & Unlimited Internet.url"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\aod\aodshext.dll" [null data]
"{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension"
-> CLSID InProcServer32 resolves to: "D:\program files\ICQ\ICQShExt.dll" ["ICQ"]
"{ACC9E969-30C5-4483-BC11-2016A17E3FE7}" = (no title provided)
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\dq8vb.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Group Policy\DLLName" = "C:\WINDOWS\system32\snlwid.dll" [null data]


Startup items in "Jon" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Microsoft Broadband Networking" -> shortcut to: "C:\WINDOWS\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_18be6784.exe" [null data]
"Norton System Doctor" -> shortcut to: "D:\program files\Norton Utilities\SYSDOC32.EXE /STARTUP" ["Symantec Corporation"]
"Quicken Scheduled Updates" -> shortcut to: "C:\Program Files\Quicken\bagent.exe" ["Intuit Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
LicCtrl Service, LicCtrlService, "C:\WINDOWS\runservice.exe" [null data]
Norton Unerase Protection, NProtectService, "d:\Program Files\Norton Utilities\NPROTECT.EXE" ["Symantec Corporation"]
Speed Disk service, Speed Disk service, "d:\Program Files\Speed Disk\nopdb.exe" ["Symantec Corporation"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

Edited by tiburon77, 06 January 2005 - 04:58 PM.


BC AdBot (Login to Remove)

 


#2 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:01:09 AM

Posted 06 January 2005 - 07:32 PM

Checking. :thumbsup:
patiently patrolling, plenty of persisant pests n' problems ...

#3 tiburon77

tiburon77
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:09 AM

Posted 07 January 2005 - 10:32 AM

Thanks, any idea what I should do?

#4 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:01:09 AM

Posted 07 January 2005 - 02:07 PM

Yes, but first some questions, tiburon77

Reformat probably won't be necessary.
You have been hijacked.

Did you assign these to your trusted zone in IE?
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
They connect to a site in Russia if that helps you ID them.

Check in spybot S&D:
These options should only appear if your administrator set them on purpose or if you used Spybots Home Page and Option Lock down features
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Do you connect to the Internet using cable?
Are you experiencing any problems with Microsoft Broadband Networking in particular?
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?

It would help me to hear your comments on these questions.
We might be better able to get it all cleaned in one or two shots.
patiently patrolling, plenty of persisant pests n' problems ...

#5 tiburon77

tiburon77
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:09 AM

Posted 07 January 2005 - 04:55 PM

Hi

Ok to answer your questions first. NO, I did not put that IP address in trusted zone. Yes, I connect to the Internet with cable via a wireless device. NO, I checked S&D's options and Home Page lock is not selected.

I ran some new logs. AdAware finds nothing now, S&D finds several instances of CWS malware and some other things, CWShredder finds CWS.BootConf. I apply fix to all the problems and they all come back on reboot.

New logs......it appears the malware dll's and progs are changing names.




Logfile of HijackThis v1.99.0
Scan saved at 3:32:11 PM, on 01/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\runservice.exe
d:\Program Files\Norton Utilities\NPROTECT.EXE
d:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\system32\fxssvc.exe
D:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
D:\program files\Norton Utilities\SYSDOC32.EXE
D:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\MYIE2\MyIE.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [CloneCDTray] "h:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Mirabilis ICQ] D:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "d:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Norton System Doctor.lnk = D:\program files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LicCtrl Service - Unknown - C:\WINDOWS\runservice.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - d:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - d:\Program Files\Speed Disk\nopdb.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)




Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 8C41-9CCD

Directory of C:\WINDOWS\System32

01/07/2005 12:58 PM 1,289 mmf.sys
01/07/2005 12:58 PM 225,778 czbcatex.dll
01/07/2005 12:58 PM 222,595 q4ps0e77eh.dll
01/07/2005 12:08 PM 225,778 ir2ol5f31.dll
01/06/2005 03:32 PM 225,688 lvp6097se.dll
12/18/2004 05:13 AM <DIR> dllcache
05/05/2004 10:37 PM <DIR> Microsoft
5 File(s) 901,128 bytes
2 Dir(s) 1,487,728,640 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 8C41-9CCD

Directory of C:\WINDOWS\System32

01/07/2005 12:58 PM 1,289 mmf.sys
12/18/2004 05:13 AM <DIR> dllcache
05/05/2004 01:40 PM 488 logonui.exe.manifest
05/05/2004 01:40 PM 488 WindowsLogon.manifest
05/05/2004 01:39 PM 749 nwc.cpl.manifest
05/05/2004 01:39 PM 749 sapi.cpl.manifest
05/05/2004 01:39 PM 749 ncpa.cpl.manifest
05/05/2004 01:39 PM 749 cdplayer.exe.manifest
05/05/2004 01:39 PM 749 wuaucpl.cpl.manifest
8 File(s) 6,010 bytes
1 Dir(s) 1,487,728,640 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 8C41-9CCD

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 8C41-9CCD

Directory of C:\WINDOWS\System32


------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{93DC3B59-E2FF-4596-8E10-F19BA099E928}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ir2ol5f31.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
czbcatex.dll Fri Jan 7 2005 12:58:24p ..S.R 225,778 220.48 K
ir2ol5~1.dll Fri Jan 7 2005 12:08:30p ..S.R 225,778 220.48 K
lvp609~1.dll Thu Jan 6 2005 3:32:18p ..S.R 225,688 220.40 K
mmf.sys Fri Jan 7 2005 12:58:48p A.SH. 1,289 1.26 K
q4ps0e~1.dll Fri Jan 7 2005 12:58:24p ..S.R 222,595 217.38 K

5 items found: 5 files, 0 directories.
Total of file sizes: 901,128 bytes 880.01 K

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\pav.sig: Qoologic
C:\WINDOWS\system32\pav.sig: Qoologic

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\pav.sig: AsPack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"AtiPTA"="atiptaxx.exe"
"DAEMON Tools-1033"="\"D:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgemc.exe"
"AVG7_RegCleaner"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgregcl.exe /BOOT"
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Mirabilis ICQ"="D:\\PROGRA~1\\ICQ\\ICQNet.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




"Silent Runners.vbs", revision 29, launched at: 15:36
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" ["Yahoo! Inc."]
"SpybotSD TeaTimer" = "d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"Spyware Doctor" = ""d:\Program Files\Spyware Doctor\swdoctor.exe" /Q" ["PCTools"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"DAEMON Tools-1033" = ""D:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
"AVG7_RegCleaner" = "C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT" ["GRISOFT, s.r.o."]
"CloneCDTray" = ""h:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s" [file not found]
"QuickTime Task" = ""D:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Mirabilis ICQ" = "D:\PROGRA~1\ICQ\ICQNet.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\Downloaded Program Files\ymmapi.dll" ["Yahoo! Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> CLSID InProcServer32 resolves to: "d:\Program Files\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE}" = "eLicense Control"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\lcmmfu.cpl" [null data]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> CLSID InProcServer32 resolves to: "D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> CLSID InProcServer32 resolves to: "D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> CLSID InProcServer32 resolves to: "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{336B02CE-F88A-4aea-8731-79EF94D3723A}" = "Free AOL & Unlimited Internet.url"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\aod\aodshext.dll" [null data]
"{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension"
-> CLSID InProcServer32 resolves to: "D:\program files\ICQ\ICQShExt.dll" ["ICQ"]
"{ACC9E969-30C5-4483-BC11-2016A17E3FE7}" = (no title provided)
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\czbcatex.dll" [null data]
"{E78444FD-00AB-460D-A229-A4BCD8BF3ABD}" = (no title provided)
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\nftmsg.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "ShellServiceObjectDelayLoad\DLLName" = "C:\WINDOWS\system32\ir2ol5f31.dll" [null data]


Startup items in "Jon" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Microsoft Broadband Networking" -> shortcut to: "C:\WINDOWS\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_18be6784.exe" [null data]
"Norton System Doctor" -> shortcut to: "D:\program files\Norton Utilities\SYSDOC32.EXE /STARTUP" ["Symantec Corporation"]
"Quicken Scheduled Updates" -> shortcut to: "C:\Program Files\Quicken\bagent.exe" ["Intuit Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
Fax, Fax, "C:\WINDOWS\system32\fxssvc.exe" [MS]
LicCtrl Service, LicCtrlService, "C:\WINDOWS\runservice.exe" [null data]
Norton Unerase Protection, NProtectService, "d:\Program Files\Norton Utilities\NPROTECT.EXE" ["Symantec Corporation"]
Speed Disk service, Speed Disk service, "d:\Program Files\Speed Disk\nopdb.exe" ["Symantec Corporation"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

#6 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:01:09 AM

Posted 07 January 2005 - 05:07 PM

OK, fair enough. the recommendations will be based on that.
And the new log.
Please exercise patience.
Lotta info in your posts. :thumbsup:

When files change on reboot, thats a dead give-away.
Do not reboot now that we have a log we both can refer to.

That'll simplify matters.

I will not hurt the computer to just leave it on.

Edited by phawgg, 07 January 2005 - 05:10 PM.

patiently patrolling, plenty of persisant pests n' problems ...

#7 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:01:09 AM

Posted 10 January 2005 - 12:59 AM

tiburon,
I hope you didn't think I'd never reply.
My apologies.
This is what we are up against:
The new vx2 installs a bunch of dll files that rename themselves,
a file called c:\windows\system32\guard.tmp, that protects these files,
changes the UserAgent reg key to a clsid,
breaks the recycle bin, and adds a startup key in the Winlogin\Notify registry section.
It also somtimes is found with a infection called qoologic.

It has been found with another infection.

You have supplied logs that are appropriate to the problem.
It has taken me time to determine based on them what needs to be done.

In that time, I am uncertain if the facts remain the same.
In all fairness to you, if you have not re-formatted, then the best plan of attack
will be to start fresh with this recommendation.
I realize it duplicates your previous posts.
It will help, though, if the files have changed.

(I am now prepared to give specific directions once I receive it):

Download the following file:

http://www.thatcomputerguy.us/downloads/finditnt2000xp.zip

and unzip the contents to a folder.  When it has unzipped, open that folder and double click on Find.bat.
It will run for a while, so be patient, and then produce a log (ignore any File not found messages on the screen, it should continue anyway).

Please copy and paste that log here.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

You should follow it up with a new HJT log, too.

Thank you.
patiently patrolling, plenty of persisant pests n' problems ...

#8 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:01:09 AM

Posted 10 January 2005 - 01:30 AM

It is likely going to be several posts to completion. I'm on the Pacific Coast. It's 10:30 pm here. What's you time zone/hours?
patiently patrolling, plenty of persisant pests n' problems ...

#9 tiburon77

tiburon77
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:09 AM

Posted 10 January 2005 - 02:08 AM

Hi

Central Time zone here. I haven't reformatted yet but it probably would have saved alot of aggravation if I had. :thumbsup: I just ran a HJT log. I already had FindIt, I posted a FindIt log with my first post. It showed the the qoologic files and guard.tmp.

AdAware, S&D, and Spware Doctor are all showing me fairly clean. S&D comes up with some CWS stuff that it can't remove. CWShredder tries to remove them but they are still there.

Just about everything you said in your post describes my system now. Recycle bin is broken, startup keys under Notify, etc.

I ran a a prog called SilentRunners. I also ran it on my first post. You can see a few things have changed, as far as filenames, but you can tell where the malware is installing itself. I've tried to deletle those keys and restart, but they always come back. There is something I'm missing that is reinstalling it.

Here is all 3 new logs. I've highlighted the things that look suspicious to me.




Logfile of HijackThis v1.99.0
Scan saved at 12:43:30 AM, on 01/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
d:\Program Files\Norton Utilities\NPROTECT.EXE
d:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MYIE2\MyIE.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
D:\program files\D-Tools\daemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ntvdm.exe
h:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
h:\Program Files\SlySoft\CloneCD\CloneCD.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [Mirabilis ICQ] D:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [CloneCDTray] "h:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - d:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - d:\Program Files\Speed Disk\nopdb.exe



FindIt Log



Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 8C41-9CCD

Directory of C:\WINDOWS\System32

01/08/2005 06:07 AM 222,784 dnj8011ue.dll
01/08/2005 05:59 AM 222,595 k480lelm1hqa.dll

01/08/2005 01:26 AM 12,800 Thumbs.db
01/08/2005 12:28 AM 222,784 lv8m09l1e.dll
12/18/2004 05:13 AM <DIR> dllcache
05/05/2004 10:37 PM <DIR> Microsoft
4 File(s) 680,963 bytes
2 Dir(s) 1,480,466,432 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 8C41-9CCD

Directory of C:\WINDOWS\System32

01/08/2005 01:26 AM 12,800 Thumbs.db
12/18/2004 05:13 AM <DIR> dllcache
05/05/2004 01:40 PM 488 logonui.exe.manifest
05/05/2004 01:40 PM 488 WindowsLogon.manifest
05/05/2004 01:39 PM 749 sapi.cpl.manifest
05/05/2004 01:39 PM 749 nwc.cpl.manifest
05/05/2004 01:39 PM 749 ncpa.cpl.manifest
05/05/2004 01:39 PM 749 cdplayer.exe.manifest
05/05/2004 01:39 PM 749 wuaucpl.cpl.manifest
8 File(s) 17,521 bytes
1 Dir(s) 1,480,462,336 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 8C41-9CCD

Directory of C:\WINDOWS\System32

01/09/2005 05:24 PM 222,784 guard.tmp 1 File(s) 222,784 bytes
0 Dir(s) 1,480,462,336 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 8C41-9CCD

Directory of C:\WINDOWS\System32

01/09/2005 05:24 PM 222,784 guard.tmp
1 File(s) 222,784 bytes
0 Dir(s) 1,480,462,336 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{93DC3B59-E2FF-4596-8E10-F19BA099E928}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv8m09l1e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
dnj801~1.dll Sat Jan 8 2005 6:07:18a ..S.R 222,784 217.56 K
k480le~1.dll Sat Jan 8 2005 5:59:46a ..S.R 222,595 217.38 K
lv8m09~1.dll Sat Jan 8 2005 12:28:42a ..S.R 222,784 217.56 K
thumbs.db Sat Jan 8 2005 1:26:02a A.SH. 12,800 12.50 K

4 items found: 4 files, 0 directories.
Total of file sizes: 680,963 bytes 665.00 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"AtiPTA"="atiptaxx.exe"
"DAEMON Tools-1033"="\"D:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgemc.exe"
"AVG7_RegCleaner"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgregcl.exe /BOOT"
"Mirabilis ICQ"="D:\\PROGRA~1\\ICQ\\ICQNet.exe"
"CloneCDTray"="\"h:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




Silent Runners Log



"Silent Runners.vbs", revision 29, launched at: 00:53
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" ["Yahoo! Inc."]
"SpybotSD TeaTimer" = "d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"Spyware Doctor" = ""D:\Program Files\Spyware Doctor\swdoctor.exe" /Q" ["PCTools"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"DAEMON Tools-1033" = ""D:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
"AVG7_RegCleaner" = "C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT" ["GRISOFT, s.r.o."]
"Mirabilis ICQ" = "D:\PROGRA~1\ICQ\ICQNet.exe" [null data]
"CloneCDTray" = ""h:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s" ["SlySoft, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"Spyware Doctor" = (no data)

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\Downloaded Program Files\ymmapi.dll" ["Yahoo! Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> CLSID InProcServer32 resolves to: "d:\Program Files\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE}" = "eLicense Control"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\lcmmfu.cpl" [null data]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> CLSID InProcServer32 resolves to: "D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> CLSID InProcServer32 resolves to: "D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> CLSID InProcServer32 resolves to: "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{336B02CE-F88A-4aea-8731-79EF94D3723A}" = "Free AOL & Unlimited Internet.url"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\aod\aodshext.dll" [null data]
"{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension"
-> CLSID InProcServer32 resolves to: "D:\program files\ICQ\ICQShExt.dll" ["ICQ"]
"{ACC9E969-30C5-4483-BC11-2016A17E3FE7}" = (no title provided)
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\dliman32.dll" [null data]
"{E78444FD-00AB-460D-A229-A4BCD8BF3ABD}" = (no title provided)
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\nftmsg.dll" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Control Panel\DLLName" = "C:\WINDOWS\system32\lv8m09l1e.dll" [null data]



Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
Norton Unerase Protection, NProtectService, "d:\Program Files\Norton Utilities\NPROTECT.EXE" ["Symantec Corporation"]
Speed Disk service, Speed Disk service, "d:\Program Files\Speed Disk\nopdb.exe" ["Symantec Corporation"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


Hope that helps a bit.

#10 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:01:09 AM

Posted 10 January 2005 - 11:03 AM

It showed the the qoologic files and guard.tmp.

qoologic, but no guard, it seems.

Please perform the steps in exact order for best results.
Read through them carefully first to avoid confusion.
We will do this in stages.
HJT use will come after we are certain of results found in the first steps.
That's what we are leading up to.

Print out, Copy/paste these instructions to a notepad/wordpad or choose file-->save page as: HJT instructions.
You Internet connection doesn't work in safe mode, but you'll have these instructions to assist you.

Download & Install System Security Suite
Install this program, look it over, read about it, but don't run it yet.
Download HostFix which will restore your original host file. Don't run it yet.
Download the Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Select the Replace on Reboot option.
  • Use checkmark in the Use Dummy checkbox.
  • Check Use Dummy each time, since it clears between steps.
  • Paste C:\WINDOWS\system32\lv8m09l1e.dll into the top Full Path of File to Delete field.
  • Click the Delete File button which looks like a stop sign.
  • Click Yes at the Replace on Reboot prompt.
  • Click No at the Pending Operations prompt.
Repeat step 1 through 5 above for each of the following files.
The only difference is that you will be substituting the file listed above with each of the files below.
C:\WINDOWS\system32\dnj8011ue.dll
C:\WINDOWS\system32\k480lelm1hqa.dll
C:\WINDOWS\System32\Guard.tmp


After you add the last file, when prompted to reboot,
you should press the Yes button to allow it to do so.

Do not reboot more than once.
The Guard.tmp will probably recreate on reboot
but will be an easy kill next time we do it.

Run Finditnt2000xp (find.bat) again.
Post the new log as a reply to this post.
We'll both know what to do next, then.

Let the PC run uninterupted, please.

Edited by phawgg, 10 January 2005 - 04:19 PM.

patiently patrolling, plenty of persisant pests n' problems ...

#11 tiburon77

tiburon77
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:09 AM

Posted 11 January 2005 - 03:37 AM

Thanks again for all the help.

Did everything you said and rebooted.

Here's the new logs.



HiJackThis Log



Logfile of HijackThis v1.99.0
Scan saved at 2:00:24 AM, on 01/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
d:\Program Files\Norton Utilities\NPROTECT.EXE
d:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
D:\program files\Spybot - Search & Destroy\TeaTimer.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [Mirabilis ICQ] D:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [CloneCDTray] "h:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - d:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - d:\Program Files\Speed Disk\nopdb.exe



FindIt Log



Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 8C41-9CCD

Directory of C:\WINDOWS\System32

01/11/2005 01:56 AM 222,784 derpsetu.dll
01/11/2005 01:39 AM 56 h2l20c3oef.dll
01/09/2005 05:24 PM 222,784 lv8s09l7e.dll

12/18/2004 05:13 AM <DIR> dllcache
05/05/2004 10:37 PM <DIR> Microsoft
3 File(s) 445,624 bytes
2 Dir(s) 1,411,366,912 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 8C41-9CCD

Directory of C:\WINDOWS\System32

12/18/2004 05:13 AM <DIR> dllcache
05/05/2004 01:40 PM 488 logonui.exe.manifest
05/05/2004 01:40 PM 488 WindowsLogon.manifest
05/05/2004 01:39 PM 749 nwc.cpl.manifest
05/05/2004 01:39 PM 749 sapi.cpl.manifest
05/05/2004 01:39 PM 749 ncpa.cpl.manifest
05/05/2004 01:39 PM 749 wuaucpl.cpl.manifest
05/05/2004 01:39 PM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 1,411,366,912 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 8C41-9CCD

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 8C41-9CCD

Directory of C:\WINDOWS\System32


------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{93DC3B59-E2FF-4596-8E10-F19BA099E928}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv8s09l7e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
derpsetu.dll Tue Jan 11 2005 1:56:52a ..S.R 222,784 217.56 K
h2l20c~1.dll Tue Jan 11 2005 1:39:46a ..S.R 56 0.05 K
lv8s09~1.dll Sun Jan 9 2005 5:24:04p ..S.R 222,784 217.56 K

3 items found: 3 files, 0 directories.
Total of file sizes: 445,624 bytes 435.18 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"AtiPTA"="atiptaxx.exe"
"DAEMON Tools-1033"="\"D:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgemc.exe"
"AVG7_RegCleaner"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgregcl.exe /BOOT"
"Mirabilis ICQ"="D:\\PROGRA~1\\ICQ\\ICQNet.exe"
"CloneCDTray"="\"h:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"
"SESync"="\"C:\\Program Files\\SED\\SED.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



Silent Runners Log



"Silent Runners.vbs", revision 29, launched at: 02:19
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" ["Yahoo! Inc."]
"SpybotSD TeaTimer" = "d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"Spyware Doctor" = ""D:\Program Files\Spyware Doctor\swdoctor.exe" /Q" ["PCTools"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"DAEMON Tools-1033" = ""D:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
"AVG7_RegCleaner" = "C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT" ["GRISOFT, s.r.o."]
"Mirabilis ICQ" = "D:\PROGRA~1\ICQ\ICQNet.exe" [null data]
"CloneCDTray" = ""h:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s" ["SlySoft, Inc."]
"VBundleOuterDL" = "C:\Program Files\VBouncer\BundleOuter.EXE" [file not found]
"SESync" = ""C:\Program Files\SED\SED.exe"" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"Spyware Doctor" = (no data)

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\Downloaded Program Files\ymmapi.dll" ["Yahoo! Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> CLSID InProcServer32 resolves to: "d:\Program Files\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE}" = "eLicense Control"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\lcmmfu.cpl" [null data]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> CLSID InProcServer32 resolves to: "D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> CLSID InProcServer32 resolves to: "D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> CLSID InProcServer32 resolves to: "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{336B02CE-F88A-4aea-8731-79EF94D3723A}" = "Free AOL & Unlimited Internet.url"
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\aod\aodshext.dll" [null data]
"{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension"
-> CLSID InProcServer32 resolves to: "D:\program files\ICQ\ICQShExt.dll" ["ICQ"]
"{ACC9E969-30C5-4483-BC11-2016A17E3FE7}" = (no title provided)
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\derpsetu.dll" [null data]
"{E78444FD-00AB-460D-A229-A4BCD8BF3ABD}" = (no title provided)
-> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\nftmsg.dll" [file not found]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "Run\DLLName" = "C:\WINDOWS\system32\lv8s09l7e.dll" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
Norton Unerase Protection, NProtectService, "d:\Program Files\Norton Utilities\NPROTECT.EXE" ["Symantec Corporation"]
Speed Disk service, Speed Disk service, "d:\Program Files\Speed Disk\nopdb.exe" ["Symantec Corporation"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
---------

Just about the same with different filenames, no guard this time. VBouncer and SED are new in there. Recycle bin still not working.

#12 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:01:09 AM

Posted 11 January 2005 - 05:18 PM

Tiburon, we are making progress. It is "normal and common" that
it may take a few "killbox sessions" before we should address
the other things that appear in your log.
The guard is gone.

Run KillBox again.
  • Select the Replace on Reboot option.
  • Use checkmark in the Use Dummy checkbox.
  • Check Use Dummy each time, since it clears between steps.
  • Paste C:\\WINDOWS\\system32\\lv8s09l7e.dll into the top Full Path of File to Delete field.
  • Click the Delete File button which looks like a stop sign.
  • Click Yes at the Replace on Reboot prompt.
  • Click No at the Pending Operations prompt.
Repeat step 1 through 5 above for each of the following files.
The only difference is that you will be substituting the file listed above with each of the files below.
C:\WINDOWS\system32\derpsetu.dll
C:\WINDOWS\system32\ h2l20c3oef.dll


After you add the last file, when prompted to reboot,
you should press the Yes button to allow it to do so.

Do not reboot more than once.

Run Finditnt2000xp (find.bat) again.
Post the new log as a reply to this post.
Again, then we'll both know better, what to do next.
Another HJT log, also.
I'm ignoring the SilentRunner report, for the most part.

Edited by phawgg, 11 January 2005 - 05:21 PM.

patiently patrolling, plenty of persisant pests n' problems ...

#13 tiburon77

tiburon77
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:09 AM

Posted 11 January 2005 - 07:06 PM

Heres the newest logs. Definetely looking much cleaner. S&D still shows DSO exploits and many CWS, probably because the hosts file is still messed up.

Logfile of HijackThis v1.99.0
Scan saved at 5:35:33 PM, on 01/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
d:\Program Files\Norton Utilities\NPROTECT.EXE
d:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [Mirabilis ICQ] D:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [CloneCDTray] "h:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] d:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "D:\program files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - d:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - d:\Program Files\Speed Disk\nopdb.exe

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 8C41-9CCD

Directory of C:\WINDOWS\System32

12/18/2004 05:13 AM <DIR> dllcache
05/05/2004 10:37 PM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 1,340,157,952 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 8C41-9CCD

Directory of C:\WINDOWS\System32

12/18/2004 05:13 AM <DIR> dllcache
05/05/2004 01:40 PM 488 logonui.exe.manifest
05/05/2004 01:40 PM 488 WindowsLogon.manifest
05/05/2004 01:39 PM 749 nwc.cpl.manifest
05/05/2004 01:39 PM 749 sapi.cpl.manifest
05/05/2004 01:39 PM 749 ncpa.cpl.manifest
05/05/2004 01:39 PM 749 wuaucpl.cpl.manifest
05/05/2004 01:39 PM 749 cdplayer.exe.manifest
7 File(s) 4,721 bytes
1 Dir(s) 1,340,157,952 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 8C41-9CCD

Directory of C:\WINDOWS\System32

01/11/2005 04:49 PM 222,784 guard.tmp
1 File(s) 222,784 bytes
0 Dir(s) 1,340,153,856 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 8C41-9CCD

Directory of C:\WINDOWS\System32

01/11/2005 04:49 PM 222,784 guard.tmp
1 File(s) 222,784 bytes
0 Dir(s) 1,340,153,856 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{93DC3B59-E2FF-4596-8E10-F19BA099E928}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DateTime]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\h2l20c3oef.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

No matches found.

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe"
"AtiPTA"="atiptaxx.exe"
"DAEMON Tools-1033"="\"D:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgemc.exe"
"AVG7_RegCleaner"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgregcl.exe /BOOT"
"Mirabilis ICQ"="D:\\PROGRA~1\\ICQ\\ICQNet.exe"
"CloneCDTray"="\"h:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"SESync"="\"C:\\Program Files\\SED\\SED.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"




#14 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:01:09 AM

Posted 11 January 2005 - 07:17 PM

S&D still shows DSO exploits and many CWS, probably because the hosts file is still messed up.

Yes, we haven't even begun to fight. We'll use HJT soon.
In spybot, 5 DSO exploits can be disabled in the Advanced mode-->settings-->ignore products-->security tab since it is a "glitch. Have spybot ignore it. Later.

The CWS is slightly different.

We should see improvements in it soon.

Checking again, expect our reply in a while.
patiently patrolling, plenty of persisant pests n' problems ...

#15 phawgg

phawgg

    Learning Daily


  • Members
  • 4,543 posts
  • OFFLINE
  •  
  • Location:Washington State, USA
  • Local time:01:09 AM

Posted 11 January 2005 - 11:02 PM

tiburon, we're not quite ready to use HJT yet.

Run KillBox again.
  • Select the Replace on Reboot option.
  • Use checkmark in the Use Dummy checkbox.
  • Check Use Dummy each time, since it clears between steps.
  • Paste C:\\WINDOWS\\system32\\h2l20c3oef.dll into the top Full Path of File to Delete field.
  • Click the Delete File button which looks like a stop sign.
  • Click Yes at the Replace on Reboot prompt.
  • Click No at the Pending Operations prompt.
Repeat step 1 through 5 above for each of the following files.
The only difference is that you will be substituting the file listed above with each of the files below.
C:\WINDOWS\system32\nftmsg.dll
C:\WINDOWS\system32\guard.tmp

After you add the last file, when prompted to reboot,
you should press the Yes button to allow it to do so.
Do not reboot more than once.

Run Finditnt2000xp (find.bat) again.
Post the new log as a reply to this post. With a fresh HJT log, too.
next time we'll probably use HJT to close in on the real culprit(s)

Edited by phawgg, 11 January 2005 - 11:05 PM.

patiently patrolling, plenty of persisant pests n' problems ...




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users