Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT Log-jgreg32


  • Please log in to reply
38 replies to this topic

#1 jgreg32

jgreg32

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:07:35 PM

Posted 06 January 2005 - 11:26 PM

Hey Guys, sorry to bother you.
While doing some hw my little bro somehow got this stuff on my pc again. I tried all the spyware programs, as well as the new microsoft software. Can you please help? Thanks a lot in advance


Logfile of HijackThis v1.98.2
Scan saved at 11:22:34 PM, on 1/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\ntnut.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\k\Application Data\oesn.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpe.dll/security.htm#subID=BSW;677
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpe.dll/security.htm#subID=BSW;677
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Opms] C:\Documents and Settings\k\Application Data\oesn.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O15 - Trusted Zone: *.slotchbar.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097173516009
O16 - DPF: {6491E7CB-F83B-4D31-8F99-6384A633FE58} (EconCVX Control) - http://www.mathxl.com/applets/econcvx.cab

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:35 PM

Posted 07 January 2005 - 12:41 AM

You are using an outdated version of hijackthis. Please download the newer version.

Download HijackThis from:

HijackThis Download Site

Then post a new log

#3 jgreg32

jgreg32
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:07:35 PM

Posted 07 January 2005 - 08:20 AM

Will do so when i get home from work tonight. Thanks

#4 jgreg32

jgreg32
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:07:35 PM

Posted 07 January 2005 - 02:00 PM

New log:

Logfile of HijackThis v1.99.0
Scan saved at 1:56:05 PM, on 1/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\ntnut.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\k\Application Data\oesn.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpe.dll/security.htm#subID=BSW;677
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Opms] C:\Documents and Settings\k\Application Data\oesn.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097173516009
O16 - DPF: {6491E7CB-F83B-4D31-8F99-6384A633FE58} (EconCVX Control) - http://www.mathxl.com/applets/econcvx.cab
O23 - Service: TrueVector Internet Monitor - Unknown - C:\WINDOWS\system32\ZONELABS\vsmon.exe (file missing)

#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:35 PM

Posted 07 January 2005 - 02:29 PM

Download the following file:

http://www.thatcomputerguy.us/downloads/finditnt2000xp.zip


and unzip the contents to a folder. When it has unzipped, open that folder and double click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any File not found messages on the screen, it should continue anyway).

Please copy and paste that log here.

From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.

#6 jgreg32

jgreg32
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:07:35 PM

Posted 07 January 2005 - 03:42 PM

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\k\Desktop\01-07-05\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is B0B8-3A7C

Directory of C:\WINDOWS\System32

01/07/2005 01:41 PM 224,735 n68olgl316q.dll
01/07/2005 01:41 PM 223,349 wtweb.dll
01/06/2005 10:45 PM 223,349 jtjm0711e.dll
01/06/2005 10:40 PM 32,256 shdocpe.dll
11/08/2004 01:10 PM 11,264 atlor.exe
11/04/2004 10:27 AM 385,024 w?nlogon.exe
10/10/2004 08:59 PM 3,362 gwsaf.txt
03/22/2004 06:36 PM <DIR> dllcache
7 File(s) 1,103,339 bytes
1 Dir(s) 14,594,048,000 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is B0B8-3A7C

Directory of C:\WINDOWS\System32

01/06/2005 10:40 PM 32,256 shdocpe.dll
11/08/2004 01:10 PM 11,264 atlor.exe
11/04/2004 10:27 AM 385,024 w?nlogon.exe
10/10/2004 08:59 PM 3,362 gwsaf.txt
10/03/2004 01:03 PM 899 vsconfig.xml
10/02/2004 12:57 PM 4,212 zllictbl.dat
03/22/2004 07:54 PM 488 WindowsLogon.manifest
03/22/2004 07:54 PM 488 logonui.exe.manifest
03/22/2004 07:54 PM 749 wuaucpl.cpl.manifest
03/22/2004 07:54 PM 749 cdplayer.exe.manifest
03/22/2004 07:54 PM 749 ncpa.cpl.manifest
03/22/2004 07:54 PM 749 nwc.cpl.manifest
03/22/2004 07:54 PM 749 sapi.cpl.manifest
03/22/2004 06:36 PM <DIR> dllcache
13 File(s) 441,738 bytes
1 Dir(s) 14,594,031,616 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is B0B8-3A7C

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is B0B8-3A7C

Directory of C:\WINDOWS\System32

01/06/2005 10:40 PM 7,168 telnet.exe.tmp
09/22/2004 06:46 PM 3,371,008 SETFB.tmp
08/03/2004 11:56 PM 1,236,480 msxml3.dll.tmp
08/23/2001 06:00 PM 2,577 CONFIG.TMP
4 File(s) 4,617,233 bytes
0 Dir(s) 14,593,998,848 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E401E79B-94D6-4244-BC11-5EC3F7242B50}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\jtjm0711e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
shdocpe.dll Thu Jan 6 2005 10:40:16p ..SHR 32,256 31.50 K
gwsaf.txt Sun Oct 10 2004 8:59:00p A.SH. 3,362 3.28 K
atlor.exe Mon Nov 8 2004 1:10:40p A.SH. 11,264 11.00 K
wnlogo~1.exe Thu Nov 4 2004 10:27:16a ..SHR 385,024 376.00 K
jtjm07~1.dll Thu Jan 6 2005 10:45:56p ..S.R 223,349 218.11 K
n68olg~1.dll Fri Jan 7 2005 1:41:02p ..S.R 224,735 219.46 K
wtweb.dll Fri Jan 7 2005 1:41:02p ..S.R 223,349 218.11 K

7 items found: 7 files, 0 directories.
Total of file sizes: 1,103,339 bytes 1.05 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\Bmkddg32.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe /startup"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"NeroCheck"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"Fast start"="C:\\WINDOWS\\system32\\ntnut.exe home"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"VBouncer"="C:\\PROGRA~1\\VBOUNCER\\VirtualBouncer.exe"




#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:35 PM

Posted 07 January 2005 - 03:50 PM

Please print out these instructions as you will be required to reboot your computer at times. Please read these directions before you proceed so that you understand what you will be doing.

Step 1:

Download the Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
  • Select the Replace on Reboot option and put a checkmark in the Use Dummy checkbox if it is not checked. Make sure the Use Dummy checkbox is checked as it clears each time you do these steps.

  • Paste this file into the top Full Path of File to Delete field.


    C:\WINDOWS\system32\n68olgl316q.dll

  • Click the Delete File button which looks like a stop sign.

  • Click Yes at the Replace on Reboot prompt.

  • Click No at the Pending Operations prompt.
Repeat step 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.

C:\WINDOWS\system32\wtweb.dll
C:\WINDOWS\system32\jtjm0711e.dll
C:\WINDOWS\system32\shdocpe.dll
C:\WINDOWS\system32\atlor.exe
C:\WINDOWS\system32\Bmkddg32.exe
C:\WINDOWS\System32\Guard.tmp

After you add the last file, Guard.tmp, and it prompts to reboot, you should press the Yes button to allow it to do so.


Do not reboot more than once as the Guard.tmp will probably recreate on reboot but will be an easy kill this time.


Step 2:


Please run Findit again and post the resulting log. Remember it may take quite a bit of time before the log appears. So be patient.

#8 jgreg32

jgreg32
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:07:35 PM

Posted 07 January 2005 - 08:31 PM

I get a 404 error message when trying to download killbox

#9 jgreg32

jgreg32
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:07:35 PM

Posted 07 January 2005 - 10:04 PM

I found the link to killbox from another thread. Here is the new log



Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\k\Desktop\01-07-05\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is B0B8-3A7C

Directory of C:\WINDOWS\System32

01/07/2005 09:53 PM 223,349 guard.tmp
11/04/2004 10:27 AM 385,024 w?nlogon.exe
10/10/2004 08:59 PM 3,362 gwsaf.txt
03/22/2004 06:36 PM <DIR> dllcache
3 File(s) 611,735 bytes
1 Dir(s) 14,583,742,464 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is B0B8-3A7C

Directory of C:\WINDOWS\System32

11/04/2004 10:27 AM 385,024 w?nlogon.exe
10/10/2004 08:59 PM 3,362 gwsaf.txt
10/03/2004 01:03 PM 899 vsconfig.xml
10/02/2004 12:57 PM 4,212 zllictbl.dat
03/22/2004 07:54 PM 488 WindowsLogon.manifest
03/22/2004 07:54 PM 488 logonui.exe.manifest
03/22/2004 07:54 PM 749 wuaucpl.cpl.manifest
03/22/2004 07:54 PM 749 cdplayer.exe.manifest
03/22/2004 07:54 PM 749 ncpa.cpl.manifest
03/22/2004 07:54 PM 749 nwc.cpl.manifest
03/22/2004 07:54 PM 749 sapi.cpl.manifest
03/22/2004 06:36 PM <DIR> dllcache
11 File(s) 398,218 bytes
1 Dir(s) 14,583,726,080 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is B0B8-3A7C

Directory of C:\WINDOWS\System32

01/07/2005 09:53 PM 223,349 guard.tmp
1 File(s) 223,349 bytes
0 Dir(s) 14,583,709,696 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is B0B8-3A7C

Directory of C:\WINDOWS\System32

01/07/2005 09:53 PM 223,349 guard.tmp
01/06/2005 10:40 PM 7,168 telnet.exe.tmp
09/22/2004 06:46 PM 3,371,008 SETFB.tmp
08/03/2004 11:56 PM 1,236,480 msxml3.dll.tmp
08/23/2001 06:00 PM 2,577 CONFIG.TMP
5 File(s) 4,840,582 bytes
0 Dir(s) 14,583,693,312 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E401E79B-94D6-4244-BC11-5EC3F7242B50}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\n68olgl316q.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
gwsaf.txt Sun Oct 10 2004 8:59:00p A.SH. 3,362 3.28 K
wnlogo~1.exe Thu Nov 4 2004 10:27:16a ..SHR 385,024 376.00 K
guard.tmp Fri Jan 7 2005 9:53:06p ..S.R 223,349 218.11 K

3 items found: 3 files, 0 directories.
Total of file sizes: 611,735 bytes 597.39 K

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\zsoauo.dll: updates.qoologic.com
C:\WINDOWS\system32\pxzqmz.exe: updates.qoologic.com
C:\WINDOWS\system32\giypzy.dll: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\qgavya.dat: .aspack
C:\WINDOWS\system32\yqikoi.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe /startup"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"NeroCheck"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"Fast start"="C:\\WINDOWS\\system32\\ntnut.exe home"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"VBouncer"="C:\\PROGRA~1\\VBOUNCER\\VirtualBouncer.exe"
"Narrator"="C:\\WINDOWS\\System32\\yqikoi.exe"




#10 jgreg32

jgreg32
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:07:35 PM

Posted 08 January 2005 - 01:37 PM

I can no longer access the internet on the infected computer. I am afraid that if I restart the comp i will use the previouse fix. Please advise. My computer keeps running processes and did not go into stand by for the past 3 hours. Thanks

#11 jgreg32

jgreg32
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:07:35 PM

Posted 08 January 2005 - 01:52 PM

Computer shut off and restarted 5 times before going back to desktop. Please help. Internet is working on that machine for now if i need to post new logs. Please advise.

#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:35 PM

Posted 08 January 2005 - 07:11 PM

I know its scary, but I promise we will get you fixed :thumbsup:

Post a new findit log

#13 jgreg32

jgreg32
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:07:35 PM

Posted 08 January 2005 - 08:16 PM

Thanks for your help. here is the new log after the comp restarted



Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\k\Desktop\01-07-05\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is B0B8-3A7C

Directory of C:\WINDOWS\System32

01/07/2005 09:53 PM 223,349 jtrm0791e.dll
11/04/2004 10:27 AM 385,024 w?nlogon.exe
10/10/2004 08:59 PM 3,362 gwsaf.txt
03/22/2004 06:36 PM <DIR> dllcache
3 File(s) 611,735 bytes
1 Dir(s) 14,553,300,992 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is B0B8-3A7C

Directory of C:\WINDOWS\System32

11/04/2004 10:27 AM 385,024 w?nlogon.exe
10/10/2004 08:59 PM 3,362 gwsaf.txt
10/03/2004 01:03 PM 899 vsconfig.xml
10/02/2004 12:57 PM 4,212 zllictbl.dat
03/22/2004 07:54 PM 488 WindowsLogon.manifest
03/22/2004 07:54 PM 488 logonui.exe.manifest
03/22/2004 07:54 PM 749 wuaucpl.cpl.manifest
03/22/2004 07:54 PM 749 cdplayer.exe.manifest
03/22/2004 07:54 PM 749 ncpa.cpl.manifest
03/22/2004 07:54 PM 749 nwc.cpl.manifest
03/22/2004 07:54 PM 749 sapi.cpl.manifest
03/22/2004 06:36 PM <DIR> dllcache
11 File(s) 398,218 bytes
1 Dir(s) 14,553,284,608 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is B0B8-3A7C

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is B0B8-3A7C

Directory of C:\WINDOWS\System32

01/06/2005 10:40 PM 7,168 telnet.exe.tmp
09/22/2004 06:46 PM 3,371,008 SETFB.tmp
08/03/2004 11:56 PM 1,236,480 msxml3.dll.tmp
08/23/2001 06:00 PM 2,577 CONFIG.TMP
4 File(s) 4,617,233 bytes
0 Dir(s) 14,553,251,840 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E401E79B-94D6-4244-BC11-5EC3F7242B50}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\n68olgl316q.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
gwsaf.txt Sun Oct 10 2004 8:59:00p A.SH. 3,362 3.28 K
wnlogo~1.exe Thu Nov 4 2004 10:27:16a ..SHR 385,024 376.00 K
jtrm07~1.dll Fri Jan 7 2005 9:53:06p ..S.R 223,349 218.11 K

3 items found: 3 files, 0 directories.
Total of file sizes: 611,735 bytes 597.39 K

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\zsoauo.dll: updates.qoologic.com
C:\WINDOWS\system32\pxzqmz.exe: updates.qoologic.com
C:\WINDOWS\system32\giypzy.dll: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\qgavya.dat: .aspack
C:\WINDOWS\system32\yqikoi.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe /startup"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"NeroCheck"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"Fast start"="C:\\WINDOWS\\system32\\ntnut.exe home"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"VBouncer"="C:\\PROGRA~1\\VBOUNCER\\VirtualBouncer.exe"
"Narrator"="C:\\WINDOWS\\System32\\yqikoi.exe"
"WinTools"="C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsA.exe"




#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:35 PM

Posted 08 January 2005 - 09:22 PM

Download killbox here:

KillBox


Unzip the folder to your desktop.

Start Killbox.exe

When it is open, enter c:\windows\system32\ jtrm0791e.dll into the field labeled "Full path of file to delete".

Select the Delete on reboot option.

Then press the button that looks like a red circle with a white X in it.

Your computer will reboot and check to see if the file is gone.

Then give me a last findit log and a hijackthis log

#15 jgreg32

jgreg32
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:07:35 PM

Posted 09 January 2005 - 02:23 AM

HijackThis shuts off on O23 NT Services. It says windows encountered an error and needs to shut down. will try again later
here is the new find it log



Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\k\Desktop\01-07-05\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is B0B8-3A7C

Directory of C:\WINDOWS\System32

11/04/2004 10:27 AM 385,024 w?nlogon.exe
10/10/2004 08:59 PM 3,362 gwsaf.txt
03/22/2004 06:36 PM <DIR> dllcache
2 File(s) 388,386 bytes
1 Dir(s) 14,753,923,072 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is B0B8-3A7C

Directory of C:\WINDOWS\System32

11/04/2004 10:27 AM 385,024 w?nlogon.exe
10/10/2004 08:59 PM 3,362 gwsaf.txt
10/03/2004 01:03 PM 899 vsconfig.xml
10/02/2004 12:57 PM 4,212 zllictbl.dat
03/22/2004 07:54 PM 488 WindowsLogon.manifest
03/22/2004 07:54 PM 488 logonui.exe.manifest
03/22/2004 07:54 PM 749 wuaucpl.cpl.manifest
03/22/2004 07:54 PM 749 cdplayer.exe.manifest
03/22/2004 07:54 PM 749 ncpa.cpl.manifest
03/22/2004 07:54 PM 749 nwc.cpl.manifest
03/22/2004 07:54 PM 749 sapi.cpl.manifest
03/22/2004 06:36 PM <DIR> dllcache
11 File(s) 398,218 bytes
1 Dir(s) 14,753,906,688 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is B0B8-3A7C

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is B0B8-3A7C

Directory of C:\WINDOWS\System32

01/06/2005 10:40 PM 7,168 telnet.exe.tmp
09/22/2004 06:46 PM 3,371,008 SETFB.tmp
08/03/2004 11:56 PM 1,236,480 msxml3.dll.tmp
08/23/2001 06:00 PM 2,577 CONFIG.TMP
4 File(s) 4,617,233 bytes
0 Dir(s) 14,753,873,920 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E401E79B-94D6-4244-BC11-5EC3F7242B50}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IPConfTSP]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\n68olgl316q.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
wnlogo~1.exe Thu Nov 4 2004 10:27:16a ..SHR 385,024 376.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 385,024 bytes 376.00 K

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\zsoauo.dll: updates.qoologic.com
C:\WINDOWS\system32\pxzqmz.exe: updates.qoologic.com
C:\WINDOWS\system32\giypzy.dll: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\qgavya.dat: .aspack
C:\WINDOWS\system32\yqikoi.exe: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe /startup"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"NeroCheck"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"Fast start"="C:\\WINDOWS\\system32\\ntnut.exe home"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"VBouncer"="C:\\PROGRA~1\\VBOUNCER\\VirtualBouncer.exe"
"Narrator"="C:\\WINDOWS\\System32\\yqikoi.exe"
"WinTools"="C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsA.exe"







0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users