
HJT Log - Pls help


This topic is locked
1 reply to this topic

#1 deity

  • Members
  • 1 posts

Posted 08 January 2005 - 10:46 AM

THIS PROBLEM IS NOW SOLVED - I WORKED OUT THE SOLUTION BY READING ANOTHER POST IN THESE FORUMS (searched on guard.tmp).

"KILLBOX" ROCKS!

THANKS BLEEPING COMPUTER.


Hi ppl

This one has me beat.

It appears to be a VX2 variant that re-installs itself every time it's removed. At the point of removal it immediately restarts explorer (the desktop disappears, an explorer window opens and an additional quickstart toolbar appears next to the "Start" button).

I've used Ad-Aware SE, HijackThis and Pest Patrol. I've tracked down 2 files which are obviously associated with it but am unable to delete them due to sharing violations (even in safe mode). They are j40s0ed7eh0.dll, m8nq0i55e8.dll and guard.tmp; all are 218 KB. A copy of the guard file is attached.

---------- HJT Log ----------------

Logfile of HijackThis v1.98.2
Scan saved at 7:13:59 AM, on 9/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Billionton\Bluetooth Software\bin\btwdins.exe
C:\WINNT\system32\crypserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Conversions Plus\FORMATM.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\slpservice.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\slpmonx.exe
C:\WINNT\System32\TSIRCSRV.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\TSI32\tsircusr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\system32\hppropty.exe
C:\PROGRA~1\PERFEC~1\OPTICA~1\V3.0\LWB3DAPP.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\ActiveTracker 2.0 for Outlook Express\ReadNotify.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\RNmail\rn.exe
C:\WINNT\system32\HPJETDSC.EXE
C:\WINNT\system32\HPJETDSC.EXE
C:\Program Files\Conversions Plus\MacName.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Billionton\Bluetooth Software\BTTray.exe
C:\PROGRA~1\ERICSSON\MOBILE~1\EPMWOR~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\SpamBuster\spamBuster.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\NeoTracePro\NeoTrace.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.dlslawyers.com;www.dls-lawyers.com;http://192.168.1.151;http://www.powermedia.com.au; ebay.com.au; ebay.co http://www.tradingpost.com.au;<local>
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\TSI32\tsircusr.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\Conversions Plus\MacLic.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
O4 - HKLM\..\Run: [HP LaserJet ToolBox] hppropty.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\PROGRA~1\PERFEC~1\OPTICA~1\V3.0\LWB3DAPP.EXE
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [ActiveTracker for Outlook Express] C:\Program Files\ActiveTracker 2.0 for Outlook Express\ReadNotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [RNmail] "C:\Program Files\RNmail\rn.exe" /path "C:\Program Files\RNmail"
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
O4 - Global Startup: MacName.lnk = C:\Program Files\Conversions Plus\MacName.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: TrueSync Launcher.lnk = C:\Program Files\Starfish\TrueSync\TSTool.exe
O4 - Global Startup: MaxFinder.lnk = C:\Program Files\Maximizer\MxFinder.exe
O4 - Global Startup: MaxAlarm.lnk = C:\Program Files\Maximizer\MxAlarm.exe
O4 - Global Startup: SmartCapture.lnk = C:\WINNT\Seiko\slpcap.exe
O4 - Global Startup: SmartNetMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Billionton\Bluetooth Software\BTTray.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F8A4244-F647-476B-B4AB-EB96FF1685B2}: NameServer = 203.164.20.11,203.164.20.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mirnd1.nsw.optushome.com.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{3F8A4244-F647-476B-B4AB-EB96FF1685B2}: NameServer = 203.164.20.11,203.164.20.10
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mirnd1.nsw.optushome.com.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F8A4244-F647-476B-B4AB-EB96FF1685B2}: NameServer = 203.164.20.11,203.164.20.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mirnd1.nsw.optushome.com.au



----------- Findit log -----------------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Nasty vx2 infection\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is B867-4AFC

Directory of C:\WINNT\System32

06/06/2002 12:51a <DIR> dllcache
0 File(s) 0 bytes
1 Dir(s) 797,302,784 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is B867-4AFC

Directory of C:\WINNT\System32

03/04/2004 04:40a 582 ws045380.ocx
03/04/2004 04:09a 511 ws230193.ocx
13/03/2004 09:31p 38,249 install.log
28/07/2003 11:08a 51,907 Hpjahlp.GID
21/07/2003 04:45p 31,843 timesync.GID
19/03/2003 03:21p 268,681 R_DK_PCLXL_600_11.csv
19/03/2003 03:19p 268,663 R_HK_PCLXL_600_11.csv
19/03/2003 12:35p 24,504 R_DK_RPDL_400.csv
19/03/2003 12:21p 32,078 R_DK_RPDL_600.csv
19/03/2003 12:21p 32,390 R_HK_RPDL_600.csv
19/03/2003 12:21p 135,193 R_HK_RPCS_ALL.csv
19/03/2003 12:20p 24,499 R_HK_RPDL_400.csv
19/03/2003 12:20p 135,209 R_DK_RPCS_ALL.csv
19/03/2003 11:12a 355,585 R_HK_PCL5E_600.csv
19/03/2003 11:08a 245,783 R_HK_PCL5E_300.csv
13/03/2003 07:55p 243,953 R_DK_PCL5E_300.csv
13/03/2003 07:54p 355,674 R_DK_PCL5E_600.csv
12/03/2003 06:17p 2,594 R_HK_RPDL_1200.csv
12/03/2003 06:16p 2,594 R_DK_RPDL_1200.csv
05/03/2003 07:56p 19,969 R_HK_PCLXL_1200_11.csv
05/03/2003 07:56p 19,203 R_DK_PCLXL_1200_11.csv
12/11/2002 02:15p 8,628 testpage.GID
06/06/2002 02:59a <DIR> GroupPolicy
06/06/2002 12:51a <DIR> dllcache
29/03/2002 03:45a 21,692 FOLDER.HTT
29/03/2002 03:45a 271 DESKTOP.INI
18/09/2001 01:40p 1,774 R_HK_IPDLC_ALL.csv
18/09/2001 01:40p 1,771 R_DK_IPDLC_ALL.csv
05/11/2000 08:57p 230 R_DHK_IPDLC_NOMEM.csv
27 File(s) 2,324,030 bytes
2 Dir(s) 797,294,592 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is B867-4AFC

Directory of C:\WINNT\System32

09/01/2005 07:16a 222,677 guard.tmp
09/01/2005 07:02a 222,677 Copy of guard tmp.bak
2 File(s) 445,354 bytes
0 Dir(s) 797,286,400 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is B867-4AFC

Directory of C:\WINNT\System32

09/01/2005 07:16a 222,677 guard.tmp
1 File(s) 222,677 bytes
0 Dir(s) 797,278,208 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{DCB333C0-35FC-4A35-AB6F-A62EEAD01DFD}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINNT\\system32\\j40s0ed7eh0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify]
"DllName"="PCANotify.dll"
"Startup"="WLEventStartup"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------- Locate.com Results -------------

No matches found.

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4serv.exe"
"Synchronization Manager"="mobsync.exe /logon"
"WinFaxAppPortStarter"="wfxsnt40.exe"
"MacLicense"="\"C:\\Program Files\\Conversions Plus\\MacLic.exe\""
"Iomega Startup Options"="C:\\Program Files\\Iomega\\Common\\ImgStart.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe"
"HP LaserJet ToolBox"="hppropty.exe"
"LWBMOUSE"="C:\\PROGRA~1\\PERFEC~1\\OPTICA~1\\V3.0\\LWB3DAPP.EXE"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"JobHisInit"="C:\\Program Files\\RMClient\\JobHisInit.exe"
"MplSetUp"="C:\\Program Files\\RMClient\\MplSetUp.exe"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"XTNDConnect PC - ErPhn2"="C:\\PROGRA~1\\COMMON~1\\XCPCSync\\TRANSL~1\\ErPhn2\\ErTray.exe"
"ActiveTracker for Outlook Express"="C:\\Program Files\\ActiveTracker 2.0 for Outlook Express\\ReadNotify.exe"
"NeroFilterCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"PestPatrol Control Center"="C:\\PROGRA~1\\PESTPA~1\\PPControl.exe"
"PPMemCheck"="C:\\PROGRA~1\\PESTPA~1\\PPMemCheck.exe"
"CookiePatrol"="C:\\PROGRA~1\\PESTPA~1\\CookiePatrol.exe"
"RNmail"="\"C:\\Program Files\\RNmail\\rn.exe\" /path \"C:\\Program Files\\RNmail\""
"PestPatrolCL"=""
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"





Thanks for looking at this.

Edited by deity, 08 January 2005 - 01:45 PM.
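The persistence shown in the "Keys Under Notify" section above is the CSCSettings package, whose DllName is C:\WINNT\system32\j40s0ed7eh0.dll: Winlogon Notify DLLs are loaded by winlogon.exe at boot, which fits a file that cannot be deleted for sharing violations even in safe mode. The following is an added example (not part of the original post) that parses that REGEDIT4 dump and flags Notify packages whose DllName is an absolute path rather than a bare System32 name, or a random-looking letter/digit mix; the heuristic and the trimmed sample are my own.

```python
"""Flag suspicious Winlogon\\Notify packages in a REGEDIT4 (Find It style) dump.
Heuristic (an assumption, not a vendor rule): stock Windows 2000 packages register
a bare DLL name resolved from System32, so absolute paths and random names stand out."""
import re

# Constructed subset of the Notify section from the log above.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CSCSettings]
"DllName"="C:\\WINNT\\system32\\j40s0ed7eh0.dll"
"Logon"="WinLogon"
'''
NOTIFY_PREFIX = "\\winlogon\\notify\\"          # parent key itself has no trailing slash
RANDOM_NAME = re.compile(r"^[a-z0-9]{8,}\.dll$")

def parse_notify(text):
    """Return {package_name: dll_name}; hex(2) values are REG_EXPAND_SZ as ANSI bytes."""
    packages, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and NOTIFY_PREFIX in line.lower():
            current = line[1:-1].rsplit("\\", 1)[1]   # subkey = package name
            continue
        m = re.match(r'"dllname"=(.*)', line, re.IGNORECASE)
        if current and m:
            value = m.group(1)
            if value.lower().startswith("hex(2):"):
                raw = bytes(int(b, 16) for b in value[7:].split(","))
                value = raw.decode("latin-1").rstrip("\x00")
            else:                                       # .reg doubles backslashes
                value = value.strip('"').replace("\\\\", "\\")
            packages[current] = value
    return packages

def suspicious(packages):
    """Return {package: reason} for entries matching either heuristic."""
    hits = {}
    for name, dll in packages.items():
        base = dll.rsplit("\\", 1)[-1].lower()
        if RANDOM_NAME.match(base) and sum(c.isdigit() for c in base) >= 3:
            hits[name] = "random-looking file name: " + dll
        elif "\\" in dll:
            hits[name] = "absolute path instead of bare System32 name: " + dll
    return hits

if __name__ == "__main__":
    for pkg, why in suspicious(parse_notify(SAMPLE)).items():
        print(pkg, "->", why)
```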



#2 Grinler (Lawrence Abrams)

  • Admin
  • 43,659 posts
  • Location:USA

Posted 08 January 2005 - 10:36 PM

Good job!



