#1

Registered User
Join Date: Mar 2005
Posts: 17
OS: Win XP
HJT Log
Hello all,
The boss sent someone over to me last week so I could look at his personal laptop which was apparently giving the guy fits. Turns out it was infected with an outrageous number of spyware and adware programs. I've run Ad Aware SE, Spybot, and even Microsoft's Beta version, plus I've run AVG. Now the definitions aren't 100% up to date because I'm afraid to hook this thing up to the network because every time it boots up it tries to connect to www.search-pounder.com and www.a-d-w-a-r-e.com, but since it isn't hooked up to a phone line it can't do anything. One item I know it had was 'Surf Side Kick' which I think I've gotten rid of. Here's the HJT log I'm left with, which has been run through the analyzer. Any advice is appreciated:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 12:22:12 PM, on 3/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Utilities\Notebook Utilities\hptasks.exe
C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
C:\WINDOWS\System32\sysmonnt.exe
C:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O4 - HKLM\..\Run: [TV Now] C:\Program Files\Utilities\Notebook Utilities\HpTvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [Presentation Ready] C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\o666lgjs16o6.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

End of KRC HijackThis Analyzer Log.
====================================================================
#2

Analyst, Security Team
You have two antivirus programs installed (TrendMicro and AVG). Uninstall one of them now - don't have both.
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked.

Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\System32\sysmonnt.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\System32\sysmonnt.exe

Reboot into Normal Mode and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

#3

Registered User
Join Date: Mar 2005
Posts: 17
OS: Win XP
Good morning,
Got rid of TrendMicro, and followed your instructions. I was able to delete the sysmonnt.exe file in safe mode, but the 2 items you indicated for removal in HJT weren't available to fix until I rebooted into normal mode. When I rebooted into normal mode, the attempt to connect was still occurring. I've now fixed the R3 URL Search Hook, and the O4 HKCU sysmonnt items, but didn't want to reboot again in case there were other steps based on my new log. Here is this morning's log. Thank you so much for your assistance, Paul

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 6:34:15 AM, on 3/15/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Utilities\Notebook Utilities\hptasks.exe
C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
C:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O4 - HKLM\..\Run: [TV Now] C:\Program Files\Utilities\Notebook Utilities\HpTvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [Presentation Ready] C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\hrjs0517e.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

End of KRC HijackThis Analyzer Log.
====================================================================

#4

Analyst, Security Team
You may restart before giving us a new log (so it's more up-to-date after doing the deletions).
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O20 - Winlogon Notify: Run - C:\WINDOWS\system32\hrjs0517e.dll

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\hrjs0517e.dll

Reboot into Normal Mode and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

#5

Registered User
Join Date: Mar 2005
Posts: 17
OS: Win XP
Good morning,
It is not going well this morning. Every time I reboot, the O20 Winlogon Notify line changes. And even when I try to delete whatever new dll file name it tosses at me, it tells me the file is in use, and I must shut something down in order to delete it. Usually I only have the Search window open, or a Windows Explorer window that I used to navigate to the C:\WINDOWS\SYSTEM32 folder with. I have done this in both Safe mode and Normal mode (see note below about how I've been booting into Safe Mode). I'm giving you another analyzed HJT file that was done after a normal reboot.

Also, I just realized something that may or may not make a difference, but for some reason I can't get F8 to launch safe mode on this laptop (an hp pavilion xt155), so I've been using msconfig and choosing the Diagnostic Start up.

Thanks again for your assistance, Paul

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Logfile of HijackThis v1.99.1
Scan saved at 5:35:23 AM, on 3/16/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe
C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
C:\Program Files\Utilities\Notebook Utilities\hptasks.exe
C:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4nb.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [Presentation Ready] C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\u0ru0a99ed.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

End of KRC HijackThis Analyzer Log.
====================================================================

#7

Analyst, Security Team
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link doesn't work) and install it. Do not run it yet.

Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready. With that said (when ready):

Open up HijackThis and go to Config->Misc Tools and check the first two boxes there. Now click on the Generate StartupList log button. Post that log in your next post.

Right click on this link and choose Save As...Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on Silent Runners to run it. This will take a few minutes. It will create a file called Startup Programs followed by your computer name and current date. Open up that file and post all the contents here in your next post.

Download Find-qoologic. Unzip the files to your Desktop. Open the qoologic folder and run the qoologic.bat file. Wait a few minutes for it to finish. When the dos window disappears, go to your C: drive and open up the log.txt file. Copy and paste the whole log in your next post.

Download DllCompare and run it. Click on the Locate.com button. Wait a few seconds and then click on the Compare button. Let it run, then click on Make a log of what was found. Post that log here.

Note: If you are having problems using DllCompare (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now run DllCompare.

Download Find It and unzip it. Open up the folder and double click on the find.bat file. Let it run for a while. After it's finished, open up file. Copy and paste the contents to the forums.

Post all of the logs in your next post. We need them all to get a fix for this infection.

#8

Registered User
Join Date: Mar 2005
Posts: 17
OS: Win XP
All right, that took a bit, but I think I've got everything. Qoologic ran, but there isn't much in the log, don't know if that's a problem, or if it simply did what it was supposed to.
Again, thanks for the assistance! Paul

Here's the Startup List Log:

StartupList report, 3/17/2005, 11:26:53 AM
StartupList version: 1.52.2
Started from : C:\hijackthis\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Utilities\Notebook Utilities\hptasks.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
StorageGuard = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
QT4HPOT = C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
Presentation Ready = C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r
PreloadApp = c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
hpsysdrv = c:\windows\system\hpsysdrv.exe
hpScannerFirstBoot = c:\hp\drivers\scanners\scannerfb.exe
hp Silent Service = C:\Windows\system32\HpSrvUI.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
Display Settings = C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s
CARPService = carpserv.exe
AVG7_EMC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ss3dfo.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub...sh/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,109 bytes
Report generated in 0.150 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only

Silent Runners log:

"Silent Runners.vbs", revision 29, launched at: 11:31
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP

Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"StorageGuard" = ""C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r" ["VERITAS Software, Inc."]
"RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"QT4HPOT" = "C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE" ["Dritek System Inc."]
"Presentation Ready" = "C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r" ["Hewlett-Packard"]
"PreloadApp" = "c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d" [null data]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"hpScannerFirstBoot" = "c:\hp\drivers\scanners\scannerfb.exe" ["Hewlett-Packard Co."]
"hp Silent Service" = "C:\Windows\system32\HpSrvUI.exe" ["Hewlett-Packard Co."]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["VERITAS Software, Inc."]
"Display Settings" = "C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s" ["Hewlett-Packard"]
"CARPService" = "carpserv.exe" ["Conexant Systems, Inc."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{C46B2FE9-4E97-41F4-9729-7CCD6C174125}" = "HP Notebook Utilities"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Utilities\Notebook Utilities\hpnbcpex.dll" ["Hewlett-Packard Co."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\dla\tfswshx.dll" ["VERITAS Software, Inc."]
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "America Online"
  -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
"{918E9A48-6797-47EA-BE96-DA555E96C981}" = (no title provided)
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\iietcomm.dll" [file not found]
"{6420135A-397A-444A-BB0C-248CFC4A8DCB}" = (no title provided)
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\kcdbene.dll" [null data]
"{5C36201D-AECC-470C-A092-5E69B7E24829}" = (no title provided)
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\avi3duag.dll" [null data]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "OemStartMenuData\DLLName" = "C:\WINDOWS\system32\u0ru0a99ed.dll" [null data]

Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"America Online 7.0 Tray Icon" -> shortcut to: "C:\Program Files\America Online 7.0\aoltray.exe -check" ["America Online, Inc."]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
HP Configuration Interface Service, HPConfig, "C:\WINDOWS\system32\HPConfig.exe" ["Hewlett-Packard"]
HPWirelessMgr, HPWirelessMgr, "C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe" ["Hewlett-Packard Co."]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

qoologic

C:\Documents and Settings\Owner\Desktop\Find-qoologic\qoologic

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Files Found in system Folder............
------------------------

Files Found in all users startup Folder............
------------------------

dllcompare log:

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\aenbho.dll Fri Mar 4 2005 11:25:34a ..S.R 231,046 225.63 K
C:\WINDOWS\SYSTEM32\afvpack.dll Wed Feb 23 2005 5:47:14p ..S.R 229,736 224.35 K
C:\WINDOWS\SYSTEM32\agctres.dll Mon Mar 14 2005 11:19:58a ..S.R 231,046 225.63 K
C:\WINDOWS\SYSTEM32\avi3duag.dll Wed Mar 16 2005 5:22:30a ..S.R 229,083 223.71 K
C:\WINDOWS\SYSTEM32\cmmcat.dll Fri Mar 4 2005 11:20:24a ..S.R 232,141 226.70 K
C:\WINDOWS\SYSTEM32\cutsrvps.dll Fri Mar 4 2005 8:32:06a ..S.R 231,502 226.07 K
C:\WINDOWS\SYSTEM32\dccpmon.dll Fri Mar 4 2005 11:14:26a ..S.R 232,141 226.70 K
C:\WINDOWS\SYSTEM32\ddmasf.dll Fri Mar 4 2005 12:19:08p ..S.R 231,255 225.83 K
C:\WINDOWS\SYSTEM32\di32gt.dll Wed Mar 16 2005 5:04:24a ..S.R 230,326 224.93 K
C:\WINDOWS\SYSTEM32\domsvinn.dll Thu Mar 3 2005 10:48:50a ..S.R 231,502 226.07 K
C:\WINDOWS\SYSTEM32\dwtmsft.dll Mon Mar 14 2005 12:43:14p ..S.R 231,205 225.79 K
C:\WINDOWS\SYSTEM32\dy8vb.dll Fri Mar 4 2005 11:32:28a ..S.R 231,255 225.83 K
C:\WINDOWS\SYSTEM32\en66l1~1.dll Sun Feb 27 2005 6:44:38p ..S.R 229,736 224.35 K
C:\WINDOWS\SYSTEM32\hqetcfg.dll Tue Mar 15 2005 6:29:02a ..S.R 229,611 224.23 K
C:\WINDOWS\SYSTEM32\hr8605~1.dll Wed Mar 16 2005 5:29:16a ..S.R 230,758 225.35 K
C:\WINDOWS\SYSTEM32\ieq.dll Wed Mar 16 2005 4:58:58a ..S.R 230,931 225.52 K
C:\WINDOWS\SYSTEM32\iumontr.dll Mon Mar 14 2005 11:51:04a ..S.R 231,046 225.63 K
C:\WINDOWS\SYSTEM32\jgvaee.dll Fri Mar 4 2005 12:02:20p ..S.R 231,046 225.63 K
C:\WINDOWS\SYSTEM32\kcdbene.dll Wed Mar 16 2005 5:29:16a ..S.R 230,073 224.68 K
C:\WINDOWS\SYSTEM32\kcdhe319.dll Fri Mar 4 2005 11:21:40a ..S.R 228,745 223.38 K
C:\WINDOWS\SYSTEM32\khdlt1.dll Tue Mar 15 2005 4:35:10a ..S.R 231,504 226.08 K
C:\WINDOWS\SYSTEM32\kjuser.dll Fri Mar 11 2005 12:09:52p ..S.R 231,195 225.77 K
C:\WINDOWS\SYSTEM32\ktdes.dll Mon Mar 14 2005 11:33:48a ..S.R 231,290 225.87 K
C:\WINDOWS\SYSTEM32\mfc42.dll Sat Aug 18 2001 4:00:00a A.SH. 995,383 972.05 K
C:\WINDOWS\SYSTEM32\moaudite.dll Wed Feb 23 2005 6:24:12p ..S.R 231,502 226.07 K
C:\WINDOWS\SYSTEM32\msvcirt.dll Sat Aug 18 2001 4:00:00a A.SH. 50,688 49.50 K
C:\WINDOWS\SYSTEM32\msvcp60.dll Sat Aug 18 2001 4:00:00a A.SH. 401,462 392.05 K
C:\WINDOWS\SYSTEM32\msvcrt.dll Sat Aug 18 2001 4:00:00a A.SH. 322,560 315.00 K
C:\WINDOWS\SYSTEM32\myrddm.dll Tue Mar 15 2005 6:12:44a ..S.R 229,188 223.82 K
C:\WINDOWS\SYSTEM32\mzc40u.dll Fri Mar 4 2005 8:51:50a ..S.R 232,272 226.83 K
C:\WINDOWS\SYSTEM32\nimarta.dll Tue Mar 15 2005 6:19:28a ..S.R 229,287 223.91 K
C:\WINDOWS\SYSTEM32\npvdmd.dll Tue Mar 15 2005 6:31:20a ..S.R 230,326 224.93 K
C:\WINDOWS\SYSTEM32\ohbctrac.dll Thu Mar 3 2005 10:23:06a ..S.R 231,502 226.07 K
C:\WINDOWS\SYSTEM32\oleaut32.dll Sat Aug 18 2001 4:00:00a A.SH. 569,344 556.00 K
C:\WINDOWS\SYSTEM32\olepro32.dll Sat Aug 18 2001 4:00:00a A.SH. 106,496 104.00 K
C:\WINDOWS\SYSTEM32\pllmon.dll Thu Mar 3 2005 10:57:48a ..S.R 232,272 226.83 K
C:\WINDOWS\SYSTEM32\pqrfctrs.dll Fri Mar 4 2005 11:00:06a ..S.R 231,591 226.16 K
C:\WINDOWS\SYSTEM32\qidwipes.dll Fri Mar 4 2005 11:23:38a ..S.R 229,625 224.24 K
C:\WINDOWS\SYSTEM32\rupcfgex.dll Fri Mar 11 2005 11:13:20a ..S.R 231,046 225.63 K
C:\WINDOWS\SYSTEM32\rvutetab.dll Wed Mar 16 2005 5:19:38a ..S.R 231,111 225.69 K
C:\WINDOWS\SYSTEM32\u0ru0a~1.dll Wed Mar 16 2005 5:22:30a ..S.R 230,073 224.68 K
C:\WINDOWS\SYSTEM32\wdn32spl.dll Wed Mar 16 2005 5:08:46a ..S.R 231,111 225.69 K
C:\WINDOWS\SYSTEM32\wfigest.dll Fri Mar 4 2005 9:00:18a ..S.R 231,502 226.07 K
C:\WINDOWS\SYSTEM32\wgnetmgr.dll Fri Mar 4 2005 11:19:06a ..S.R 228,279 222.93 K
C:\WINDOWS\SYSTEM32\wpashext.dll Wed Mar 16 2005 5:14:42a ..S.R 229,148 223.78 K
C:\WINDOWS\SYSTEM32\wwwfax.dll Fri Mar 4 2005 10:38:40a ..S.R 231,591 226.16 K
________________________________________________
1,160 items found: 1,160 files (46 H/S), 0 directories.
Total of file sizes: 212,208,855 bytes 202.38 M
Administrator Account = True
--------------------End log---------------------

Find It Log:

Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\WINDOWS\system32

------- System Files in System32 Directory -------

 Volume in drive C is NOTEBOOK
 Volume Serial Number is D482-D55F

 Directory of C:\WINDOWS\System32

03/16/2005  05:29 AM           230,073 kcdbene.dll
03/16/2005  05:29 AM           230,758 hr8605lse.dll
03/16/2005  05:22 AM           229,083 avi3duag.dll
03/16/2005  05:22 AM           230,073 u0ru0a99ed.dll
03/16/2005  05:19 AM           231,111 rvutetab.dll
03/16/2005  05:14 AM           229,148 wpashext.dll
03/16/2005  05:08 AM           231,111 wdn32spl.dll
03/16/2005  05:04 AM           230,326 di32gt.dll
03/16/2005  04:58 AM           230,931 ieq.dll
03/15/2005  06:31 AM           230,326 npvdmd.dll
03/15/2005  06:29 AM           229,611 hqetcfg.dll
03/15/2005  06:19 AM           229,287 nimarta.dll
03/15/2005  06:12 AM           229,188 myrddm.dll
03/15/2005  04:35 AM           231,504 khdlt1.dll
03/14/2005  12:43 PM           231,205 dwtmsft.dll
03/14/2005  12:24 PM    <DIR>          dllcache
03/14/2005  11:51 AM           231,046 iumontr.dll
03/14/2005  11:33 AM           231,290 ktdes.dll
03/14/2005  11:19 AM           231,046 agctres.dll
03/11/2005  12:09 PM           231,195 kjuser.dll
03/11/2005  11:13 AM           231,046 rupcfgex.dll
03/04/2005  12:19 PM           231,255 ddmasf.dll
03/04/2005  12:02 PM           231,046 jGvaee.dll
03/04/2005  11:32 AM           231,255 dy8vb.dll
03/04/2005  11:25 AM           231,046 AENBHO.dll
03/04/2005  11:23 AM           229,625 qidwipes.dll
03/04/2005  11:21 AM           228,745 kcdhe319.dll
03/04/2005  11:20 AM           232,141 cmmcat.dll
03/04/2005  11:19 AM           228,279 wgnetmgr.dll
03/04/2005  11:14 AM           232,141 dccpmon.dll
03/04/2005  11:00 AM           231,591 pqrfctrs.dll
03/04/2005  10:38 AM           231,591 wwwfax.dll
03/04/2005  09:00 AM           231,502 wfigest.dll
03/04/2005  08:51 AM           232,272 mzc40u.dll
03/04/2005  08:32 AM           231,502 cUtsrvps.dll
03/03/2005  10:57 AM           232,272 pllmon.dll
03/03/2005  10:48 AM           231,502 domsvinn.dLL
03/03/2005  10:23 AM           231,502 ohbctrac.dll
02/27/2005  06:44 PM           229,736 en66l1js1.dll
02/23/2005  06:24 PM           231,502 moaudite.dll
02/23/2005  05:47 PM           229,736 afvpack.dll
10/10/2002  10:38 AM    <DIR>          Microsoft
08/18/2001  04:00 AM           401,462 msvcp60.dll
08/18/2001  04:00 AM           106,496 olepro32.dll
08/18/2001  04:00 AM           569,344 oleaut32.dll
08/18/2001
04:00 AM 322,560 msvcrt.dll 08/18/2001 04:00 AM 9,728 regsvr32.exe 08/18/2001 04:00 AM 50,688 msvcirt.dll 08/18/2001 04:00 AM 995,383 mfc42.dll 47 File(s) 11,685,260 bytes 2 Dir(s) 23,638,061,056 bytes free ------- Hidden Files in System32 Directory ------- Volume in drive C is NOTEBOOK Volume Serial Number is D482-D55F Directory of C:\WINDOWS\System32 03/14/2005 12:24 PM <DIR> dllcache 10/10/2002 09:16 AM 488 logonui.exe.manifest 10/10/2002 09:16 AM 488 WindowsLogon.manifest 10/10/2002 09:16 AM 749 cdplayer.exe.manifest 10/10/2002 09:16 AM 749 sapi.cpl.manifest 10/10/2002 09:16 AM 749 nwc.cpl.manifest 10/10/2002 09:16 AM 749 ncpa.cpl.manifest 10/10/2002 09:16 AM 749 wuaucpl.cpl.manifest 08/18/2001 04:00 AM 569,344 oleaut32.dll 08/18/2001 04:00 AM 106,496 olepro32.dll 08/18/2001 04:00 AM 9,728 regsvr32.exe 08/18/2001 04:00 AM 50,688 msvcirt.dll 08/18/2001 04:00 AM 995,383 mfc42.dll 08/18/2001 04:00 AM 401,462 msvcp60.dll 08/18/2001 04:00 AM 322,560 msvcrt.dll 14 File(s) 2,460,382 bytes 1 Dir(s) 23,638,056,960 bytes free ------------ Files Named "Guard" --------------- Volume in drive C is NOTEBOOK Volume Serial Number is D482-D55F Directory of C:\WINDOWS\System32 ------ Temp Files in System32 Directory ------ Volume in drive C is NOTEBOOK Volume Serial Number is D482-D55F Directory of C:\WINDOWS\System32 08/18/2001 04:00 AM 2,577 CONFIG.TMP 1 File(s) 2,577 bytes 0 Dir(s) 23,638,056,960 bytes free ------------------ User Agent ---------------- REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "{73FF33F8-E486-44D3-A9E6-CD5E856ECCCB}"="" ------------- Keys Under Notify ------------- REGEDIT4 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00 
"Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OemStartMenuData] "Asynchronous"=dword:00000000 "DllName"="C:\\WINDOWS\\system32\\u0ru0a99ed.dll" "Impersonate"=dword:00000000 "Logon"="WinLogon" "Logoff"="WinLogoff" "Shutdown"="WinShutdown" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00 "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 
"StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00 "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 ------------- Locate.com Results ------------- -------- Strings.exe Qoologic Results -------- --------- Strings.exe Aspack Results --------- -------------- HKLM Run Key ---------------- REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe" "SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe" "StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r" "RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER" "QT4HPOT"="C:\\PROGRA~1\\UTILIT~1\\ONE-TO~1\\OneTouch.EXE" "Presentation Ready"="C:\\Program Files\\Utilities\\Presentation Ready\\PresRdy.exe -r" "PreloadApp"="c:\\hp\\drivers\\printers\\photosmart\\hphprld.exe c:\\hp\\drivers\\printers\\photosmart\\setup.exe -d" "hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe" 
"hpScannerFirstBoot"="c:\\hp\\drivers\\scanners\\scannerfb.exe" "hp Silent Service"="C:\\Windows\\system32\\HpSrvUI.exe" "gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\"" "dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe" "Display Settings"="C:\\Program Files\\Utilities\\Notebook Utilities\\hptasks.exe /s" "CARPService"="carpserv.exe" "AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe" "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP" "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe" |
#9
Analyst, Security Team
OK, you have a lot to delete here, so take your time on this.
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup.

While in the Registry Editor, navigate to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
and delete OemStartMenuData

Next go to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
and delete these:
{918E9A48-6797-47EA-BE96-DA555E96C981}
{6420135A-397A-444A-BB0C-248CFC4A8DCB}
{5C36201D-AECC-470C-A092-5E69B7E24829}

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Download KillBox (http://www.greyknight17.com/spy/KillBox.exe). Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out.

Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):
C:\WINDOWS\system32\iietcomm.dll
C:\WINDOWS\system32\avi3duag.dll
C:\WINDOWS\system32\kcdbene.dll
c:\windows\system32\aenbho.dll
c:\windows\system32\afvpack.dll
c:\windows\system32\agctres.dll
c:\windows\system32\avi3duag.dll
c:\windows\system32\cmmcat.dll
c:\windows\system32\cutsrvps.dll
c:\windows\system32\dccpmon.dll
c:\windows\system32\ddmasf.dll
c:\windows\system32\di32gt.dll
c:\windows\system32\domsvinn.dll
c:\windows\system32\dwtmsft.dll
c:\windows\system32\dy8vb.dll
c:\windows\system32\en66l1~1.dll
c:\windows\system32\hqetcfg.dll
c:\windows\system32\hr8605~1.dll
c:\windows\system32\ieq.dll
c:\windows\system32\iumontr.dll
c:\windows\system32\jgvaee.dll
c:\windows\system32\kcdbene.dll
c:\windows\system32\kcdhe319.dll
c:\windows\system32\khdlt1.dll
c:\windows\system32\kjuser.dll
c:\windows\system32\ktdes.dll
c:\windows\system32\moaudite.dll
c:\windows\system32\myrddm.dll
c:\windows\system32\mzc40u.dll
c:\windows\system32\nimarta.dll
c:\windows\system32\npvdmd.dll
c:\windows\system32\ohbctrac.dll
c:\windows\system32\pllmon.dll
c:\windows\system32\pqrfctrs.dll
c:\windows\system32\qidwipes.dll
c:\windows\system32\rupcfgex.dll
c:\windows\system32\rvutetab.dll
c:\windows\system32\u0ru0a~1.dll
c:\windows\system32\u0ru0a99ed.dll
c:\windows\system32\wdn32spl.dll
c:\windows\system32\wfigest.dll
c:\windows\system32\wgnetmgr.dll
c:\windows\system32\wpashext.dll
c:\windows\system32\wwwfax.dll

If you have Windows XP, go to C:\Windows\Prefetch and delete everything inside that Prefetch folder.

Run the CleanUp program now and choose Yes when it asks if you want to log off.

Restart and run these programs/scripts again - HijackThis (both the scan log and the StartupList), Silent Runners, Find-qoologic, DllCompare and Find-It. Post those new logs here.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
#10
Registered User
Join Date: Mar 2005
Posts: 17
OS: Win XP
Good morning,
Here's the next set of logs. Still have the connection trying to take place after deleting all that stuff and restarting. Again, thank you for your continued assistance! Paul HJT Log ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 4:40:40 AM, on 3/18/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE C:\Program Files\Utilities\Notebook Utilities\hptasks.exe C:\WINDOWS\System32\DLA\TFSWCMD.EXE C:\WINDOWS\System32\rasautou.exe C:\hijackthis\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4nb.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost; O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE O4 - HKLM\..\Run: [Presentation Ready] C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r O4 - HKLM\..\Run: [Display Settings] C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s O4 - 
Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\hr8605lse.dll (file missing) O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\guard.tmp O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe End of KRC HijackThis Analyzer Log. ==================================================================== HJT Startup: StartupList report, 3/18/2005, 4:41:34 AM StartupList version: 1.52.2 Started from : C:\hijackthis\HijackThis.EXE Detected: Windows XP (WinNT 5.01.2600) Detected: Internet Explorer v6.00 (6.00.2600.0000) * Using default options ================================================== Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\system32\HPConfig.exe C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\rundll32.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE C:\windows\system\hpsysdrv.exe C:\Windows\system32\HpSrvUI.exe C:\Program 
Files\Microsoft AntiSpyware\gcasServ.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Utilities\Notebook Utilities\hptasks.exe C:\WINDOWS\System32\carpserv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\WINDOWS\System32\DLA\TFSWCMD.EXE C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\WINDOWS\System32\rasautou.exe C:\hijackthis\HijackThis.exe -------------------------------------------------- Listing of startup folders: Shell folders Common Startup: [C:\Documents and Settings\All Users\Start Menu\Programs\Startup] America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe -------------------------------------------------- Checking Windows NT UserInit: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\system32\userinit.exe, -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe StorageGuard = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER QT4HPOT = C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE Presentation Ready = C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r PreloadApp = c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d hpsysdrv = c:\windows\system\hpsysdrv.exe hpScannerFirstBoot = c:\hp\drivers\scanners\scannerfb.exe hp Silent Service = C:\Windows\system32\HpSrvUI.exe gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" dla = C:\WINDOWS\system32\dla\tfswctrl.exe Display Settings = C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s CARPService = 
carpserv.exe AVG7_EMC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe -------------------------------------------------- Shell & screensaver key from C:\WINDOWS\SYSTEM.INI: Shell=*INI section not found* SCRNSAVE.EXE=*INI section not found* drivers=*INI section not found* Shell & screensaver key from Registry: Shell=Explorer.exe SCRNSAVE.EXE=C:\WINDOWS\System32\ss3dfo.scr drivers=*Registry value not found* Policies Shell key: HKCU\..\Policies: Shell=*Registry key not found* HKLM\..\Policies: Shell=*Registry value not found* -------------------------------------------------- Enumerating Browser Helper Objects: (no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F} -------------------------------------------------- Enumerating Download Program Files: [Shockwave Flash Object] InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx CODEBASE = http://fpdownload.macromedia.com/pub...sh/swflash.cab -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: PostBootReminder: C:\WINDOWS\system32\SHELL32.dll CDBurn: C:\WINDOWS\system32\SHELL32.dll WebCheck: C:\WINDOWS\System32\webcheck.dll SysTray: C:\WINDOWS\System32\stobject.dll -------------------------------------------------- End of report, 5,212 bytes Report generated in 0.050 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only Dll Compare: * DLLCompare Log version(1.0.0.125) Files Found that Windows does not See or 
cannot Access *Not everything listed here means you are infected! ________________________________________________ C:\WINDOWS\SYSTEM32\kcdbene.dll Wed Mar 16 2005 5:29:16a ..S.R 230,073 224.68 K C:\WINDOWS\SYSTEM32\mfc42.dll Sat Aug 18 2001 4:00:00a A.SH. 995,383 972.05 K C:\WINDOWS\SYSTEM32\msvcirt.dll Sat Aug 18 2001 4:00:00a A.SH. 50,688 49.50 K C:\WINDOWS\SYSTEM32\msvcp60.dll Sat Aug 18 2001 4:00:00a A.SH. 401,462 392.05 K C:\WINDOWS\SYSTEM32\msvcrt.dll Sat Aug 18 2001 4:00:00a A.SH. 322,560 315.00 K C:\WINDOWS\SYSTEM32\oleaut32.dll Sat Aug 18 2001 4:00:00a A.SH. 569,344 556.00 K C:\WINDOWS\SYSTEM32\olepro32.dll Sat Aug 18 2001 4:00:00a A.SH. 106,496 104.00 K ________________________________________________ 1,122 items found: 1,122 files (7 H/S), 0 directories. Total of file sizes: 203,439,402 bytes 194.01 M Administrator Account = True --------------------End log--------------------- quoologic: C:\Documents and Settings\Owner\Desktop\Find-qoologic\qoologic PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. Files Found in system Folder............ ------------------------ C:\WINDOWS\system32\output.txt: -------- Strings.exe Qoologic Results -------- C:\WINDOWS\system32\output.txt: --------- Strings.exe Aspack Results --------- Files Found in all users startup Folder............ 
------------------------ Silent Runner: "Silent Runners.vbs", revision 29, launched at: 04:43 Output limited to non-default values, except where indicated by "{++}" Operating System: Windows XP Startup items buried in registry: --------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."] "SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."] "StorageGuard" = ""C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r" ["VERITAS Software, Inc."] "RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."] "QT4HPOT" = "C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE" ["Dritek System Inc."] "Presentation Ready" = "C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r" ["Hewlett-Packard"] "PreloadApp" = "c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d" [null data] "hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"] "hpScannerFirstBoot" = "c:\hp\drivers\scanners\scannerfb.exe" ["Hewlett-Packard Co."] "hp Silent Service" = "C:\Windows\system32\HpSrvUI.exe" ["Hewlett-Packard Co."] "gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS] "dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["VERITAS Software, Inc."] "Display Settings" = "C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s" ["Hewlett-Packard"] "CARPService" = "carpserv.exe" ["Conexant Systems, Inc."] "AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."] "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."] "ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> resolves to: 
{CLSID}\InprocServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{C46B2FE9-4E97-41F4-9729-7CCD6C174125}" = "HP Notebook Utilities" -> CLSID InProcServer32 resolves to: "C:\Program Files\Utilities\Notebook Utilities\hpnbcpex.dll" ["Hewlett-Packard Co."] "{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess" -> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\dla\tfswshx.dll" ["VERITAS Software, Inc."] "{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "America Online" -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll" ["America Online, Inc."] "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension" -> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension" -> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{6420135A-397A-444A-BB0C-248CFC4A8DCB}" = (no title provided) -> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\guard.tmp" [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! "ShellScrap\DLLName" = "C:\WINDOWS\system32\hr8605lse.dll" [file not found] INFECTION WARNING! 
"SMDEn\DLLName" = "C:\WINDOWS\system32\guard.tmp" [null data] Startup items in "Owner" & "All Users" startup folders: ------------------------------------------------------- C:\Documents and Settings\All Users\Start Menu\Programs\Startup "America Online 7.0 Tray Icon" -> shortcut to: "C:\Program Files\America Online 7.0\aoltray.exe -check" ["America Online, Inc."] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."] AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."] HP Configuration Interface Service, HPConfig, "C:\WINDOWS\system32\HPConfig.exe" ["Hewlett-Packard"] HPWirelessMgr, HPWirelessMgr, "C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe" ["Hewlett-Packard Co."] WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."] ---------- This report excludes default entries except where indicated. To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. ---------- Find It: Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing. 
Find.bat is running from: C:\Documents and Settings\Owner\Desktop\Find It NT-2K-XP\Find It NT-2K-XP ------- System Files in System32 Directory ------- Volume in drive C is NOTEBOOK Volume Serial Number is D482-D55F Directory of C:\WINDOWS\System32 03/17/2005 01:56 PM 230,073 guard.tmp 03/16/2005 05:29 AM 230,073 kcdbene.dll 03/14/2005 12:24 PM <DIR> dllcache 10/10/2002 10:38 AM <DIR> Microsoft 08/18/2001 04:00 AM 995,383 mfc42.dll 08/18/2001 04:00 AM 50,688 msvcirt.dll 08/18/2001 04:00 AM 401,462 msvcp60.dll 08/18/2001 04:00 AM 322,560 msvcrt.dll 08/18/2001 04:00 AM 569,344 oleaut32.dll 08/18/2001 04:00 AM 106,496 olepro32.dll 08/18/2001 04:00 AM 9,728 regsvr32.exe 9 File(s) 2,915,807 bytes 2 Dir(s) 23,636,529,152 bytes free ------- Hidden Files in System32 Directory ------- Volume in drive C is NOTEBOOK Volume Serial Number is D482-D55F Directory of C:\WINDOWS\System32 03/14/2005 12:24 PM <DIR> dllcache 10/10/2002 09:16 AM 488 logonui.exe.manifest 10/10/2002 09:16 AM 488 WindowsLogon.manifest 10/10/2002 09:16 AM 749 cdplayer.exe.manifest 10/10/2002 09:16 AM 749 sapi.cpl.manifest 10/10/2002 09:16 AM 749 nwc.cpl.manifest 10/10/2002 09:16 AM 749 ncpa.cpl.manifest 10/10/2002 09:16 AM 749 wuaucpl.cpl.manifest 08/18/2001 04:00 AM 569,344 oleaut32.dll 08/18/2001 04:00 AM 106,496 olepro32.dll 08/18/2001 04:00 AM 9,728 regsvr32.exe 08/18/2001 04:00 AM 50,688 msvcirt.dll 08/18/2001 04:00 AM 995,383 mfc42.dll 08/18/2001 04:00 AM 401,462 msvcp60.dll 08/18/2001 04:00 AM 322,560 msvcrt.dll 14 File(s) 2,460,382 bytes 1 Dir(s) 23,636,525,056 bytes free ------------ Files Named "Guard" --------------- Volume in drive C is NOTEBOOK Volume Serial Number is D482-D55F Directory of C:\WINDOWS\System32 03/17/2005 01:56 PM 230,073 guard.tmp 1 File(s) 230,073 bytes 0 Dir(s) 23,636,525,056 bytes free ------ Temp Files in System32 Directory ------ Volume in drive C is NOTEBOOK Volume Serial Number is D482-D55F Directory of C:\WINDOWS\System32 03/17/2005 01:56 PM 230,073 guard.tmp 08/18/2001 
04:00 AM 2,577 CONFIG.TMP 2 File(s) 232,650 bytes 0 Dir(s) 23,636,525,056 bytes free ------------------ User Agent ---------------- REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] "{73FF33F8-E486-44D3-A9E6-CD5E856ECCCB}"="" ------------- Keys Under Notify ------------- REGEDIT4 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00 "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00 "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00 "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] "Logoff"="WLEventLogoff" 
"Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap] "Asynchronous"=dword:00000000 "DllName"="C:\\WINDOWS\\system32\\hr8605lse.dll" "Impersonate"=dword:00000000 "Logon"="WinLogon" "Logoff"="WinLogoff" "Shutdown"="WinShutdown" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn] "Asynchronous"=dword:00000000 "DllName"="C:\\WINDOWS\\system32\\guard.tmp" "Impersonate"=dword:00000000 "Logon"="WinLogon" "Logoff"="WinLogoff" "Shutdown"="WinShutdown" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] "Asynchronous"=dword:00000000 "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00 "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 
------------- Locate.com Results ------------- C:\WINDOWS\SYSTEM32\ guard.tmp Thu Mar 17 2005 1:56:10p ..S.R 230,073 224.68 K kcdbene.dll Wed Mar 16 2005 5:29:16a ..S.R 230,073 224.68 K 2 items found: 2 files, 0 directories. Total of file sizes: 460,146 bytes 449.36 K -------- Strings.exe Qoologic Results -------- C:\WINDOWS\system32\output.txt: -------- Strings.exe Qoologic Results -------- C:\WINDOWS\system32\output.txt: -------- Strings.exe Qoologic Results -------- --------- Strings.exe Aspack Results --------- C:\WINDOWS\system32\output.txt: --------- Strings.exe Aspack Results --------- C:\WINDOWS\system32\output.txt: --------- Strings.exe Aspack Results --------- -------------- HKLM Run Key ---------------- REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe" "SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe" "StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r" "RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER" "QT4HPOT"="C:\\PROGRA~1\\UTILIT~1\\ONE-TO~1\\OneTouch.EXE" "Presentation Ready"="C:\\Program Files\\Utilities\\Presentation Ready\\PresRdy.exe -r" "PreloadApp"="c:\\hp\\drivers\\printers\\photosmart\\hphprld.exe c:\\hp\\drivers\\printers\\photosmart\\setup.exe -d" "hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe" "hpScannerFirstBoot"="c:\\hp\\drivers\\scanners\\scannerfb.exe" "hp Silent Service"="C:\\Windows\\system32\\HpSrvUI.exe" "gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\"" "dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe" "Display Settings"="C:\\Program Files\\Utilities\\Notebook Utilities\\hptasks.exe /s" "CARPService"="carpserv.exe" "AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe" "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP" "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe" |
#11 (permalink)
Analyst, Security Team
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.
Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ and delete SMDEn
Next go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ and delete ShellScrap
Then go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ and delete {6420135A-397A-444A-BB0C-248CFC4A8DCB}
If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.
Check and fix these in HijackThis if they are still there:
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\hr8605lse.dll (file missing)
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\guard.tmp
Download KillBox (http://www.greyknight17.com/spy/KillBox.exe). Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):
C:\WINDOWS\SYSTEM32\guard.tmp
C:\WINDOWS\SYSTEM32\kcdbene.dll
C:\WINDOWS\system32\hr8605lse.dll
If you have Windows XP, go to C:\Windows\Prefetch and delete everything inside that Prefetch folder.
Run the CleanUp program now and choose Yes when it asks if you want to log off.
Restart and run these programs/scripts again - HijackThis (both the scan log and the StartupList), Silent Runners, Find-qoologic, DllCompare and Find-It. Post those new logs here.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
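The "Keys Under Notify" export in the Find-It log above and the SMDEn/ShellScrap deletions in this reply are what the following script automates. It is an added example, not code from the thread or from any of the tools it uses; the embedded .reg text is a constructed, trimmed copy of the posted export, and the stock-DLL allowlist and function names are my own assumptions.

```python
"""Triage Winlogon\\Notify entries from a REGEDIT4 export (added example)."""
import re

# Constructed sample: a trimmed copy of the Notify export posted in the thread.
# hex(2) is REG_EXPAND_SZ, which regedit writes out as comma-separated bytes.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"DllName"="C:\\WINDOWS\\system32\\hr8605lse.dll"
"Logon"="WinLogon"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn]
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Logon"="WinLogon"
'''

# DLLs the stock entries in this thread's export point at. Assumption: this
# allowlist is derived from that log, not from an authoritative list, so
# "not stock" means "verify", not "malicious".
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_value(raw):
    """Turn one .reg right-hand side into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(2):"):  # REG_EXPAND_SZ, NUL-terminated ASCII here
        data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b)
        return data.decode("ascii", "replace").rstrip("\x00")
    return raw  # other value types are passed through untouched


def parse_notify_export(text):
    """Return {subkey: {value_name_lowercased: value}} for keys under Notify.

    Limitation: regedit wraps long hex values across lines with a trailing
    backslash; the export in this thread has none, so that is not handled.
    """
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            # Only subkeys of ...\Winlogon\Notify\ are notification packages.
            if "\\Winlogon\\Notify\\" in path:
                current = path.rsplit("\\", 1)[-1]
                entries[current] = {}
            else:
                current = None
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            entries[current][value.group(1).lower()] = decode_value(value.group(2))
    return entries


def triage(entries):
    """Return [(subkey, reason)] for registrations that deserve a closer look."""
    findings = []
    for name, values in entries.items():
        dll = values.get("dllname")
        if not isinstance(dll, str):
            findings.append((name, "no DllName value"))
            continue
        base = dll.rsplit("\\", 1)[-1].lower()
        reasons = []
        if "\\" in dll:
            reasons.append("absolute path (stock entries use a bare filename)")
        if not base.endswith(".dll"):
            reasons.append("non-.dll extension")
        if base not in STOCK_NOTIFY_DLLS:
            reasons.append("not a stock notify DLL")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for subkey, reason in triage(parse_notify_export(SAMPLE_REG)):
        print(f"{subkey}: {reason}")
```

Run against the sample, only ShellScrap and SMDEn are reported; the same checks apply to a fresh `reg export` of the Notify key on a suspect XP machine.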
#12 (permalink)
Registered User
Join Date: Mar 2005
Posts: 17
OS: Win XP
For some reason, I'm not finding that 3rd file you are asking me to kill with the Killbox.
Additional question: Once I'm done entering all the file names into the killbox, I just exit out of it, or I leave it running?
And because these 2 things might make a difference, the laptop went into hibernation while it's been sitting here today, and I have one of the 'Network Connection' attempts open. I'm not sure if I should leave it alone, or what. I can cancel it, or I can check a box that says 'Don't ask me again until the next time I log on' and then cancel.
Killbox still open and waiting for instructions on how to proceed.
Thanks again for all this assistance,
Paul
#13 (permalink)
Analyst, Security Team
Try this:
Go to Start->Run and type in cmd and hit OK. Then type in each of the following (hitting Enter after each new line):
cd C:\WINDOWS\SYSTEM32\
attrib -s -r -h kcdbene.dll
del kcdbene.dll
attrib -s -r -h hr8605lse.dll
del hr8605lse.dll
exit
Yes, you may close KillBox. Restart and give us a new set of all those logs you posted previously.
#14 (permalink)
Registered User
Join Date: Mar 2005
Posts: 17
OS: Win XP
attrib -s -r -h hr8605lse.dll
Gives me a file not found error. I even played around with letter O vs. zero, and letter L vs. number 1, with no luck.
Should I just continue on with everything else?
Thanks,
Paul
#15 (permalink)
Analyst, Security Team
Yes, proceed with the remaining fixes.
#16 (permalink)
Registered User
Join Date: Mar 2005
Posts: 17
OS: Win XP
I believe we're getting somewhere. Thank you for all this effort!
When I restarted this time I got a Runtime Error in Program:\??\C:\WINDOWS\SYSTEM32\WINLOGON.EXE Before I could write down the rest of the error, it continued with the reboot, and I honestly don't remember what the error was. Now, on this reboot, we have NOT seen any connection attempts. Yipee! ;) Here are the logs, I'm sure we still have a bit of work ahead of us, and again, I thank you for the help. I hope the gentleman who owns the computer appreciates it as much as I do. Thanks, Paul Hijack This Log: ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 10:42:14 AM, on 3/18/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE C:\Program Files\Utilities\Notebook Utilities\hptasks.exe C:\hijackthis\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4nb.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost; O4 - 
HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE O4 - HKLM\..\Run: [Presentation Ready] C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r O4 - HKLM\..\Run: [Display Settings] C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\guard.tmp (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe End of KRC HijackThis Analyzer Log. 
==================================================================== Hijack This Startup Log: StartupList report, 3/18/2005, 10:43:03 AM StartupList version: 1.52.2 Started from : C:\hijackthis\HijackThis.EXE Detected: Windows XP (WinNT 5.01.2600) Detected: Internet Explorer v6.00 (6.00.2600.0000) * Using default options ================================================== Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\system32\HPConfig.exe C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE C:\windows\system\hpsysdrv.exe C:\Windows\system32\HpSrvUI.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Utilities\Notebook Utilities\hptasks.exe C:\WINDOWS\System32\carpserv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\hijackthis\HijackThis.exe -------------------------------------------------- Listing of startup folders: Shell folders Common Startup: [C:\Documents and Settings\All Users\Start Menu\Programs\Startup] America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe -------------------------------------------------- Checking Windows NT UserInit: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\system32\userinit.exe, 
-------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe StorageGuard = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER QT4HPOT = C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE Presentation Ready = C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r PreloadApp = c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d hpsysdrv = c:\windows\system\hpsysdrv.exe hpScannerFirstBoot = c:\hp\drivers\scanners\scannerfb.exe hp Silent Service = C:\Windows\system32\HpSrvUI.exe gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" dla = C:\WINDOWS\system32\dla\tfswctrl.exe Display Settings = C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s CARPService = carpserv.exe AVG7_EMC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe -------------------------------------------------- Shell & screensaver key from C:\WINDOWS\SYSTEM.INI: Shell=*INI section not found* SCRNSAVE.EXE=*INI section not found* drivers=*INI section not found* Shell & screensaver key from Registry: Shell=Explorer.exe SCRNSAVE.EXE=C:\WINDOWS\System32\ss3dfo.scr drivers=*Registry value not found* Policies Shell key: HKCU\..\Policies: Shell=*Registry key not found* HKLM\..\Policies: Shell=*Registry value not found* -------------------------------------------------- Enumerating Browser Helper Objects: (no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F} -------------------------------------------------- Enumerating Download Program Files: [Shockwave Flash Object] InProcServer32 = 
C:\WINDOWS\System32\macromed\flash\Flash.ocx CODEBASE = http://fpdownload.macromedia.com/pub...sh/swflash.cab -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: PostBootReminder: C:\WINDOWS\system32\SHELL32.dll CDBurn: C:\WINDOWS\system32\SHELL32.dll WebCheck: C:\WINDOWS\System32\webcheck.dll SysTray: C:\WINDOWS\System32\stobject.dll -------------------------------------------------- End of report, 5,108 bytes Report generated in 0.050 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only Silent Runner StartupList report, 3/18/2005, 10:43:03 AM StartupList version: 1.52.2 Started from : C:\hijackthis\HijackThis.EXE Detected: Windows XP (WinNT 5.01.2600) Detected: Internet Explorer v6.00 (6.00.2600.0000) * Using default options ================================================== Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\system32\HPConfig.exe C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE C:\windows\system\hpsysdrv.exe C:\Windows\system32\HpSrvUI.exe C:\Program Files\Microsoft 
AntiSpyware\gcasServ.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Utilities\Notebook Utilities\hptasks.exe C:\WINDOWS\System32\carpserv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\hijackthis\HijackThis.exe -------------------------------------------------- Listing of startup folders: Shell folders Common Startup: [C:\Documents and Settings\All Users\Start Menu\Programs\Startup] America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe -------------------------------------------------- Checking Windows NT UserInit: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\system32\userinit.exe, -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe StorageGuard = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER QT4HPOT = C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE Presentation Ready = C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r PreloadApp = c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d hpsysdrv = c:\windows\system\hpsysdrv.exe hpScannerFirstBoot = c:\hp\drivers\scanners\scannerfb.exe hp Silent Service = C:\Windows\system32\HpSrvUI.exe gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" dla = C:\WINDOWS\system32\dla\tfswctrl.exe Display Settings = C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s CARPService = carpserv.exe AVG7_EMC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP ATIPTA = C:\Program Files\ATI Technologies\ATI 
Control Panel\atiptaxx.exe -------------------------------------------------- Shell & screensaver key from C:\WINDOWS\SYSTEM.INI: Shell=*INI section not found* SCRNSAVE.EXE=*INI section not found* drivers=*INI section not found* Shell & screensaver key from Registry: Shell=Explorer.exe SCRNSAVE.EXE=C:\WINDOWS\System32\ss3dfo.scr drivers=*Registry value not found* Policies Shell key: HKCU\..\Policies: Shell=*Registry key not found* HKLM\..\Policies: Shell=*Registry value not found* -------------------------------------------------- Enumerating Browser Helper Objects: (no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F} -------------------------------------------------- Enumerating Download Program Files: [Shockwave Flash Object] InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx CODEBASE = http://fpdownload.macromedia.com/pub...sh/swflash.cab -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: PostBootReminder: C:\WINDOWS\system32\SHELL32.dll CDBurn: C:\WINDOWS\system32\SHELL32.dll WebCheck: C:\WINDOWS\System32\webcheck.dll SysTray: C:\WINDOWS\System32\stobject.dll -------------------------------------------------- End of report, 5,108 bytes Report generated in 0.050 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only qoologic C:\Documents and Settings\Owner\Desktop\Find-qoologic\qoologic PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
Files Found in system Folder............ ------------------------ C:\WINDOWS\system32\output.txt: -------- Strings.exe Qoologic Results -------- C:\WINDOWS\system32\output.txt: --------- Strings.exe Aspack Results --------- Files Found in all users startup Folder............ ------------------------ * DLLCompare Log version(1.0.0.125) Files Found that Windows does not See or cannot Access *Not everything listed here means you are infected! ________________________________________________ C:\WINDOWS\SYSTEM32\m664lg~1.dll Thu Mar 17 2005 1:56:10p ..S.R 230,073 224.68 K C:\WINDOWS\SYSTEM32\mfc42.dll Sat Aug 18 2001 4:00:00a A.SH. 995,383 972.05 K C:\WINDOWS\SYSTEM32\msvcirt.dll Sat Aug 18 2001 4:00:00a A.SH. 50,688 49.50 K C:\WINDOWS\SYSTEM32\msvcp60.dll Sat Aug 18 2001 4:00:00a A.SH. 401,462 392.05 K C:\WINDOWS\SYSTEM32\msvcrt.dll Sat Aug 18 2001 4:00:00a A.SH. 322,560 315.00 K C:\WINDOWS\SYSTEM32\oleaut32.dll Sat Aug 18 2001 4:00:00a A.SH. 569,344 556.00 K C:\WINDOWS\SYSTEM32\olepro32.dll Sat Aug 18 2001 4:00:00a A.SH. 106,496 104.00 K ________________________________________________ 1,121 items found: 1,121 files (7 H/S), 0 directories. Total of file sizes: 203,209,329 bytes 193.79 M Administrator Account = True --------------------End log--------------------- Find It * DLLCompare Log version(1.0.0.125) Files Found that Windows does not See or cannot Access *Not everything listed here means you are infected! ________________________________________________ C:\WINDOWS\SYSTEM32\m664lg~1.dll Thu Mar 17 2005 1:56:10p ..S.R 230,073 224.68 K C:\WINDOWS\SYSTEM32\mfc42.dll Sat Aug 18 2001 4:00:00a A.SH. 995,383 972.05 K C:\WINDOWS\SYSTEM32\msvcirt.dll Sat Aug 18 2001 4:00:00a A.SH. 50,688 49.50 K C:\WINDOWS\SYSTEM32\msvcp60.dll Sat Aug 18 2001 4:00:00a A.SH. 401,462 392.05 K C:\WINDOWS\SYSTEM32\msvcrt.dll Sat Aug 18 2001 4:00:00a A.SH. 322,560 315.00 K C:\WINDOWS\SYSTEM32\oleaut32.dll Sat Aug 18 2001 4:00:00a A.SH. 
569,344 556.00 K C:\WINDOWS\SYSTEM32\olepro32.dll Sat Aug 18 2001 4:00:00a A.SH. 106,496 104.00 K ________________________________________________ 1,121 items found: 1,121 files (7 H/S), 0 directories. Total of file sizes: 203,209,329 bytes 193.79 M Administrator Account = True --------------------End log---------------------
#17 (permalink)
Analyst, Security Team
We should be getting there.
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.
Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ and delete {6420135A-397A-444A-BB0C-248CFC4A8DCB}
If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.
Go into HijackThis and fix this one:
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\guard.tmp (file missing)
Download KillBox (http://www.greyknight17.com/spy/KillBox.exe). Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):
C:\WINDOWS\SYSTEM32\m664lg~1.dll
C:\WINDOWS\system32\guard.tmp
If you have Windows XP, go to C:\Windows\Prefetch and delete everything inside that Prefetch folder.
Run the CleanUp program now and choose Yes when it asks if you want to log off.
Restart and run these programs/scripts again - HijackThis (both the scan log and the StartupList), Silent Runners, Find-qoologic, DllCompare and Find-It. Post those new logs here.
#18 (permalink)
Registered User
Join Date: Mar 2005
Posts: 17
OS: Win XP
Good morning!
Here's the new set of logs. Sorry it took so long, I tried to get them done Friday afternoon before I left work, but I ran out of time, so I just did them all this morning. Thanks again for the assistance! Paul ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 4:58:11 AM, on 3/21/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE C:\Program Files\Utilities\Notebook Utilities\hptasks.exe C:\hijackthis\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4nb.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost; O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE O4 - HKLM\..\Run: [Presentation Ready] C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r O4 - HKLM\..\Run: [Display Settings] C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s O4 - Global Startup: America Online 7.0 Tray 
Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/info/e-center-p O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\m664lgjq16oe.dll (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe End of KRC HijackThis Analyzer Log. ==================================================================== StartupList report, 3/21/2005, 4:58:49 AM StartupList version: 1.52.2 Started from : C:\hijackthis\HijackThis.EXE Detected: Windows XP (WinNT 5.01.2600) Detected: Internet Explorer v6.00 (6.00.2600.0000) * Using default options ================================================== Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\system32\HPConfig.exe C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE C:\windows\system\hpsysdrv.exe C:\Windows\system32\HpSrvUI.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Utilities\Notebook Utilities\hptasks.exe 
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
StorageGuard = "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
QT4HPOT = C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE
Presentation Ready = C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r
PreloadApp = c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
hpsysdrv = c:\windows\system\hpsysdrv.exe
hpScannerFirstBoot = c:\hp\drivers\scanners\scannerfb.exe
hp Silent Service = C:\Windows\system32\HpSrvUI.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
dla = C:\WINDOWS\system32\dla\tfswctrl.exe
Display Settings = C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s
CARPService = carpserv.exe
AVG7_EMC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ss3dfo.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub...sh/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,107 bytes
Report generated in 0.060 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

"Silent Runners.vbs", revision 29, launched at: 04:59
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP

Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"StorageGuard" = ""C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r" ["VERITAS Software, Inc."]
"RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"QT4HPOT" = "C:\PROGRA~1\UTILIT~1\ONE-TO~1\OneTouch.EXE" ["Dritek System Inc."]
"Presentation Ready" = "C:\Program Files\Utilities\Presentation Ready\PresRdy.exe -r" ["Hewlett-Packard"]
"PreloadApp" = "c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d" [null data]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"hpScannerFirstBoot" = "c:\hp\drivers\scanners\scannerfb.exe" ["Hewlett-Packard Co."]
"hp Silent Service" = "C:\Windows\system32\HpSrvUI.exe" ["Hewlett-Packard Co."]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["VERITAS Software, Inc."]
"Display Settings" = "C:\Program Files\Utilities\Notebook Utilities\hptasks.exe /s" ["Hewlett-Packard"]
"CARPService" = "carpserv.exe" ["Conexant Systems, Inc."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{C46B2FE9-4E97-41F4-9729-7CCD6C174125}" = "HP Notebook Utilities"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Utilities\Notebook Utilities\hpnbcpex.dll" ["Hewlett-Packard Co."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\dla\tfswshx.dll" ["VERITAS Software, Inc."]
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "America Online"
  -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "MS-DOS Emulation\DLLName" = "C:\WINDOWS\system32\m664lgjq16oe.dll" [file not found]

Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"America Online 7.0 Tray Icon" -> shortcut to: "C:\Program Files\America Online 7.0\aoltray.exe -check" ["America Online, Inc."]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
HP Configuration Interface Service, HPConfig, "C:\WINDOWS\system32\HPConfig.exe" ["Hewlett-Packard"]
HPWirelessMgr, HPWirelessMgr, "C:\Program Files\Utilities\Notebook Utilities\HPWirelessMgr.exe" ["Hewlett-Packard Co."]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

C:\Documents and Settings\Owner\Desktop\Find-qoologic\qoologic

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Files Found in system Folder............
------------------------
C:\WINDOWS\system32\output.txt: -------- Strings.exe Qoologic Results --------
C:\WINDOWS\system32\output.txt: --------- Strings.exe Aspack Results ---------

Files Found in all users startup Folder............
------------------------

* DLLCompare Log version(1.0.0.125)

Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\mfc42.dll Sat Aug 18 2001 4:00:00a A.SH. 995,383 972.05 K
C:\WINDOWS\SYSTEM32\msvcirt.dll Sat Aug 18 2001 4:00:00a A.SH. 50,688 49.50 K
C:\WINDOWS\SYSTEM32\msvcp60.dll Sat Aug 18 2001 4:00:00a A.SH. 401,462 392.05 K
C:\WINDOWS\SYSTEM32\msvcrt.dll Sat Aug 18 2001 4:00:00a A.SH. 322,560 315.00 K
C:\WINDOWS\SYSTEM32\oleaut32.dll Sat Aug 18 2001 4:00:00a A.SH. 569,344 556.00 K
C:\WINDOWS\SYSTEM32\olepro32.dll Sat Aug 18 2001 4:00:00a A.SH. 106,496 104.00 K
________________________________________________
1,120 items found: 1,120 files (6 H/S), 0 directories.
Total of file sizes: 202,979,256 bytes 193.57 M
Administrator Account = True
--------------------End log---------------------

Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\Owner\Desktop\Find It NT-2K-XP\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C is NOTEBOOK
Volume Serial Number is D482-D55F

Directory of C:\WINDOWS\System32

03/14/2005 12:24 PM <DIR> dllcache
10/10/2002 10:38 AM <DIR> Microsoft
08/18/2001 04:00 AM 995,383 mfc42.dll
08/18/2001 04:00 AM 50,688 msvcirt.dll
08/18/2001 04:00 AM 401,462 msvcp60.dll
08/18/2001 04:00 AM 322,560 msvcrt.dll
08/18/2001 04:00 AM 569,344 oleaut32.dll
08/18/2001 04:00 AM 106,496 olepro32.dll
08/18/2001 04:00 AM 9,728 regsvr32.exe
7 File(s) 2,455,661 bytes
2 Dir(s) 23,637,102,592 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is NOTEBOOK
Volume Serial Number is D482-D55F

Directory of C:\WINDOWS\System32

03/14/2005 12:24 PM <DIR> dllcache
10/10/2002 09:16 AM 488 logonui.exe.manifest
10/10/2002 09:16 AM 488 WindowsLogon.manifest
10/10/2002 09:16 AM 749 cdplayer.exe.manifest
10/10/2002 09:16 AM 749 sapi.cpl.manifest
10/10/2002 09:16 AM 749 nwc.cpl.manifest
10/10/2002 09:16 AM 749 ncpa.cpl.manifest
10/10/2002 09:16 AM 749 wuaucpl.cpl.manifest
08/18/2001 04:00 AM 569,344 oleaut32.dll
08/18/2001 04:00 AM 106,496 olepro32.dll
08/18/2001 04:00 AM 9,728 regsvr32.exe
08/18/2001 04:00 AM 50,688 msvcirt.dll
08/18/2001 04:00 AM 995,383 mfc42.dll
08/18/2001 04:00 AM 401,462 msvcp60.dll
08/18/2001 04:00 AM 322,560 msvcrt.dll
14 File(s) 2,460,382 bytes
1 Dir(s) 23,637,098,496 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C is NOTEBOOK
Volume Serial Number is D482-D55F

Directory of C:\WINDOWS\System32

------ Temp Files in System32 Directory ------

Volume in drive C is NOTEBOOK
Volume Serial Number is D482-D55F

Directory of C:\WINDOWS\System32

08/18/2001 04:00 AM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 23,637,098,496 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{73FF33F8-E486-44D3-A9E6-CD5E856ECCCB}"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\m664lgjq16oe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------- Locate.com Results -------------

No matches found.

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\output.txt: -------- Strings.exe Qoologic Results --------
C:\WINDOWS\system32\output.txt: -------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\output.txt: --------- Strings.exe Aspack Results ---------
C:\WINDOWS\system32\output.txt: --------- Strings.exe Aspack Results ---------

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QT4HPOT"="C:\\PROGRA~1\\UTILIT~1\\ONE-TO~1\\OneTouch.EXE"
"Presentation Ready"="C:\\Program Files\\Utilities\\Presentation Ready\\PresRdy.exe -r"
"PreloadApp"="c:\\hp\\drivers\\printers\\photosmart\\hphprld.exe c:\\hp\\drivers\\printers\\photosmart\\setup.exe -d"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"hpScannerFirstBoot"="c:\\hp\\drivers\\scanners\\scannerfb.exe"
"hp Silent Service"="C:\\Windows\\system32\\HpSrvUI.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"Display Settings"="C:\\Program Files\\Utilities\\Notebook Utilities\\hptasks.exe /s"
"CARPService"="carpserv.exe"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
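The "Keys Under Notify" section above is the most useful part of the log for this infection: every stock Winlogon Notify package on the machine registers a bare DLL name that Winlogon loads from System32, while the "MS-DOS Emulation" package registers a full path to a randomly named DLL that Silent Runners could not find on disk. The following Python script is an added example, not part of the thread or of any of the tools whose output is posted. It parses a REGEDIT4 export of that key (the sample is trimmed from the log above, with the other stock packages left out), decodes the hex(2) values, and reports packages that deviate from the stock layout. The "full path means look closer" heuristic is mine, not a rule from the page; a flagged package still needs a human to decide what it is.

```python
import re

# Constructed sample: a trimmed REGEDIT4 export of Winlogon\Notify in the shape
# the Find It NT-2K-XP "Keys Under Notify" section prints it. The three packages
# and their values are copied from the log in the thread; the other stock
# packages were left out to keep the sample short.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MS-DOS Emulation]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\m664lgjq16oe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
"""

# A raw string cannot end in a backslash, hence the concatenation.
NOTIFY_PREFIX = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" + "\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_reg_value(raw):
    """Decode the right-hand side of a single-line REGEDIT4 value.

    Quoted text is returned with its backslash escapes removed; hex(2) is a
    REG_EXPAND_SZ stored as ANSI bytes in REGEDIT4 and is returned without the
    trailing NUL; dword becomes an int. Anything else comes back as the raw text.
    """
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b)
        return data.decode("latin-1").rstrip("\x00")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return raw


def parse_notify_packages(export_text):
    """Return {package_name: {value_name.lower(): decoded_value}} for every key
    directly under Winlogon\\Notify. Value names are lower-cased because the
    stock packages spell the same value both DllName and DLLName."""
    packages = {}
    current = None
    for line in export_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            name = key.group(1)
            if name.lower().startswith(NOTIFY_PREFIX.lower()):
                current = name[len(NOTIFY_PREFIX):]
                packages[current] = {}
            else:
                current = None  # the Notify root key or some unrelated key
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            packages[current][value.group(1).lower()] = decode_reg_value(value.group(2))
    return packages


def triage_notify_packages(packages, system_dir=r"C:\WINDOWS\system32"):
    """Flag packages that deviate from the stock Windows XP layout.

    Every stock package registers a bare file name (crypt32.dll, wlnotify.dll, ...)
    that Winlogon resolves from System32. A package with no DllName, a full path,
    a path outside System32, or a non-.dll target breaks that pattern and deserves
    a look. Returns [(package, dllname, [reasons])] for flagged packages only.
    """
    findings = []
    for name, values in packages.items():
        dll = values.get("dllname")
        reasons = []
        if not isinstance(dll, str) or not dll:
            dll = ""
            reasons.append("no DllName registered")
        else:
            if "\\" in dll or ":" in dll:
                reasons.append("DllName is a full path, not a bare System32 file name")
                if not dll.lower().startswith(system_dir.lower() + "\\"):
                    reasons.append("target lives outside %s" % system_dir)
            if not dll.rsplit("\\", 1)[-1].lower().endswith(".dll"):
                reasons.append("target does not end in .dll")
        if reasons:
            findings.append((name, dll, reasons))
    return findings


if __name__ == "__main__":
    for package, dll, reasons in triage_notify_packages(parse_notify_packages(SAMPLE_EXPORT)):
        print("%s -> %s: %s" % (package, dll, "; ".join(reasons)))
```

Run against the sample, only "MS-DOS Emulation" is reported. The parser deliberately handles single-line values only; a real export can wrap long hex values across lines with a trailing backslash, and a production version would need to join those first.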
#19
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
Go to c:\windows\system32\drivers\etc and open the hosts file (no extension) in Notepad. There should be a bunch of lines with a # in front of them, followed by a single line like:
127.0.0.1 localhost
If you have anything after that, please post it here.
__________________
GO BIG BLUE!!
#20
Registered User
Join Date: Mar 2005
Posts: 17
OS: Win XP
All right... the hosts file in c:\windows\system32\drivers\etc is totally empty: a 0 KB file with nothing in it when I open it in Notepad.
There are two other hosts files in that directory, called hosts.20050303-103807 and hosts.20050303-103824, and there is a hosts file in the c:\windows directory. All 3 of the 'extra' hosts files contain lots of references to what sound like porn sites. Do you want to see what is in those files, or should I simply delete them?
Also, should I be doing anything about this line in the HJT log I posted in my previous post:
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\m664lgjq16oe.dll (file missing)
Continued thanks for the assistance,
Paul
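Posts #19 and #20 together describe the check the helper is after: a stock hosts file is nothing but # comment lines and one 127.0.0.1 localhost mapping, so anything else (or, as here, a file with no localhost line at all) is a deviation worth reporting. The Python below is an added example, not code from the thread or from any tool mentioned in it. It parses hosts-file text the way the resolver reads it (comments, tabs, several names per line) and separates names sent to a loopback address, which are blocked, from names sent to some other address, which are redirected. The sample files are constructed, using .invalid names and RFC 5737 test addresses, and are not the poster's real files; the ::1 default generalises slightly beyond the XP machine in the thread.

```python
# Constructed sample hosts files (not the poster's real files): the layout a
# stock Windows hosts file has, the empty file the poster found, and a tampered
# one that both sinkholes and redirects names.
STOCK_HOSTS = """# constructed stock-style header: only comment lines above the mapping
# 192.0.2.10      example.invalid   # example entry, commented out

127.0.0.1       localhost
"""

EMPTY_HOSTS = ""

TAMPERED_HOSTS = """# stray comment
127.0.0.1       localhost
127.0.0.1\twww.example-security-vendor.invalid
0.0.0.0         update.example-security-vendor.invalid
203.0.113.5     www.example-bank.invalid  # trailing comment
203.0.113.5     search.example.invalid    login.example.invalid
"""

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# The mappings a stock Windows hosts file carries (::1 appears from Vista on).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Parse hosts-file text into [(address, hostname)], one pair per hostname.
    Handles full-line and trailing '#' comments, blank lines, mixed tabs and
    spaces, and several names on one line. Hostnames are lower-cased."""
    entries = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            continue  # an address with no names maps nothing
        address, names = parts[0], parts[1:]
        entries.extend((address, name.lower()) for name in names)
    return entries


def triage_hosts(text):
    """Summarise a hosts file the way post #19 asks for it: what is there beyond
    the stock localhost line, and where it points.

    Returns a dict with:
      has_localhost - the stock 127.0.0.1 localhost mapping is present
      extra         - every non-default (address, hostname) pair, in file order
      sinkholed     - names sent to a loopback/unspecified address (blocked)
      redirected    - {hostname: address} for names sent somewhere else
    An empty file comes back as has_localhost False with no extras, which is
    itself a deviation from the stock file.
    """
    entries = parse_hosts(text)
    extra = [e for e in entries if e not in DEFAULT_ENTRIES]
    return {
        "has_localhost": ("127.0.0.1", "localhost") in entries,
        "extra": extra,
        "sinkholed": sorted(name for addr, name in extra if addr in LOOPBACK),
        "redirected": {name: addr for addr, name in extra if addr not in LOOPBACK},
    }


if __name__ == "__main__":
    for label, text in (("stock", STOCK_HOSTS), ("empty", EMPTY_HOSTS), ("tampered", TAMPERED_HOSTS)):
        print(label, triage_hosts(text))
```

A sinkholed name is not automatically malicious: ad-blocking hosts lists work exactly this way, so the names themselves decide whether the entry blocks nuisance domains or the security vendors' update servers. Redirected names are the more serious finding, since the browser shows the requested hostname while talking to an address the file chose.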