|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
04-09-2005, 12:13 AM
|
#1 (permalink) |
|
Registered User
Join Date: Apr 2005
Posts: 11
OS: xp
|
loadingwebsite.com issues
Hello and thank you for your help!
About two weeks ago random browser popups started showing up, some entitled loadingwebsite.com. I have followed all your instructions in your "read this first" for this forum. Bleow is my updated logfile after running hijackthis analyzer: ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\PESTPA~1\PPMemCheck.exe C:\PROGRA~1\PESTPA~1\CookiePatrol.exe C:\PROGRA~1\PESTPA~1\PPControl.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\PROGRA~1\NavNT\DefWatch.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\PROGRA~1\NavNT\Rtvscan.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 12:58:00 AM, on 4/9/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\system32\rlrpnl.exe C:\Program Files\WeatherBeetle\WB.exe C:\Program Files\tools\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.jsonline.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.jsonline.com N3 - Netscape 7: # Mozilla User Preferences // This is a generated file! user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.chrome.site_icons", false); user_pref("browser.chrome.toolbar_tips", false); user_pref("browser.history.last_page_visited", "http://rad.msn.com/ADSAdClient31.dll?GetAd?PG=HOTEN5?SC=PP?HM=04544b40594b105052565047414671700a4f64511637520d5d525c5e470c37530d606a?LOC=H?TF=_NEW?ID=0001614096B0FB3B?UC=1?PS=9621?PI=44364?AP=1089?NA=1141?NC =9523"); user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); user_pref("browser.startup.homepage", "WWW.HOTMAIL.COM"); user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2"); user_pref("browser.tabs.forceHide", true); user_pref("browser.toolbars.showbutton.bookmarks", false); user_pref("browser.toolbars.showbutton.home", false); user_pref("browser.toolbars.showbutton.mynetscape", false); user_pref N3 - Netscape 7: # Mozilla User Preferences // This is a generated file! user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.chrome.site_icons", false); user_pref("browser.chrome.toolbar_tips", false); user_pref("browser.history.last_page_visited", "http://rad.msn.com/ADSAdClient31.dll?GetAd?PG=HOTEN5?SC=PP?HM=04544b40594b105052565047414671700a4f64511637520d5d525c5e470c37530d606a?LOC=H?TF=_NEW?ID=0001614096B0FB3B?UC=1?PS=9621?PI=44364?AP=1089?NA=1141?NC =9523"); user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); user_pref("browser.startup.homepage", "WWW.HOTMAIL.COM"); user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2"); user_pref("browser.tabs.forceHide", true); user_pref("browser.toolbars.showbutton.bookmarks", false); user_pref("browser.toolbars.showbutton.home", false); user_pref("browser.toolbars.showbutton.mynetscape", false); user_pref O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlrpnl.exe O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - Startup: WeatherBeetle.lnk = C:\Program Files\WeatherBeetle\WB.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://usercenter.cox.net/rsuite/sdc...ad/tgctlcm.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/...lowActiveX.CAB O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\en2sl1f71.dll O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\CJ\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe (file missing) O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe End of KRC HijackThis Analyzer Log. ==================================================================== Thank you again for looking into this! cj2k |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
04-09-2005, 08:35 AM
|
#2 (permalink) |
|
Old Timer
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,958
OS: Vista Home Premium, SP 27
|
Greetings, and welcome to TSF!
Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds. Download CWShredder and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Run HiJackThis then: 1. Click "Config..." 2. Click "Misc Tools" 3. Click "Open Process manager" - Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following: C:\WINDOWS\system32\rlrpnl.exe Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain. Run HiJackThis and click "Scan", then check(tick) the following, if present: O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlrpnl.exe O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\en2sl1f71.dll Now, with all windows closed except HiJackThis, click "Fix checked". When your done, rescan your system and make sure the following isn't present: N3 - Netscape ... 5CSBWeb_01.src (or) 5CSBWeb_02.src If it is, then fix that entry again; sometimes it'll take more than one pass. The actual entry is ok, and won't be deleted, it's the java wrapper marked in red that needs to be removed. Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders: files... C:\WINDOWS\system32\rlrpnl.exe C:\WINDOWS\system32\n20050308.EXE C:\WINDOWS\system32\en2sl1f71.dll -Note that some of these file(s) may or may not be present. [/b]Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point. |
|
|
|
|
04-09-2005, 10:36 AM
|
#3 (permalink) |
|
Registered User
Join Date: Apr 2005
Posts: 11
OS: xp
|
new log thanks
I followed your instructions and here is the new log. Thanks Again!
:::: ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** C:\PROGRA~1\PESTPA~1\PPMemCheck.exe C:\PROGRA~1\PESTPA~1\CookiePatrol.exe C:\PROGRA~1\PESTPA~1\PPControl.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\NavNT\DefWatch.exe C:\PROGRA~1\NavNT\Rtvscan.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 11:29:55 AM, on 4/9/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\WeatherBeetle\WB.exe C:\Program Files\tools\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.jsonline.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.jsonline.com N3 - Netscape 7: # Mozilla User Preferences // This is a generated file! user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.chrome.site_icons", false); user_pref("browser.chrome.toolbar_tips", false); user_pref("browser.history.last_page_visited", "http://rad.msn.com/ADSAdClient31.dll?GetAd?PG=HOTEN5?SC=PP?HM=04544b40594b105052565047414671700a4f64511637520d5d525c5e470c37530d606a?LOC=H?TF=_NEW?ID=0001614096B0FB3B?UC=1?PS=9621?PI=44364?AP=1089?NA=1141?NC =9523"); user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); user_pref("browser.startup.homepage", "WWW.HOTMAIL.COM"); user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2"); user_pref("browser.tabs.forceHide", true); user_pref("browser.toolbars.showbutton.bookmarks", false); user_pref("browser.toolbars.showbutton.home", false); user_pref("browser.toolbars.showbutton.mynetscape", false); user_pref N3 - Netscape 7: # Mozilla User Preferences // This is a generated file! user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.chrome.site_icons", false); user_pref("browser.chrome.toolbar_tips", false); user_pref("browser.history.last_page_visited", "http://rad.msn.com/ADSAdClient31.dll?GetAd?PG=HOTEN5?SC=PP?HM=04544b40594b105052565047414671700a4f64511637520d5d525c5e470c37530d606a?LOC=H?TF=_NEW?ID=0001614096B0FB3B?UC=1?PS=9621?PI=44364?AP=1089?NA=1141?NC =9523"); user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); user_pref("browser.startup.homepage", "WWW.HOTMAIL.COM"); user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2"); user_pref("browser.tabs.forceHide", true); user_pref("browser.toolbars.showbutton.bookmarks", false); user_pref("browser.toolbars.showbutton.home", false); user_pref("browser.toolbars.showbutton.mynetscape", false); user_pref O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - Startup: WeatherBeetle.lnk = C:\Program Files\WeatherBeetle\WB.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://usercenter.cox.net/rsuite/sdc...ad/tgctlcm.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/...lowActiveX.CAB O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\lvps0977e.dll O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\CJ\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe (file missing) O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe End of KRC HijackThis Analyzer Log. ==================================================================== |
|
|
|
|
04-09-2005, 12:38 PM
|
#4 (permalink) |
|
Registered User
Join Date: Apr 2005
Posts: 11
OS: xp
|
SORRY...please disregard previous post...C:\WINDOWS\system32\rlrpnl.exe keeps coming back. here is the log after startup:
==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** C:\PROGRA~1\PESTPA~1\PPMemCheck.exe C:\PROGRA~1\PESTPA~1\CookiePatrol.exe C:\PROGRA~1\PESTPA~1\PPControl.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\NavNT\DefWatch.exe C:\PROGRA~1\NavNT\Rtvscan.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 1:31:44 PM, on 4/9/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\WeatherBeetle\WB.exe C:\WINDOWS\system32\rlrpnl.exe C:\Program Files\tools\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.jsonline.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.jsonline.com N3 - Netscape 7: # Mozilla User Preferences // This is a generated file! user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.chrome.site_icons", false); user_pref("browser.chrome.toolbar_tips", false); user_pref("browser.history.last_page_visited", "http://rad.msn.com/ADSAdClient31.dll?GetAd?PG=HOTEN5?SC=PP?HM=04544b40594b105052565047414671700a4f64511637520d5d525c5e470c37530d606a?LOC=H?TF=_NEW?ID=0001614096B0FB3B?UC=1?PS=9621?PI=44364?AP=1089?NA=1141?NC =9523"); user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); user_pref("browser.startup.homepage", "WWW.HOTMAIL.COM"); user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2"); user_pref("browser.tabs.forceHide", true); user_pref("browser.toolbars.showbutton.bookmarks", false); user_pref("browser.toolbars.showbutton.home", false); user_pref("browser.toolbars.showbutton.mynetscape", false); user_pref N3 - Netscape 7: # Mozilla User Preferences // This is a generated file! user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.chrome.site_icons", false); user_pref("browser.chrome.toolbar_tips", false); user_pref("browser.history.last_page_visited", "http://rad.msn.com/ADSAdClient31.dll?GetAd?PG=HOTEN5?SC=PP?HM=04544b40594b105052565047414671700a4f64511637520d5d525c5e470c37530d606a?LOC=H?TF=_NEW?ID=0001614096B0FB3B?UC=1?PS=9621?PI=44364?AP=1089?NA=1141?NC =9523"); user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); user_pref("browser.startup.homepage", "WWW.HOTMAIL.COM"); user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2"); user_pref("browser.tabs.forceHide", true); user_pref("browser.toolbars.showbutton.bookmarks", false); user_pref("browser.toolbars.showbutton.home", false); user_pref("browser.toolbars.showbutton.mynetscape", false); user_pref O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rlrpnl.exe O4 - Startup: WeatherBeetle.lnk = C:\Program Files\WeatherBeetle\WB.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://usercenter.cox.net/rsuite/sdc...ad/tgctlcm.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/...lowActiveX.CAB O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\g6220gfoe62c0.dll O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\CJ\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe (file missing) O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe End of KRC HijackThis Analyzer Log. ==================================================================== |
|
|
|
|
04-09-2005, 11:04 PM
|
#5 (permalink) |
|
Analyst, Security Team
|
OK, this is the narrator infection. We'll need these logs:
Download and install CleanUp http://cleanup.stevengould.org/ Download KillBox http://www.atribune.org/downloads/KillBox.exe Download rkfiles http://skads.org/special/rkfiles.zip and unzip the contents to a new folder on your desktop. Download the remv3.zip at http://forums.skads.org/index.php?showtopic=80 (look for the attachment posted in that second reply). Make a new folder on the root drive C:\ and unzip remv3.zip files into it. Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Run CleanUp program now and logoff. REBOOT TO SAFE MODE. These tools MUST be run in safe mode! Once in safe mode, double click rkfiles.bat file to run it. It will scan for a while, so please be patient. Wait until the DOS window closes. Open the C:\log.txt it created and rename it log1.txt. Now open the folder where you saved remv3.zip files and double click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log file will be C:\log.txt and bad1.txt **Note** Each tool uses log.txt as it’s output file so make sure you save the entries from one tools log before running the other as it will overwrite the file if you don’t. Reboot back to normal mode and post the contents of both the log.txt and log1.txt in your next post.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
04-11-2005, 05:09 PM
|
#6 (permalink) |
|
Registered User
Join Date: Apr 2005
Posts: 11
OS: xp
|
here are the new log files log1.txt and log.txt: (bad1.txt was empty)
:\Documents and Settings\CJ\Desktop PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. Files Found in system Folder............ ------------------------ C:\WINDOWS\system32\ams491.dat: UPX! C:\WINDOWS\system32\devil.dll: UPX! C:\WINDOWS\system32\ilu.dll: UPX! C:\WINDOWS\system32\ilut.dll: UPX! C:\WINDOWS\system32\mioengine.exe: UPX! C:\WINDOWS\system32\qyqav.dat: UPX! C:\WINDOWS\system32\rlrpnl.exe: UPX! C:\WINDOWS\system32\winup2date.dll: UPX! C:\WINDOWS\system32\wmconfig.cpl: UPX! C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213 C:\WINDOWS\system32\DivX.dll: PEC2 Files Found in all users startup Folder............ ------------------------ Files Found in all users windows Folder............ ------------------------ C:\WINDOWS\icont.exe: UPX! C:\WINDOWS\LAME.EXE: UPX! C:\WINDOWS\tsc.exe: UPX! C:\WINDOWS\vsapi32.dll: UPX!t4 Finished bye Files Found................. ---------------------------------------- Files Not deleted................. ---------------------------------------- Merging registry entries ----------------------------------------------------------------- The Registry Entries Found... ----------------------------------------------------------------- Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting ----------------------------------------------------------------- Volume in drive C has no label. Volume Serial Number is A878-B96C Directory of C:\WINDOWS\system32 msi.dll Finished thanks! |
|
|
|
|
04-13-2005, 07:39 AM
|
#8 (permalink) |
|
Registered User
Join Date: Apr 2005
Posts: 11
OS: xp
|
sorry...here is the analyzed log as well:
==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\NavNT\DefWatch.exe C:\PROGRA~1\NavNT\Rtvscan.exe c:\Program Files\PestPatrol\ppmemcheck.exe c:\Program Files\PestPatrol\cookiepatrol.exe c:\Program Files\PestPatrol\ppcontrol.exe O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 8:31:49 AM, on 4/13/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\WeatherBeetle\WB.exe C:\Program Files\tools\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.jsonline.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.jsonline.com N3 - Netscape 7: # Mozilla User Preferences // This is a generated file! user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.chrome.site_icons", false); user_pref("browser.chrome.toolbar_tips", false); user_pref("browser.history.last_page_visited", "http://rad.msn.com/ADSAdClient31.dll?GetAd?PG=HOTEN5?SC=PP?HM=04544b40594b105052565047414671700a4f64511637520d5d525c5e470c37530d606a?LOC=H?TF=_NEW?ID=0001614096B0FB3B?UC=1?PS=9621?PI=44364?AP=1089?NA=1141?NC =9523"); user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); user_pref("browser.startup.homepage", "WWW.HOTMAIL.COM"); user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2"); user_pref("browser.tabs.forceHide", true); user_pref("browser.toolbars.showbutton.bookmarks", false); user_pref("browser.toolbars.showbutton.home", false); user_pref("browser.toolbars.showbutton.mynetscape", false); user_pref N3 - Netscape 7: # Mozilla User Preferences // This is a generated file! user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.chrome.site_icons", false); user_pref("browser.chrome.toolbar_tips", false); user_pref("browser.history.last_page_visited", "http://rad.msn.com/ADSAdClient31.dll?GetAd?PG=HOTEN5?SC=PP?HM=04544b40594b105052565047414671700a4f64511637520d5d525c5e470c37530d606a?LOC=H?TF=_NEW?ID=0001614096B0FB3B?UC=1?PS=9621?PI=44364?AP=1089?NA=1141?NC =9523"); user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); user_pref("browser.startup.homepage", "WWW.HOTMAIL.COM"); user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2"); user_pref("browser.tabs.forceHide", true); user_pref("browser.toolbars.showbutton.bookmarks", false); user_pref("browser.toolbars.showbutton.home", false); user_pref("browser.toolbars.showbutton.mynetscape", false); user_pref O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - Startup: WeatherBeetle.lnk = C:\Program Files\WeatherBeetle\WB.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://usercenter.cox.net/rsuite/sdc...ad/tgctlcm.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/...lowActiveX.CAB O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\irjql5151.dll O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\CJ\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe (file missing) O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe End of KRC HijackThis Analyzer Log. ==================================================================== |
|
|
|
|
04-13-2005, 10:58 PM
|
#9 (permalink) |
|
Analyst, Security Team
|
You should not be running CWShredder from the temp folder. So move it out of there before we delete/empty that temp folder.
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Don't run it yet. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O20 - Winlogon Notify: WebCheck - C:\WINDOWS\system32\irjql5151.dll O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~1\CJ\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe (file missing) Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\WINDOWS\system32\irjql5151.dll C:\WINDOWS\system32\ams491.dat C:\WINDOWS\system32\devil.dll C:\WINDOWS\system32\ilu.dll C:\WINDOWS\system32\ilut.dll C:\WINDOWS\system32\mioengine.exe C:\WINDOWS\system32\qyqav.dat C:\WINDOWS\system32\rlrpnl.exe C:\WINDOWS\system32\winup2date.dll C:\WINDOWS\system32\wmconfig.cpl C:\WINDOWS\icont.exe C:\WINDOWS\LAME.EXE - do you recognize this as a file for mp3 encoding? If not, delete it also. C:\WINDOWS\tsc.exe Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. Also post a new log for rkfiles and remv3.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
04-14-2005, 07:25 PM
|
#10 (permalink) |
|
Registered User
Join Date: Apr 2005
Posts: 11
OS: xp
|
thanks.... new hijack log
==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** C:\PROGRA~1\PESTPA~1\PPMemCheck.exe C:\PROGRA~1\PESTPA~1\CookiePatrol.exe C:\PROGRA~1\PESTPA~1\PPControl.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\NavNT\DefWatch.exe C:\PROGRA~1\NavNT\Rtvscan.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 8:17:32 PM, on 4/14/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\WeatherBeetle\WB.exe C:\Program Files\tools\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.jsonline.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.jsonline.com N3 - Netscape 7: # Mozilla User Preferences // This is a generated file! user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.chrome.site_icons", false); user_pref("browser.chrome.toolbar_tips", false); user_pref("browser.history.last_page_visited", "http://rad.msn.com/ADSAdClient31.dll?GetAd?PG=HOTEN5?SC=PP?HM=04544b40594b105052565047414671700a4f64511637520d5d525c5e470c37530d606a?LOC=H?TF=_NEW?ID=0001614096B0FB3B?UC=1?PS=9621?PI=44364?AP=1089?NA=1141?NC =9523"); user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); user_pref("browser.startup.homepage", "WWW.HOTMAIL.COM"); user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2"); user_pref("browser.tabs.forceHide", true); user_pref("browser.toolbars.showbutton.bookmarks", false); user_pref("browser.toolbars.showbutton.home", false); user_pref("browser.toolbars.showbutton.mynetscape", false); user_pref N3 - Netscape 7: # Mozilla User Preferences // This is a generated file! user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.chrome.site_icons", false); user_pref("browser.chrome.toolbar_tips", false); user_pref("browser.history.last_page_visited", "http://rad.msn.com/ADSAdClient31.dll?GetAd?PG=HOTEN5?SC=PP?HM=04544b40594b105052565047414671700a4f64511637520d5d525c5e470c37530d606a?LOC=H?TF=_NEW?ID=0001614096B0FB3B?UC=1?PS=9621?PI=44364?AP=1089?NA=1141?NC =9523"); user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); user_pref("browser.startup.homepage", "WWW.HOTMAIL.COM"); user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2"); user_pref("browser.tabs.forceHide", true); user_pref("browser.toolbars.showbutton.bookmarks", false); user_pref("browser.toolbars.showbutton.home", false); user_pref("browser.toolbars.showbutton.mynetscape", false); user_pref O4 - Startup: WeatherBeetle.lnk = C:\Program Files\WeatherBeetle\WB.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://usercenter.cox.net/rsuite/sdc...ad/tgctlcm.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/...lowActiveX.CAB O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\ir8ol5l31.dll O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe End of KRC HijackThis Analyzer Log. ==================================================================== |
|
|
|
|
04-14-2005, 10:40 PM
|
#11 (permalink) |
|
Registered User
Join Date: Apr 2005
Posts: 11
OS: xp
|
.....and for rkfiles and remv3
Files Found................. ---------------------------------------- Files Not deleted................. ---------------------------------------- Merging registry entries ----------------------------------------------------------------- The Registry Entries Found... ----------------------------------------------------------------- Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting ----------------------------------------------------------------- Volume in drive C has no label. Volume Serial Number is A878-B96C Directory of C:\WINDOWS\system32 msi.dll Finished Files Found................. ---------------------------------------- Files Not deleted................. ---------------------------------------- Merging registry entries ----------------------------------------------------------------- The Registry Entries Found... ----------------------------------------------------------------- Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting ----------------------------------------------------------------- Volume in drive C has no label. Volume Serial Number is A878-B96C Directory of C:\WINDOWS\system32 msi.dll Finished |
|
|
|
|
04-15-2005, 07:43 AM
|
#12 (permalink) |
|
Analyst, Security Team
|
OK, that infection is gone now. Just one more thing that needs to be removed. Give us these logs:
Right click on http://www.greyknight17.com/spy/Silent%20Runners.vbs and choose Save As...Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post. Download DllCompare http://www.greyknight17.com/spy/DllCompare.exe and run it. Click on the 'Locate.com' button. Wait a few seconds and then click on the 'Compare' button. Let it run, then click on 'Make a log of what was found'. Post that log here. Note: If you are having problems using DllCompare (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running DllCompare.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
04-15-2005, 01:50 PM
|
#13 (permalink) |
|
Registered User
Join Date: Apr 2005
Posts: 11
OS: xp
|
thanks ...here is the compare and silent running logs:
* DLLCompare Log version() Files Found that Windows does not See or cannot Access *Not everything listed here means you are infected! ________________________________________________ C:\WINDOWS\SYSTEM32\azamla~1.dll Thu Apr 14 2005 8:02:24p ..S.R 233,411 227.94 K C:\WINDOWS\SYSTEM32\c8000i~1.dll Sat Apr 9 2005 1:26:50p ..S.R 233,341 227.87 K C:\WINDOWS\SYSTEM32\cawflt32.dll Thu Apr 14 2005 7:47:02p ..S.R 233,411 227.94 K C:\WINDOWS\SYSTEM32\cldproxy.dll Sat Apr 9 2005 1:04:26p ..S.R 233,107 227.64 K C:\WINDOWS\SYSTEM32\e0jmla~1.dll Tue Apr 5 2005 4:52:18p ..S.R 232,896 227.44 K C:\WINDOWS\SYSTEM32\en8ul1~1.dll Sun Apr 3 2005 9:46:42p ..S.R 234,877 229.37 K C:\WINDOWS\SYSTEM32\enn8l1~1.dll Fri Apr 1 2005 10:24:54a ..S.R 233,149 227.68 K C:\WINDOWS\SYSTEM32\ennul1~1.dll Fri Apr 1 2005 6:30:44p ..S.R 233,199 227.73 K C:\WINDOWS\SYSTEM32\enp6l1~1.dll Thu Apr 14 2005 8:53:52p ..S.R 233,490 228.02 K C:\WINDOWS\SYSTEM32\enpul1~1.dll Thu Apr 14 2005 8:49:58p ..S.R 233,490 228.02 K C:\WINDOWS\SYSTEM32\f00ola~1.dll Thu Apr 14 2005 11:34:22p ..S.R 233,490 228.02 K C:\WINDOWS\SYSTEM32\fp6003~1.dll Sat Apr 9 2005 2:07:56p ..S.R 233,411 227.94 K C:\WINDOWS\SYSTEM32\fp6m03~1.dll Fri Apr 1 2005 6:49:28p ..S.R 236,126 230.59 K C:\WINDOWS\SYSTEM32\gbmd5q~1.dll Sat Apr 9 2005 10:38:42a ..S.R 234,995 229.48 K C:\WINDOWS\SYSTEM32\h8l20i~1.dll Fri Apr 1 2005 6:15:28p ..S.R 236,201 230.66 K C:\WINDOWS\SYSTEM32\hr6u05~1.dll Sat Apr 9 2005 10:36:16a ..S.R 233,084 227.62 K C:\WINDOWS\SYSTEM32\hrr805~1.dll Sat Apr 9 2005 1:02:44p ..S.R 235,349 229.83 K C:\WINDOWS\SYSTEM32\ir84l5~1.dll Sat Apr 9 2005 2:03:56p ..S.R 233,333 227.86 K C:\WINDOWS\SYSTEM32\irp2l5~1.dll Sun Apr 3 2005 9:31:22p ..S.R 234,171 228.68 K C:\WINDOWS\SYSTEM32\kgdes.dll Sat Apr 9 2005 11:42:28a ..S.R 236,110 230.57 K C:\WINDOWS\SYSTEM32\l0r0la~1.dll Sun Apr 3 2005 7:17:52p ..S.R 235,963 230.43 K C:\WINDOWS\SYSTEM32\lv4q09~1.dll Tue Apr 5 2005 5:03:04p ..S.R 234,990 229.48 K C:\WINDOWS\SYSTEM32\lvp609~1.dll Sat Apr 9 2005 2:34:24p ..S.R 233,411 227.94 K C:\WINDOWS\SYSTEM32\mfhcp.dll Thu Apr 14 2005 8:52:12p ..S.R 233,490 228.02 K C:\WINDOWS\SYSTEM32\mwimusic.dll Fri Apr 8 2005 10:28:58p ..S.R 234,990 229.48 K C:\WINDOWS\SYSTEM32\p6p6lg~1.dll Fri Apr 1 2005 6:40:12p ..S.R 233,062 227.60 K C:\WINDOWS\SYSTEM32\tspi32.dll Wed Mar 30 2005 10:10:18a ..S.R 233,248 227.78 K C:\WINDOWS\SYSTEM32\xgob2res.dll Thu Apr 14 2005 8:48:58p ..S.R 233,490 228.02 K ________________________________________________ 1,373 items found: 1,373 files (28 H/S), 0 directories. Total of file sizes: 296,610,563 bytes 282.87 M Administrator Account = True --------------------End log--------------------- Silent Runners.vbs", revision 35, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "PPMemCheck" = "c:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [null data] "CookiePatrol" = "c:\PROGRA~1\PESTPA~1\CookiePatrol.exe" ["Computer Associates International"] "WINDVDPatch" = "CTHELPER.EXE" ["Creative Technology Ltd"] "SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [null data] "PestPatrol Control Center" = "c:\PROGRA~1\PESTPA~1\PPControl.exe" ["Computer Associates International"] "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS] "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"] "Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."] "iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."] "gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS] "AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."] "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS] "{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"] "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS] "{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SmartFTP\smarthook.dll" ["SmartFTP"] "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."] "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{8D956DBD-F7C4-4A4A-AD0B-935DA7638873}" = (no title provided) -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\fXultrep.dll" [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! MCD\DLLName = "C:\WINDOWS\system32\enpul1791.dll" [null data] Enabled Wallpaper and Active Desktop: ------------------------------------- Active Desktop is disabled. HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\CJ\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp" Startup items in "CJ" & "All Users" startup folders: ---------------------------------------------------- C:\Documents and Settings\CJ\Start Menu\Programs\Startup "WeatherBeetle" -> shortcut to: "C:\Program Files\WeatherBeetle\WB.exe" [null data] C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."] AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."] DefWatch, DefWatch, "C:\PROGRA~1\NavNT\DefWatch.exe" ["Symantec Corporation"] iPod Service, iPodService, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."] NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"] PCTEL Speaker Phone, Pctspk, "C:\WINDOWS\system32\pctspk.exe" ["PCtel, Inc."] Symantec AntiVirus Client, Norton AntiVirus Server, "C:\PROGRA~1\NavNT\Rtvscan.exe" ["Symantec Corporation"] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS] WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS] ---------- This report excludes default entries except where indicated. To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. ---------- |
|
|
|
|
04-15-2005, 02:01 PM
|
#14 (permalink) |
|
Analyst, Security Team
|
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.
Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\ and delete {8D956DBD-F7C4-4A4A-AD0B-935DA7638873} Next go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ and delete MCD If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor. Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot): C:\WINDOWS\SYSTEM32\azamla~1.dll C:\WINDOWS\SYSTEM32\c8000i~1.dll C:\WINDOWS\SYSTEM32\cawflt32.dll C:\WINDOWS\SYSTEM32\cldproxy.dll C:\WINDOWS\SYSTEM32\e0jmla~1.dll C:\WINDOWS\SYSTEM32\en8ul1~1.dll C:\WINDOWS\SYSTEM32\enn8l1~1.dll C:\WINDOWS\SYSTEM32\ennul1~1.dll C:\WINDOWS\SYSTEM32\enp6l1~1.dll C:\WINDOWS\SYSTEM32\enpul1~1.dll C:\WINDOWS\SYSTEM32\f00ola~1.dll C:\WINDOWS\SYSTEM32\fp6003~1.dll C:\WINDOWS\SYSTEM32\fp6m03~1.dll C:\WINDOWS\SYSTEM32\gbmd5q~1.dll C:\WINDOWS\SYSTEM32\h8l20i~1.dll C:\WINDOWS\SYSTEM32\hr6u05~1.dll C:\WINDOWS\SYSTEM32\hrr805~1.dll C:\WINDOWS\SYSTEM32\ir84l5~1.dll C:\WINDOWS\SYSTEM32\irp2l5~1.dll C:\WINDOWS\SYSTEM32\kgdes.dll C:\WINDOWS\SYSTEM32\l0r0la~1.dll C:\WINDOWS\SYSTEM32\lv4q09~1.dll C:\WINDOWS\SYSTEM32\lvp609~1.dll C:\WINDOWS\SYSTEM32\mfhcp.dll C:\WINDOWS\SYSTEM32\mwimusic.dll C:\WINDOWS\SYSTEM32\p6p6lg~1.dll C:\WINDOWS\SYSTEM32\tspi32.dll C:\WINDOWS\SYSTEM32\xgob2res.dll C:\WINDOWS\system32\fXultrep.dll C:\WINDOWS\system32\enpul1791.dll C:\WINDOWS\system32\ir8ol5l31.dll The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Restart and post a new HijackThis log along with DllCompare and Silent Runners.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
04-15-2005, 05:28 PM
|
#15 (permalink) |
|
Registered User
Join Date: Apr 2005
Posts: 11
OS: xp
|
here are the new logs THANKS!!!!
* DLLCompare Log version(1.0.0.125) Files Found that Windows does not See or cannot Access *Not everything listed here means you are infected! ________________________________________________ C:\WINDOWS\SYSTEM32\kgdes.dll Sat Apr 9 2005 11:42:28a ..S.R 236,110 230.57 K C:\WINDOWS\SYSTEM32\l0r0la~1.dll Sun Apr 3 2005 7:17:52p ..S.R 235,963 230.43 K ________________________________________________ 1,346 items found: 1,346 files (2 H/S), 0 directories. Total of file sizes: 290,295,861 bytes 276.85 M Administrator Account = True --------------------End log--------------------- "Silent Runners.vbs", revision 35, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "PPMemCheck" = "c:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [null data] "CookiePatrol" = "c:\PROGRA~1\PESTPA~1\CookiePatrol.exe" ["Computer Associates International"] "WINDVDPatch" = "CTHELPER.EXE" ["Creative Technology Ltd"] "SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [null data] "PestPatrol Control Center" = "c:\PROGRA~1\PESTPA~1\PPControl.exe" ["Computer Associates International"] "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS] "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"] "Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."] "iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."] "gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS] "AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."] "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS] "{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"] "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS] "{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SmartFTP\smarthook.dll" ["SmartFTP"] "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."] "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{8D956DBD-F7C4-4A4A-AD0B-935DA7638873}" = (no title provided) -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\fXultrep.dll" [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! Control Panel\DLLName = "C:\WINDOWS\system32\f00olad31d0.dll" [file not found] Enabled Wallpaper and Active Desktop: ------------------------------------- Active Desktop is disabled. HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\CJ\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp" Startup items in "CJ" & "All Users" startup folders: ---------------------------------------------------- C:\Documents and Settings\CJ\Start Menu\Programs\Startup "WeatherBeetle" -> shortcut to: "C:\Program Files\WeatherBeetle\WB.exe" [null data] C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."] AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."] DefWatch, DefWatch, "C:\PROGRA~1\NavNT\DefWatch.exe" ["Symantec Corporation"] iPod Service, iPodService, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."] NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"] PCTEL Speaker Phone, Pctspk, "C:\WINDOWS\system32\pctspk.exe" ["PCtel, Inc."] Symantec AntiVirus Client, Norton AntiVirus Server, "C:\PROGRA~1\NavNT\Rtvscan.exe" ["Symantec Corporation"] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS] WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS] ---------- This report excludes default entries except where indicated. To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. ---------- ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** C:\PROGRA~1\PESTPA~1\PPMemCheck.exe C:\PROGRA~1\PESTPA~1\CookiePatrol.exe C:\PROGRA~1\PESTPA~1\PPControl.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\NavNT\DefWatch.exe C:\PROGRA~1\NavNT\Rtvscan.exe O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 6:25:13 PM, on 4/15/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\WeatherBeetle\WB.exe C:\Program Files\tools\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.jsonline.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.jsonline.com N3 - Netscape 7: # Mozilla User Preferences // This is a generated file! user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.chrome.site_icons", false); user_pref("browser.chrome.toolbar_tips", false); user_pref("browser.history.last_page_visited", "http://rad.msn.com/ADSAdClient31.dll?GetAd?PG=HOTEN5?SC=PP?HM=04544b40594b105052565047414671700a4f64511637520d5d525c5e470c37530d606a?LOC=H?TF=_NEW?ID=0001614096B0FB3B?UC=1?PS=9621?PI=44364?AP=1089?NA=1141?NC =9523"); user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); user_pref("browser.startup.homepage", "WWW.HOTMAIL.COM"); user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2"); user_pref("browser.tabs.forceHide", true); user_pref("browser.toolbars.showbutton.bookmarks", false); user_pref("browser.toolbars.showbutton.home", false); user_pref("browser.toolbars.showbutton.mynetscape", false); user_pref N3 - Netscape 7: # Mozilla User Preferences // This is a generated file! user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.chrome.site_icons", false); user_pref("browser.chrome.toolbar_tips", false); user_pref("browser.history.last_page_visited", "http://rad.msn.com/ADSAdClient31.dll?GetAd?PG=HOTEN5?SC=PP?HM=04544b40594b105052565047414671700a4f64511637520d5d525c5e470c37530d606a?LOC=H?TF=_NEW?ID=0001614096B0FB3B?UC=1?PS=9621?PI=44364?AP=1089?NA=1141?NC =9523"); user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); user_pref("browser.startup.homepage", "WWW.HOTMAIL.COM"); user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2"); user_pref("browser.tabs.forceHide", true); user_pref("browser.toolbars.showbutton.bookmarks", false); user_pref("browser.toolbars.showbutton.home", false); user_pref("browser.toolbars.showbutton.mynetscape", false); user_pref O4 - Startup: WeatherBeetle.lnk = C:\Program Files\WeatherBeetle\WB.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://usercenter.cox.net/rsuite/sdc...ad/tgctlcm.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/...lowActiveX.CAB O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\f00olad31d0.dll (file missing) O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe End of KRC HijackThis Analyzer Log. ==================================================================== |
|
|
|
|
04-15-2005, 08:05 PM
|
#16 (permalink) |
|
Analyst, Security Team
|
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.
Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\ and delete {8D956DBD-F7C4-4A4A-AD0B-935DA7638873} Next go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ and delete Control Panel If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor. Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot): C:\WINDOWS\SYSTEM32\kgdes.dll C:\WINDOWS\SYSTEM32\l0r0la~1.dll C:\WINDOWS\system32\fXultrep.dll C:\WINDOWS\system32\f00olad31d0.dll If you have Windows XP, go to C:\Windows\Prefetch and delete everything inside that Prefetch folder. Run the CleanUp program now and choose Yes when it asks if you want to log off. Restart and post a new HijackThis log along with DllCompare and Silent Runners.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
04-17-2005, 09:47 AM
|
#17 (permalink) |
|
Registered User
Join Date: Apr 2005
Posts: 11
OS: xp
|
thanks
==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\NavNT\DefWatch.exe C:\PROGRA~1\NavNT\Rtvscan.exe C:\PROGRA~1\PESTPA~1\PPMemCheck.exe C:\PROGRA~1\PESTPA~1\CookiePatrol.exe C:\PROGRA~1\PESTPA~1\PPControl.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\NavNT\DefWatch.exe O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 10:44:43 AM, on 4/17/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\WeatherBeetle\WB.exe C:\Program Files\tools\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.jsonline.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.jsonline.com N3 - Netscape 7: # Mozilla User Preferences // This is a generated file! user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.chrome.site_icons", false); user_pref("browser.chrome.toolbar_tips", false); user_pref("browser.history.last_page_visited", "http://rad.msn.com/ADSAdClient31.dll?GetAd?PG=HOTEN5?SC=PP?HM=04544b40594b105052565047414671700a4f64511637520d5d525c5e470c37530d606a?LOC=H?TF=_NEW?ID=0001614096B0FB3B?UC=1?PS=9621?PI=44364?AP=1089?NA=1141?NC =9523"); user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); user_pref("browser.startup.homepage", "WWW.HOTMAIL.COM"); user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2"); user_pref("browser.tabs.forceHide", true); user_pref("browser.toolbars.showbutton.bookmarks", false); user_pref("browser.toolbars.showbutton.home", false); user_pref("browser.toolbars.showbutton.mynetscape", false); user_pref N3 - Netscape 7: # Mozilla User Preferences // This is a generated file! user_pref("browser.activation.checkedNNFlag", true); user_pref("browser.bookmarks.added_static_root", true); user_pref("browser.chrome.site_icons", false); user_pref("browser.chrome.toolbar_tips", false); user_pref("browser.history.last_page_visited", "http://rad.msn.com/ADSAdClient31.dll?GetAd?PG=HOTEN5?SC=PP?HM=04544b40594b105052565047414671700a4f64511637520d5d525c5e470c37530d606a?LOC=H?TF=_NEW?ID=0001614096B0FB3B?UC=1?PS=9621?PI=44364?AP=1089?NA=1141?NC =9523"); user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); user_pref("browser.startup.homepage", "WWW.HOTMAIL.COM"); user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2"); user_pref("browser.tabs.forceHide", true); user_pref("browser.toolbars.showbutton.bookmarks", false); user_pref("browser.toolbars.showbutton.home", false); user_pref("browser.toolbars.showbutton.mynetscape", false); user_pref O4 - Startup: WeatherBeetle.lnk = C:\Program Files\WeatherBeetle\WB.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://usercenter.cox.net/rsuite/sdc...ad/tgctlcm.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/...lowActiveX.CAB O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\NavNT\Rtvscan.exe End of KRC HijackThis Analyzer Log. ==================================================================== * DLLCompare Log version(1.0.0.125) Files Found that Windows does not See or cannot Access *Not everything listed here means you are infected! ________________________________________________ O^E says: "There were no files found :)" ________________________________________________ 1,344 items found: 1,344 files, 0 directories. Total of file sizes: 289,823,788 bytes 276.39 M Administrator Account = True --------------------End log--------------------- Silent Runners.vbs", revision 35, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "PPMemCheck" = "c:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [null data] "CookiePatrol" = "c:\PROGRA~1\PESTPA~1\CookiePatrol.exe" ["Computer Associates International"] "WINDVDPatch" = "CTHELPER.EXE" ["Creative Technology Ltd"] "SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [null data] "PestPatrol Control Center" = "c:\PROGRA~1\PESTPA~1\PPControl.exe" ["Computer Associates International"] "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS] "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"] "Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."] "iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."] "gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS] "AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."] "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS] "{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"] "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS] "{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SmartFTP\smarthook.dll" ["SmartFTP"] "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."] "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS] Enabled Wallpaper and Active Desktop: ------------------------------------- Active Desktop is disabled. HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\CJ\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp" Startup items in "CJ" & "All Users" startup folders: ---------------------------------------------------- C:\Documents and Settings\CJ\Start Menu\Programs\Startup "WeatherBeetle" -> shortcut to: "C:\Program Files\WeatherBeetle\WB.exe" [null data] C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."] AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."] DefWatch, DefWatch, "C:\PROGRA~1\NavNT\DefWatch.exe" ["Symantec Corporation"] iPod Service, iPodService, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."] NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"] PCTEL Speaker Phone, Pctspk, "C:\WINDOWS\system32\pctspk.exe" ["PCtel, Inc."] Symantec AntiVirus Client, Norton AntiVirus Server, "C:\PROGRA~1\NavNT\Rtvscan.exe" ["Symantec Corporation"] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS] WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS] ---------- This report excludes default entries except where indicated. To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. ---------- |
|
|
|
|
04-17-2005, 10:44 AM
|
#18 (permalink) |
|
Analyst, Security Team
|
Looks good now.
Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and enable system restore by unchecking that same box. Your log is clean. If you disabled System Restore, make sure to enable it now. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided. Are there any problems now? If not, you should be set to go.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
| Thread Tools | |
|
|
