|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
04-19-2005, 03:15 PM
|
#1 (permalink) |
|
Registered User
Join Date: Aug 2004
Posts: 22
OS: WinXP
|
Got quite a mess today - KRC HJT Analyzed
Something decided to extract on my work computer today. Things like websearch and Pacisoft and lots of popups. I ran adaware, then HJT, then KRC HJT analyzer. Thanks for your help. The log is below:
==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.98.2 Scan saved at 2  03 PM, on 4/19/2005Platform: Windows 2000 SP3 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\system32\vyac\citgfoou.exe C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE C:\WINNT\system32\rhgypu\emvcojr.exe C:\WINNT\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe C:\WINNT\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe C:\WINNT\system32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\savroam.exe C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe c:\winnt\system32\ruremq.exe C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe C:\WINNT\system32\PDesk\PDesk.exe C:\WINNT\system32\wintask.exe C:\winnt\system32\uonglf.exe C:\WINNT\system32\uermh\twkcc.exe C:\WINNT\system32\uojgauq\euvgen.exe C:\WINNT\system32\wblejrc\muphfglh.exe C:\Program Files\Media Access\MediaAccK.exe C:\winnt\system32\packager.exe C:\Program Files\Media Access\MediaAccess.exe C:\WINNT\system32\drwtsn32.exe C:\Program Files\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mygene.ne.ge.com/portal/mypag....asp?UserID=2& R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GE Energy R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http-proxy.geps.ge.com:80;https=http-proxy.geps.ge.com:80;ftp=http-proxy.geps.ge.com:80;gopher=http-proxy.geps.ge.com:80 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js) O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINNT\Pynix.dll O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINNT\Bolger.dll O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe" O4 - HKLM\..\Run: [RUNCIS] C:\Program Files\1E\CIS\\RUNCIS.EXE O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE O4 - HKLM\..\Run: [Asset Insight SUM] C:\INSIGHT\TOOLS\AISOFTMN.EXE -B O4 - HKLM\..\Run: [VerifyStartMenu] RunDLL32 C:\NETMANAG.32\NMGOINN.DLL,VerifyStartMenu O4 - HKLM\..\Run: [jpegav] C:\WINNT\Driver Cache\jpegav.exe O4 - HKLM\..\Run: [dlls] C:\WINNT\Speech\dlls.exe O4 - HKLM\..\Run: [cmdutil] C:\WINNT\Cursors\cmdutil.exe O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch O4 - HKLM\..\Run: [MGA_CD_Install] E:\mgasetup.exe /No_Welcome /Lang:English O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitefyy32.exe O4 - HKLM\..\Run: [uonglf] c:\winnt\system32\uonglf.exe O4 - HKLM\..\Run: [twkcc] C:\WINNT\system32\uermh\twkcc.exe O4 - HKLM\..\Run: [citgfoou] C:\WINNT\system32\vyac\citgfoou.exe O4 - HKLM\..\Run: [emvcojr] C:\WINNT\system32\rhgypu\emvcojr.exe O4 - HKLM\..\Run: [euvgen] C:\WINNT\system32\uojgauq\euvgen.exe O4 - HKLM\..\Run: [muphfglh] C:\WINNT\system32\wblejrc\muphfglh.exe O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe O4 - HKLM\..\Run: [gynbbsd] c:\winnt\system32\ruremq.exe O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE O16 - DPF: {CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_01) - http://thor.ne.ge.com:7001/ematrix/a...1_01-win-i.exe O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ne.ge.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ne.ge.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ne.ge.com End of KRC HijackThis Analyzer Log. ==================================================================== |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
04-19-2005, 04:57 PM
|
#2 (permalink) |
|
Analyst, Security Team
|
You have an outdated version of HijackThis. Download the newest version at http://www.greyknight17.com/spy/HijackThis.exe and run it.
Before you give us a new log here, if we gave you instructions for a fix, please do the fixes first and then post the new log with this updated version. 1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'. 2. If you don't get the intro screen, just hit Scan and then click on Save log. 3. Get HijackThis Analyzer http://www.greyknight17.com/spy/KRC%...20Analyzer.zip and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in 'y' if you agree. The 'result.txt' file will open up in Notepad. Copy the whole result.txt log and post it in the forum. You don't need to post the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro-europe.com/ente...all_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Don't run it yet. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\WINNT\system32\vyac\citgfoou.exe C:\WINNT\system32\rhgypu\emvcojr.exe c:\winnt\system32\ruremq.exe C:\WINNT\system32\wintask.exe C:\winnt\system32\uonglf.exe C:\WINNT\system32\uermh\twkcc.exe C:\WINNT\system32\uojgauq\euvgen.exe C:\WINNT\system32\wblejrc\muphfglh.exe C:\Program Files\Media Access\MediaAccK.exe C:\Program Files\Media Access\MediaAccess.exe Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: Media Access Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - C:\WINNT\Pynix.dll O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINNT\Bolger.dll O4 - HKLM\..\Run: [jpegav] C:\WINNT\Driver Cache\jpegav.exe O4 - HKLM\..\Run: [dlls] C:\WINNT\Speech\dlls.exe O4 - HKLM\..\Run: [cmdutil] C:\WINNT\Cursors\cmdutil.exe O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\system32\wintask.exe O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\elitefyy32.exe O4 - HKLM\..\Run: [uonglf] c:\winnt\system32\uonglf.exe O4 - HKLM\..\Run: [twkcc] C:\WINNT\system32\uermh\twkcc.exe O4 - HKLM\..\Run: [citgfoou] C:\WINNT\system32\vyac\citgfoou.exe O4 - HKLM\..\Run: [emvcojr] C:\WINNT\system32\rhgypu\emvcojr.exe O4 - HKLM\..\Run: [euvgen] C:\WINNT\system32\uojgauq\euvgen.exe O4 - HKLM\..\Run: [muphfglh] C:\WINNT\system32\wblejrc\muphfglh.exe O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe O4 - HKLM\..\Run: [gynbbsd] c:\winnt\system32\ruremq.exe Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\Program Files\Media Access\ C:\WINNT\Bolger.dll C:\WINNT\Cursors\cmdutil.exe C:\WINNT\Driver Cache\jpegav.exe C:\WINNT\Pynix.dll C:\WINNT\Speech\dlls.exe C:\winnt\system32\elitefyy32.exe C:\WINNT\system32\exp.exe C:\WINNT\system32\rhgypu\ c:\winnt\system32\ruremq.exe C:\WINNT\system32\uermh\ C:\WINNT\system32\uojgauq\ c:\winnt\system32\uonglf.exe C:\winnt\system32\uonglf.exe C:\WINNT\system32\vyac\ C:\WINNT\system32\wblejrc\ C:\WINNT\system32\wintask.exe Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. There are some entries/programs that I can't find enough information on (probably company related programs). Do you know what these are for: O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe" O4 - HKLM\..\Run: [RUNCIS] C:\Program Files\1E\CIS\\RUNCIS.EXE O4 - HKLM\..\Run: [Asset Insight SUM] C:\INSIGHT\TOOLS\AISOFTMN.EXE -B O4 - HKLM\..\Run: [VerifyStartMenu] RunDLL32 C:\NETMANAG.32\NMGOINN.DLL,VerifyStartMenu
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
04-20-2005, 09:16 AM
|
#3 (permalink) |
|
Registered User
Join Date: Aug 2004
Posts: 22
OS: WinXP
|
Followup KRC Log
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 8:14:08 AM, on 4/20/2005 Platform: Windows 2000 SP3 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE C:\WINNT\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe C:\WINNT\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe C:\WINNT\system32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\savroam.exe C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe C:\WINNT\system32\PDesk\PDesk.exe c:\winnt\system32\rsodrrv.exe C:\Program Files\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mygene.ne.ge.com/portal/mypag....asp?UserID=2& R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GE Energy R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http-proxy.geps.ge.com:80;https=http-proxy.geps.ge.com:80;ftp=http-proxy.geps.ge.com:80;gopher=http-proxy.geps.ge.com:80 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js) O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe" O4 - HKLM\..\Run: [RUNCIS] C:\Program Files\1E\CIS\\RUNCIS.EXE O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE O4 - HKLM\..\Run: [Asset Insight SUM] C:\INSIGHT\TOOLS\AISOFTMN.EXE -B O4 - HKLM\..\Run: [VerifyStartMenu] RunDLL32 C:\NETMANAG.32\NMGOINN.DLL,VerifyStartMenu O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch O4 - HKLM\..\Run: [MGA_CD_Install] E:\mgasetup.exe /No_Welcome /Lang:English O4 - HKLM\..\Run: [amrbiuo] c:\winnt\system32\rsodrrv.exe O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE O16 - DPF: {CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_01) - http://thor.ne.ge.com:7001/ematrix/a...1_01-win-i.exe O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ne.ge.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ne.ge.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ne.ge.com O23 - Service: Asset Insight Client (AICLIENT) - Unknown owner - C:\INSIGHT\TOOLS\Aiclient.EXE O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: SAVRoam - symantec - C:\PROGRA~1\SYMANT~1\SYMANT~1\savroam.exe O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe End of KRC HijackThis Analyzer Log. ==================================================================== |
|
|
|
|
04-20-2005, 02:33 PM
|
#4 (permalink) |
|
Analyst, Security Team
|
You didn't answer my question previously? Is it safe for me to assume that you knew what all 4 of those entries were for?
Right click on http://www.silentrunners.org/Silent%20Runners.vbs and choose Save As...Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post. Download DllCompare http://www.greyknight17.com/spy/DllCompare.exe and run it. Click on the 'Locate.com' button. Wait a few seconds and then click on the 'Compare' button. Let it run, then click on 'Make a log of what was found'. Post that log here. Note: If you are having problems using DllCompare (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running DllCompare.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
04-21-2005, 10:22 AM
|
#5 (permalink) |
|
Registered User
Join Date: Aug 2004
Posts: 22
OS: WinXP
|
Sorry I didn't answer your question. Yes those 4 entries are work-related items.
Here's the Silent Runner log: "Silent Runners.vbs", revision 35, http://www.silentrunners.org/ Operating System: Windows 2000 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "Synchronization Manager" = "mobsync.exe /logon" [MS] "IgfxTray" = "C:\WINNT\System32\igfxtray.exe" ["Intel Corporation"] "HotKeysCmds" = "C:\WINNT\System32\hkcmd.exe" ["Intel Corporation"] "CreateCD50" = ""C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r" ["Roxio"] "AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"] "Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS] "TempRemove" = ""C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"" [null data] "vptray" = "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe" ["Symantec Corporation"] "MULTIMEDIA KEYBOARD" = "C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" ["Netropa Corp."] "RUNCIS" = "C:\Program Files\1E\CIS\\RUNCIS.EXE" [MS] "SMS Application Launcher" = "C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE" [MS] "Asset Insight SUM" = "C:\INSIGHT\TOOLS\AISOFTMN.EXE -B" [null data] "VerifyStartMenu" = "RunDLL32 C:\NETMANAG.32\NMGOINN.DLL,VerifyStartMenu" [MS] "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."] "MMTray" = "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" ["Musicmatch, Inc."] "Matrox Powerdesk" = "C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch" ["Matrox Graphics Inc."] "MGA_CD_Install" = "E:\mgasetup.exe /No_Welcome /Lang:English" [file not found] "amrbiuo" = "c:\winnt\system32\rsodrrv.exe" ["TODO: <Company name>"] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."] "{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"] "{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind" -> {CLSID}\InProcServer32\(Default) = "C:\O2KSTD\PFiles\MSOffice\Office\1033\UNBIND.DLL" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\O2KSTD\PFiles\MSOffice\Office\OLKFSTUB.DLL" [MS] "{7F287F67-C629-11D0-8745-0000E8C9F421}" = "PKZIP Archive" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PKWARE\PKZIPE\PKSHELL.dll" ["PKWARE, Inc."] "{7414E744-CEFF-11D1-BBE3-0000E8C9F421}" = "PKContextMenuHandler Class" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PKWARE\PKZIPE\PKSHEX.dll" ["PKWARE, Inc."] "{80CED3A7-7FED-11D3-9C3A-00104BD14091}" = "PKZIP Folder Shortcut" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PKWARE\PKZIPE\PKSHEX.dll" ["PKWARE, Inc."] "{12490005-D2D5-11D1-BBE4-0000E8C9F421}" = "PKZIP Archive Manager" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PKWARE\PKZIPE\PKZC_AT.dll" ["PKWARE, Inc."] "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] "{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\soa800.dll" [MS] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] "{DB8DC413-C0AA-11D0-9545-080009B1C2F3}" = "Hummingbird Neighborhood" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Hummingbird\Connectivity\7.10\HostExplorer\Ftp\heshell.dll" ["Hummingbird Ltd."] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! NavLogon\DLLName = "C:\WINNT\system32\NavLogon.dll" [null data] Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINNT\system32\ssflwbox.scr" [MS] Enabled Wallpaper and Active Desktop: ------------------------------------- Active Desktop is enabled. HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "D:\My Documents\My Pictures\100_0539.JPG" Startup items in "NEV90175" & "All Users" startup folders: ---------------------------------------------------------- D:\Documents and Settings\All Users\Start Menu\Programs\Startup "Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe" ["Adobe Systems Inc."] "Microsoft Find Fast" -> shortcut to: "C:\Program Files\Microsoft Office\Office\FINDFAST.EXE" [MS] "Office Startup" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA.EXE -b" [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 11 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Asset Insight Client, AICLIENT, "C:\INSIGHT\TOOLS\Aiclient.EXE" [null data] DefWatch, DefWatch, "C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe" ["Symantec Corporation"] Hummingbird Inetd, HCLInetd, "C:\WINNT\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe" ["Hummingbird Ltd."] Hummingbird Jconfig Daemon, Jconfigd, "C:\WINNT\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe" ["Hummingbird Ltd."] MGABGEXE, MGABGEXE, "C:\WINNT\system32\mgabg.exe" ["Matrox Graphics Inc."] Netropa NHK Server, nhksrv, "C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe" [null data] SAVRoam, SAVRoam, "C:\PROGRA~1\SYMANT~1\SYMANT~1\savroam.exe" ["symantec"] SMS Client Service, clisvc, "C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE" [MS] Symantec AntiVirus Client, Norton AntiVirus Server, "C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe" ["Symantec Corporation"] TCP/IP Print Server, LPDSVC, "C:\WINNT\System32\tcpsvcs.exe" [MS] Keyboard Driver Filters: ------------------------ HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\ "UpperFilters" = INFECTION WARNING! "msikbd2k" ["Netropa Corporation"] ---------- This report excludes default entries except where indicated. To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. ---------- ---------------------------------------------------------------------- And here's the locate.com log: * DLLCompare Log version(1.0.0.125) Files Found that Windows does not See or cannot Access *Not everything listed here means you are infected! ________________________________________________ O^E says: "There were no files found :)" ________________________________________________ 1,191 items found: 1,191 files, 0 directories. Total of file sizes: 213,528,762 bytes 203.64 M Administrator Account = True --------------------End log--------------------- |
|
|
|
|
04-21-2005, 10:37 AM
|
#6 (permalink) |
|
Analyst, Security Team
|
OK, I see only one more item that needs removal.
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/Cleanup.exe ) and install it. Don't run it yet. Boot into Safe Mode. Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete amrbiuo If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor. Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot): c:\winnt\system32\rsodrrv.exe If you have Windows XP, go to C:\Windows\Prefetch and delete everything inside that Prefetch folder. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Restart and post a new log for HijackThis and Silent Runners.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
04-21-2005, 11:42 AM
|
#7 (permalink) |
|
Registered User
Join Date: Aug 2004
Posts: 22
OS: WinXP
|
In safe mode, the amrbiuo file didn't show up in regedit. Here's the updated KRC HJT log and Silent Runner. In the midst of all this, I appear to have lost the driver for my media handler. Any ideas on that one?
==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05 Get updates at http://www.greyknight17.com/download.htm#programs ***Security Programs Detected*** C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 10:38:21 AM, on 4/21/2005 Platform: Windows 2000 SP3 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE C:\WINNT\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe C:\WINNT\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe C:\WINNT\system32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\savroam.exe C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe c:\winnt\system32\ujbegy.exe C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe C:\WINNT\system32\PDesk\PDesk.exe C:\Program Files\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mygene.ne.ge.com/portal/mypag....asp?UserID=2& R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by GE Energy R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http-proxy.geps.ge.com:80;https=http-proxy.geps.ge.com:80;ftp=http-proxy.geps.ge.com:80;gopher=http-proxy.geps.ge.com:80 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js) O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe" O4 - HKLM\..\Run: [RUNCIS] C:\Program Files\1E\CIS\\RUNCIS.EXE O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE O4 - HKLM\..\Run: [Asset Insight SUM] C:\INSIGHT\TOOLS\AISOFTMN.EXE -B O4 - HKLM\..\Run: [VerifyStartMenu] RunDLL32 C:\NETMANAG.32\NMGOINN.DLL,VerifyStartMenu O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch O4 - HKLM\..\Run: [MGA_CD_Install] E:\mgasetup.exe /No_Welcome /Lang:English O4 - HKLM\..\Run: [oaksoyc] c:\winnt\system32\ujbegy.exe O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE O16 - DPF: {CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_01) - http://thor.ne.ge.com:7001/ematrix/a...1_01-win-i.exe O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ne.ge.com O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ne.ge.com O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ne.ge.com O23 - Service: Asset Insight Client (AICLIENT) - Unknown owner - C:\INSIGHT\TOOLS\Aiclient.EXE O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: SAVRoam - symantec - C:\PROGRA~1\SYMANT~1\SYMANT~1\savroam.exe O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe End of KRC HijackThis Analyzer Log. ==================================================================== "Silent Runners.vbs", revision 35, http://www.silentrunners.org/ Operating System: Windows 2000 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "Synchronization Manager" = "mobsync.exe /logon" [MS] "IgfxTray" = "C:\WINNT\System32\igfxtray.exe" ["Intel Corporation"] "HotKeysCmds" = "C:\WINNT\System32\hkcmd.exe" ["Intel Corporation"] "CreateCD50" = ""C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r" ["Roxio"] "AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"] "Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS] "TempRemove" = ""C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"" [null data] "vptray" = "C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe" ["Symantec Corporation"] "MULTIMEDIA KEYBOARD" = "C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" ["Netropa Corp."] "RUNCIS" = "C:\Program Files\1E\CIS\\RUNCIS.EXE" [MS] "SMS Application Launcher" = "C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE" [MS] "Asset Insight SUM" = "C:\INSIGHT\TOOLS\AISOFTMN.EXE -B" [null data] "VerifyStartMenu" = "RunDLL32 C:\NETMANAG.32\NMGOINN.DLL,VerifyStartMenu" [MS] "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."] "MMTray" = "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" ["Musicmatch, Inc."] "Matrox Powerdesk" = "C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch" ["Matrox Graphics Inc."] "MGA_CD_Install" = "E:\mgasetup.exe /No_Welcome /Lang:English" [file not found] "oaksoyc" = "c:\winnt\system32\ujbegy.exe" ["TODO: <Company name>"] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."] "{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"] "{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind" -> {CLSID}\InProcServer32\(Default) = "C:\O2KSTD\PFiles\MSOffice\Office\1033\UNBIND.DLL" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\O2KSTD\PFiles\MSOffice\Office\OLKFSTUB.DLL" [MS] "{7F287F67-C629-11D0-8745-0000E8C9F421}" = "PKZIP Archive" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PKWARE\PKZIPE\PKSHELL.dll" ["PKWARE, Inc."] "{7414E744-CEFF-11D1-BBE3-0000E8C9F421}" = "PKContextMenuHandler Class" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PKWARE\PKZIPE\PKSHEX.dll" ["PKWARE, Inc."] "{80CED3A7-7FED-11D3-9C3A-00104BD14091}" = "PKZIP Folder Shortcut" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PKWARE\PKZIPE\PKSHEX.dll" ["PKWARE, Inc."] "{12490005-D2D5-11D1-BBE4-0000E8C9F421}" = "PKZIP Archive Manager" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PKWARE\PKZIPE\PKZC_AT.dll" ["PKWARE, Inc."] "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] "{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\soa800.dll" [MS] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] "{DB8DC413-C0AA-11D0-9545-080009B1C2F3}" = "Hummingbird Neighborhood" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Hummingbird\Connectivity\7.10\HostExplorer\Ftp\heshell.dll" ["Hummingbird Ltd."] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! NavLogon\DLLName = "C:\WINNT\system32\NavLogon.dll" [null data] Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINNT\system32\ssflwbox.scr" [MS] Enabled Wallpaper and Active Desktop: ------------------------------------- Active Desktop is enabled. HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "D:\My Documents\My Pictures\100_0539.JPG" Startup items in "NEV90175" & "All Users" startup folders: ---------------------------------------------------------- D:\Documents and Settings\All Users\Start Menu\Programs\Startup "Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe" ["Adobe Systems Inc."] "Microsoft Find Fast" -> shortcut to: "C:\Program Files\Microsoft Office\Office\FINDFAST.EXE" [MS] "Office Startup" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA.EXE -b" [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 11 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Asset Insight Client, AICLIENT, "C:\INSIGHT\TOOLS\Aiclient.EXE" [null data] DefWatch, DefWatch, "C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe" ["Symantec Corporation"] Hummingbird Inetd, HCLInetd, "C:\WINNT\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe" ["Hummingbird Ltd."] Hummingbird Jconfig Daemon, Jconfigd, "C:\WINNT\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe" ["Hummingbird Ltd."] MGABGEXE, MGABGEXE, "C:\WINNT\system32\mgabg.exe" ["Matrox Graphics Inc."] Netropa NHK Server, nhksrv, "C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe" [null data] SAVRoam, SAVRoam, "C:\PROGRA~1\SYMANT~1\SYMANT~1\savroam.exe" ["symantec"] SMS Client Service, clisvc, "C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE" [MS] Symantec AntiVirus Client, Norton AntiVirus Server, "C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe" ["Symantec Corporation"] TCP/IP Print Server, LPDSVC, "C:\WINNT\System32\tcpsvcs.exe" [MS] Keyboard Driver Filters: ------------------------ HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\ "UpperFilters" = INFECTION WARNING! "msikbd2k" ["Netropa Corporation"] ---------- This report excludes default entries except where indicated. To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. ---------- |
|
|
|
|
04-21-2005, 12:27 PM
|
#8 (permalink) |
|
Analyst, Security Team
|
What is that? Is that for Windows Media Player? OK, we'll hold off on that problem until we get this figured out first. That should be the least of our worries here.
Please give us all these logs also. I think it's hiding again. Make sure not to restart/shutdown your computer either. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/Cleanup.exe ) and install it. Do not run it yet. Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready. With that said (when ready): Open up HijackThis and go to Config->Misc Tools and check the first two boxes there. Now click on the 'Generate StartupList log' button. Post that log in your next post. Download FindQoologic-Narrator.zip at http://forums.net-integration.net/in...post&id=134981 and save it to your Desktop. Create a new folder on your desktop (right click and select New->Folder) and call it FindQoologic. Now unzip the file contents of that zip file into that folder. Locate and double-click the Find-Qoologic.bat file to run it. Wait until a text file opens and post that in your next reply. Download DllCompare http://www.greyknight17.com/spy/DllCompare.exe and run it. Click on the 'Locate.com' button. Wait a few seconds and then click on the 'Compare' button. Let it run, then click on 'Make a log of what was found'. Post that log here. Note: If you are having problems using DllCompare (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running DllCompare. Download 'Find It NT-2K-XP' at http://www.greyknight17.com/spy/Find...20NT-2K-XP.zip for Windows NT/2000/XP. For those with Windows 98/ME, get FindIt9xME at http://www.greyknight17.com/spy/FindIt9xME.zip instead. Once downloaded, unzip it. Open up the folder and double click on the FindNarrator.bat (Windows NT/2K/XP users) or the FindIt9xMe.bat (for Windows 98/ME users) file. Let it run for a while. This will generate a log file. Please post the entire contents of the log file here. Post all of the logs in your next post. We need all of them to get a fix for this infection.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. |
|
|
|
|
04-26-2005, 02:06 PM
|
#9 (permalink) |
|
Registered User
Join Date: Aug 2004
Posts: 22
OS: WinXP
|
I was able to reload the sound driver, so ignore that. I'm in a networking setup and we've been having problems the past week. I don't know if that's having impacts on these logs.
Startup list: StartupList report, 4/26/2005, 12:50:47 PM StartupList version: 1.52.2 Started from : C:\Program Files\HJT\HijackThis.EXE Detected: Windows 2000 SP3 (WinNT 5.00.2195) Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106) * Using default options * Including empty and uninteresting sections * Showing rarely important sections ================================================== Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe C:\INSIGHT\TOOLS\Aiclient.EXE C:\INSIGHT\TOOLS\AICR.EXE C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe C:\WINNT\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe C:\WINNT\system32\Hummingbird\Connectivity\7.10\Jconfig\hjavaw.exe C:\WINNT\System32\tcpsvcs.exe C:\WINNT\system32\mgabg.exe C:\Program Files\JavaSoft\JRE\1.3.1\bin\javaw.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINNT\system32\regsvc.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\savroam.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE c:\winnt\system32\ujbegy.exe C:\WINNT\System32\hkcmd.exe C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE C:\INSIGHT\TOOLS\AISOFTMN.EXE C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe C:\Program Files\QuickTime\qttask.exe C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe C:\Program Files\Netropa\Onscreen Display\OSD.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe C:\WINNT\system32\PDesk\PDesk.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\Microsoft Office\Office\OSA.EXE C:\O2KSTD\PFiles\MSOffice\Office\OUTLOOK.EXE C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE C:\NETMANAG.32\TELNET.EXE C:\Program Files\Real\RealPlayer\realplay.exe C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe C:\WINNT\system32\NOTEPAD.EXE C:\NETMANAG.32\TELNET.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\O2KSTD\PFiles\MSOffice\Office\EXCEL.EXE C:\O2KSTD\PFiles\MSOffice\Office\WINWORD.EXE C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe C:\Program Files\Common Files\Adobe\Web\AOM.exe C:\Program Files\HJT\HijackThis.exe -------------------------------------------------- Listing of startup folders: Shell folders Startup: [D:\Documents and Settings\NEV90175\Start Menu\Programs\Startup] *No files* Shell folders AltStartup: *Folder not found* User shell folders Startup: *Folder not found* User shell folders AltStartup: *Folder not found* Shell folders Common Startup: [D:\Documents and Settings\All Users\Start Menu\Programs\Startup] Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE Shell folders Common AltStartup: *Folder not found* User shell folders Common Startup: *Folder not found* User shell folders Alternate Common Startup: *Folder not found* -------------------------------------------------- Checking Windows NT UserInit: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINNT\system32\userinit.exe, [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon] *Registry value not found* [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] *Registry value not found* [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon] *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Synchronization Manager = mobsync.exe /logon IgfxTray = C:\WINNT\System32\igfxtray.exe HotKeysCmds = C:\WINNT\System32\hkcmd.exe CreateCD50 = "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp TempRemove = "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe" vptray = C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe MULTIMEDIA KEYBOARD = C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe RUNCIS = C:\Program Files\1E\CIS\\RUNCIS.EXE SMS Application Launcher = C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE Asset Insight SUM = C:\INSIGHT\TOOLS\AISOFTMN.EXE -B VerifyStartMenu = RunDLL32 C:\NETMANAG.32\NMGOINN.DLL,VerifyStartMenu QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot MMTray = C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe Matrox Powerdesk = C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch MGA_CD_Install = E:\mgasetup.exe /No_Welcome /Lang:English oaksoyc = c:\winnt\system32\ujbegy.exe -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce MigrateMMDrivers = rundll32.exe mmsys.cpl,mmseRunOnce -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *No values found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run *No values found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce *No values found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\Run [OptionalComponents] *No values found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\Run *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- File association entry for .EXE: HKEY_CLASSES_ROOT\exefile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .COM: HKEY_CLASSES_ROOT\comfile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .BAT: HKEY_CLASSES_ROOT\batfile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .PIF: HKEY_CLASSES_ROOT\piffile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .SCR: HKEY_CLASSES_ROOT\scrfile\shell\open\command (Default) = "%1" /S -------------------------------------------------- File association entry for .HTA: HKEY_CLASSES_ROOT\htafile\shell\open\command (Default) = C:\WINNT\System32\mshta.exe "%1" %* -------------------------------------------------- File association entry for .TXT: HKEY_CLASSES_ROOT\txtfile\shell\open\command (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1 -------------------------------------------------- Enumerating Active Setup stub paths: HKLM\Software\Microsoft\Active Setup\Installed Components (* = disabled by HKCU twin) -------------------------------------------------- Enumerating ICQ Agent Autostart apps: HKCU\Software\Mirabilis\ICQ\Agent\Apps *Registry key not found* -------------------------------------------------- Load/Run keys from C:\WINNT\WIN.INI: load=*INI section not found* run=*INI section not found* Load/Run keys from Registry: HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found* HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry value not found* HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry value not found* HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found* HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found* HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found* HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found* HKCU\..\Windows NT\CurrentVersion\Windows: load= HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs= -------------------------------------------------- Shell & screensaver key from C:\WINNT\SYSTEM.INI: Shell=*INI section not found* SCRNSAVE.EXE=*INI section not found* drivers=*INI section not found* Shell & screensaver key from Registry: Shell=Explorer.exe SCRNSAVE.EXE=C:\WINNT\system32\ssflwbox.scr drivers=*Registry value not found* Policies Shell key: HKCU\..\Policies: Shell=*Registry key not found* HKLM\..\Policies: Shell=*Registry value not found* -------------------------------------------------- Checking for EXPLORER.EXE instances: C:\WINNT\Explorer.exe: PRESENT! C:\Explorer.exe: not present C:\WINNT\Explorer\Explorer.exe: not present C:\WINNT\System\Explorer.exe: not present C:\WINNT\System32\Explorer.exe: not present C:\WINNT\Command\Explorer.exe: not present C:\WINNT\Fonts\Explorer.exe: not present -------------------------------------------------- Checking for superhidden extensions: .lnk: HIDDEN! (arrow overlay: yes) .pif: HIDDEN! (arrow overlay: yes) .exe: not hidden .com: not hidden .bat: not hidden .hta: not hidden .scr: not hidden .shs: HIDDEN! .shb: HIDDEN! .vbs: not hidden .vbe: not hidden .wsh: not hidden .scf: HIDDEN! (arrow overlay: NO!) .url: HIDDEN! (arrow overlay: yes) .js: not hidden .jse: not hidden -------------------------------------------------- Verifying REGEDIT.EXE integrity: - Regedit.exe found in C:\WINNT - .reg open command is normal (regedit.exe %1) - Company name OK: 'Microsoft Corporation' - Original filename OK: 'REGEDIT.EXE' - File description: 'Registry Editor' Registry check passed -------------------------------------------------- Enumerating Browser Helper Objects: *No BHO's found* -------------------------------------------------- Enumerating Task Scheduler jobs: *No jobs found* -------------------------------------------------- Enumerating Download Program Files: [DirectAnimation Java Classes] CODEBASE = file://C:\WINNT\Java\classes\dajava.cab OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd [Microsoft XML Parser for Java] CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd [Java Plug-in 1.3.1_01] InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.1\bin\npjava131_01.dll CODEBASE = http://java.sun.com/products/plugin/...131_01-win.cab [Java Plug-in 1.3.1_01] InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.1\bin\npjava131_01.dll CODEBASE = http://thor.ne.ge.com:7001/ematrix/a...1_01-win-i.exe [Shockwave Flash Object] InProcServer32 = C:\WINNT\system32\macromed\flash\Flash.ocx CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab -------------------------------------------------- Enumerating Winsock LSP files: NameSpace #1: C:\WINNT\System32\rnr20.dll NameSpace #2: C:\WINNT\System32\winrnr.dll Protocol #1: C:\WINNT\system32\msafd.dll Protocol #2: C:\WINNT\system32\msafd.dll Protocol #3: C:\WINNT\system32\msafd.dll Protocol #4: C:\WINNT\system32\rsvpsp.dll Protocol #5: C:\WINNT\system32\rsvpsp.dll Protocol #6: C:\WINNT\system32\msafd.dll Protocol #7: C:\WINNT\system32\msafd.dll Protocol #8: C:\WINNT\system32\msafd.dll Protocol #9: C:\WINNT\system32\msafd.dll Protocol #10: C:\WINNT\system32\msafd.dll Protocol #11: C:\WINNT\system32\msafd.dll -------------------------------------------------- Enumerating Windows NT/2000/XP services Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system) aeaudio: system32\drivers\aeaudio.sys (manual start) AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart) Asset Insight Client: C:\INSIGHT\TOOLS\Aiclient.EXE (autostart) AINM Packet Capture Protocol: system32\DRIVERS\ainmcapt.sys (manual start) Alerter: %SystemRoot%\System32\services.exe (manual start) Application Management: %SystemRoot%\system32\services.exe (manual start) ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start) RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start) Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system) ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start) Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start) Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k BITSgroup (manual start) Computer Browser: %SystemRoot%\System32\services.exe (disabled) Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start) CD-ROM Driver: System32\DRIVERS\cdrom.sys (system) Indexing Service: C:\WINNT\System32\cisvc.exe (manual start) citgfoouvyac: C:\WINNT\system32\vyac\citgfoou.exe (disabled) ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start) SMS Client Service: C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE (autostart) DefWatch: C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe (autostart) DHCP Client: %SystemRoot%\System32\services.exe (autostart) Disk Driver: System32\DRIVERS\disk.sys (system) Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start) dmboot: System32\drivers\dmboot.sys (disabled) Logical Disk Manager Driver: System32\drivers\dmio.sys (system) dmload: System32\drivers\dmload.sys (system) Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart) Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start) DNS Client: %SystemRoot%\System32\services.exe (autostart) Intel(R) PRO/1000 Adapter Driver: System32\DRIVERS\e1000nt5.sys (manual start) emvcojrrhgypu: C:\WINNT\system32\rhgypu\emvcojr.exe (disabled) Event Log: %SystemRoot%\system32\services.exe (autostart) COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start) Fax Service: %systemroot%\system32\faxsvc.exe (manual start) Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start) Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start) Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system) G400DH: system32\DRIVERS\g400dhm.sys (manual start) Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start) Hummingbird Inetd: C:\WINNT\system32\Hummingbird\Connectivity\7.10\Inetd\inetd32.exe (autostart) i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system) ialm: System32\DRIVERS\ialmnt5.sys (manual start) IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start) IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start) IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start) IPSEC driver: System32\DRIVERS\ipsec.sys (manual start) IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start) PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system) Hummingbird Jconfig Daemon: C:\WINNT\system32\Hummingbird\Connectivity\7.10\Jconfig\jconfigdnt.exe (autostart) Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system) Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start) Server: %SystemRoot%\System32\services.exe (autostart) Workstation: %SystemRoot%\System32\services.exe (autostart) TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart) TCP/IP Print Server: %SystemRoot%\System32\tcpsvcs.exe (autostart) Messenger: %SystemRoot%\System32\services.exe (disabled) mgabg: \??\C:\WINNT\system32\drivers\mgabg.sys (manual start) MGABGEXE: %SystemRoot%\system32\mgabg.exe (autostart) NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start) Mouse Class Driver: System32\DRIVERS\mouclass.sys (system) BDA MPE Filter: System32\DRIVERS\MPE.sys (manual start) MRXSMB: System32\DRIVERS\mrxsmb.sys (system) Distributed Transaction Coordinator: C:\WINNT\system32\msdtc.exe (manual start) Multimedia Keyboard Filter Driver: System32\DRIVERS\msikbd2k.sys (system) Windows Installer: C:\WINNT\system32\msiexec.exe /V (manual start) Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start) Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start) Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start) Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start) NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start) NAVAP: \??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys (manual start) NAVAPEL: \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS (autostart) NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050422.017\NAVENG.sys (manual start) NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050422.017\NAVEX15.sys (manual start) Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start) Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start) NetBIOS Interface: System32\DRIVERS\netbios.sys (system) NetBios over Tcpip: System32\DRIVERS\netbt.sys (system) Network DDE: %SystemRoot%\system32\netdde.exe (manual start) Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start) NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start) Net Logon: %SystemRoot%\System32\lsass.exe (autostart) Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Netropa NHK Server: C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (autostart) Symantec AntiVirus Client: C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (autostart) NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start) Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start) IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start) Parallel class driver: System32\DRIVERS\parallel.sys (manual start) Parallel port driver: System32\DRIVERS\parport.sys (system) PCI Bus Driver: System32\DRIVERS\pci.sys (system) PCIIde: System32\DRIVERS\pciide.sys (system) Plug and Play: %SystemRoot%\system32\services.exe (autostart) IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart) WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start) Protected Storage: %SystemRoot%\system32\services.exe (autostart) Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start) Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system) Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start) Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Direct Parallel: System32\DRIVERS\raspti.sys (manual start) Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start) Rdbss: System32\DRIVERS\rdbss.sys (system) Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system) Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled) Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart) Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start) Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart) QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start) Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart) SAVRoam: C:\PROGRA~1\SYMANT~1\SYMANT~1\savroam.exe (autostart) Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start) Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start) Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart) RunAs Service: %SystemRoot%\system32\services.exe (autostart) System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start) Serial port driver: System32\DRIVERS\serial.sys (system) Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start) SMS Hardware Inventory Agent Service: C:\WINNT\MS\SMS\clicomp\hinv\hinv32.exe (manual start) smwdm: system32\drivers\smwdm.sys (manual start) Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart) Srv: System32\DRIVERS\srv.sys (manual start) BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start) System Startup Service : C:\WINNT\svcproc.exe (autostart) Software Bus Driver: System32\DRIVERS\swenum.sys (manual start) Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start) SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start) Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start) Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start) Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system) Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart) Microsoft USB Universal Host Controller Driver: System32\DRIVERS\uhcd.sys (manual start) Microcode Update Driver: System32\DRIVERS\update.sys (manual start) Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start) Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start) Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start) USB 2.0 Root Hub Support: system32\DRIVERS\usbhub20.sys (manual start) USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start) Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start) UtilNT: \??\C:\WINNT\system32\drivers\UtilNT.sys (manual start) VgaSave: \SystemRoot\System32\drivers\vga.sys (system) Windows Time: %SystemRoot%\System32\services.exe (autostart) Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start) Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start) Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart) Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start) World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start) Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart) Intel(R) Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (manual start) Intel(R) Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start) -------------------------------------------------- Enumerating Windows NT logon/logoff scripts: *No scripts set to run* Windows NT checkdisk command: BootExecute = autocheck autochk * Windows NT 'Wininit.ini': PendingFileRenameOperations: *Registry value not found* -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll WebCheck: C:\WINNT\System32\webcheck.dll SysTray: stobject.dll -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run *Registry key not found* -------------------------------------------------- End of report, 29,226 bytes Report generated in 0.219 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only --------------------------------------------------------------------- ****************************************************** --------------------------------------------------------------------- Qoologic log: The dos prompt contained: "Invalid search path 'reg' is not recognized as an internal or external command, operable program or batch file." That said, here's the log: PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. »»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»» (fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f85ba9 Global Startup: D:\Documents and Settings\All Users\Start Menu\Programs\Startup . .. Acrobat Assistant.lnk Microsoft Find Fast.lnk Office Startup.lnk User Startup: D:\Documents and Settings\NEV90175\Start Menu\Programs\Startup . .. »»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» "Find activesetup", version1, launched at: 12:52 Operating System: Windows 2000 ------------------------------------------------------------------------ ******************************************************** ------------------------------------------------------------------------ DllCompare log: * DLLCompare Log version(1.0.0.125) Files Found that Windows does not See or cannot Access *Not everything listed here means you are infected! ________________________________________________ O^E says: "There were no files found :)" ________________________________________________ 1,191 items found: 1,191 files, 0 directories. Total of file sizes: 213,528,762 bytes 203.64 M Administrator Account = True --------------------End log--------------------- -------------------------------------------------------------------- ***************************************************** -------------------------------------------------------------------- As far as extracting FindIt, I got 3 files: find.bat, locate.com, and strings.exe. The log below represents the dos log from find.bat. A log file was not generated: Please disregard any "File Not Found" messages, they are a normal part of the search process. File Not Found Beginning Strings.exe search...this portion of the search can take several minutes, please allow it to run until the log appears. The system cannot find the path specified. |
|
|
|
