CWS Infection


70 replies to this topic

#21 Masamune42

    Journeyman

  • Members
  • 31 posts

Posted 12 December 2004 - 10:51 AM

After running Trend Micro's scan, I came up with seven Trojans. It was able to delete all but one, which it claimed was in use; it was listed as follows:

TROJ NARRATOR.A CanNotAccess c:\windows\system32\lpiooq.dll


I'm going to run Norton just out of curiosity to see what comes up. I'm assuming that won't mess anything up. (If it does, then, erm, I'm an idiot.)

#22 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 12 December 2004 - 11:06 AM

Use Killbox on the file

Copy and paste this into Killbox
c:\windows\system32\lpiooq.dll

Make sure you have all browser windows closed down before you hit the Kill button
and then reboot

Might be a good idea to run Norton's, might be best done in Safe mode

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#23 Masamune42

    Journeyman

  • Members
  • 31 posts

Posted 12 December 2004 - 11:36 AM

Alright, KillBox used to delete that file.

I'm restarting in safe mode now to run Norton's.

I'll check back in when it's done.

#24 Guest_Guest_*
  • Guests

Posted 12 December 2004 - 11:42 AM

When you're done can you post back the Findit.bat log
and the HijackThis log

This infection is fairly new, let's make sure we get it all.
The last Findit.bat log indicated that the OptimalLayout registry string was still present.

Let's see how your logs look later

#25 Masamune42

    Journeyman

  • Members
  • 31 posts

Posted 12 December 2004 - 02:03 PM

Well, Norton popped up with 8 items that it couldn't remove, all of which appeared to be part of a piece of adware called SAHAgent.

They were as follows: lap_.dll, SAHAgent_.exe, SAHHtml_.exe, and SAHUninstall_.exe.

Four of the threats were these files found compressed within c:\windows\Downloaded Program Files\bunSetup.cab. For the other four, the files themselves were found in the directory c:\windows\downloaded program files\

On to the requested logs:

Hijack This:

Logfile of HijackThis v1.98.2
Scan saved at 3:12:58 PM, on 12/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\vkqrrc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: SpywareGuard.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

And Findit.bat:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

12/07/2004 10:37 PM <DIR> dllcache
12/05/2004 11:55 PM 512 Yfl8.cu6
11/30/2004 01:54 PM 7,305 mvhkr.log
11/29/2004 09:03 AM 389,120 l?ass.exe
11/15/2004 07:24 AM 3,347 ewzpt.txt
11/11/2004 08:49 AM 3,347 tryrm.dat
09/02/2004 10:01 AM <DIR> Microsoft
5 File(s) 403,631 bytes
2 Dir(s) 54,755,123,200 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

12/07/2004 10:37 PM <DIR> dllcache
12/05/2004 11:55 PM 512 Yfl8.cu6
11/30/2004 01:54 PM 7,305 mvhkr.log
11/29/2004 09:03 AM 389,120 l?ass.exe
11/15/2004 07:24 AM 3,347 ewzpt.txt
11/11/2004 08:49 AM 3,347 tryrm.dat
09/02/2004 10:09 AM 488 WindowsLogon.manifest
09/02/2004 10:09 AM 488 logonui.exe.manifest
09/02/2004 10:09 AM 749 sapi.cpl.manifest
09/02/2004 10:09 AM 749 nwc.cpl.manifest
09/02/2004 10:09 AM 749 ncpa.cpl.manifest
09/02/2004 10:09 AM 749 wuaucpl.cpl.manifest
09/02/2004 10:09 AM 749 cdplayer.exe.manifest
12 File(s) 408,352 bytes
1 Dir(s) 54,755,119,104 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

07/16/2003 03:25 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 54,755,119,104 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gprml3911.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
ewzpt.txt Mon Nov 15 2004 7:24:18a A.SH. 3,347 3.27 K
lass~1.exe Mon Nov 29 2004 9:03:24a ..SHR 389,120 380.00 K
mvhkr.log Tue Nov 30 2004 1:54:30p A.SH. 7,305 7.13 K
tryrm.dat Thu Nov 11 2004 8:49:34a A.SH. 3,347 3.27 K
yfl8.cu6 Sun Dec 5 2004 11:55:28p ..SH. 512 0.50 K

5 items found: 5 files, 0 directories.
Total of file sizes: 403,631 bytes 394.17 K


#26 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 12 December 2004 - 02:34 PM

With Windows set to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Navigate to these files

C:\WINDOWS\System32\mvhkr.log
C:\WINDOWS\System32\ewzpt.txt
C:\WINDOWS\System32\tryrm.dat
C:\WINDOWS\System32\yfl8.cu6
C:\WINDOWS\System32\vkqrrc.exe

Let me know what info you can find on them. Right click on them and click Properties>>Version.
Do you know what they're related to?
Can you possibly send them through this online malware scan
http://virusscan.jotti.dhs.org/
Give that link time to load and then use the browse button to navigate to the file(s)
right click on them and Submit

Are they found bad?

Can you see this file
C:\WINDOWS\system32\gprml3911.dll

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad, click FILE>>SAVE AS

Name the file as Findfile.bat
Save it on the desktop, don't change the save as, leave as txt

REM /a lists the matching files regardless of attributes (hidden and system included)
dir C:\WINDOWS\System32\l?ass.exe /a > files.txt
notepad files.txt


double click to run Findfile.bat and post the info back here

Also go into your Add/Remove programs and remove ShopatHome if it exists

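The "Keys Under Notify" section of the Findit.bat log above is where this infection persists: winlogon.exe loads every DLL listed under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify at logon, so a package such as OptimalLayout pointing at C:\WINDOWS\system32\gprml3911.dll runs before the desktop is up, and before most scanners. The stock packages name a bare DLL that Winlogon resolves from System32, which is the tell. The script below is an added example, not code from the thread, from Findit.bat or from any tool named here: it parses the REGEDIT4 text in the format Findit.bat prints (both the `hex(2):` and the quoted-string forms of DllName), flags packages whose DllName is a full path or is not on an allowlist, and writes the same `[-KEY]` delete syntax that the fixit.reg later in the thread uses. The allowlist and the sample export are assumptions patterned on the log.

```python
"""Flag suspicious Winlogon notification packages in a REGEDIT4 export and
emit the matching removal .reg file. Added example; not from the thread."""
from typing import Dict, Iterable

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumed allowlist: DLLs behind the stock Windows XP packages in the log above
# (crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn,
# termsrv, wlballoon) plus Intel's igfxsrvc.dll for the igfxcui package.
KNOWN_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
              "sclgntfy.dll", "igfxsrvc.dll"}

# Constructed sample in the same format as Findit.bat's "Keys Under Notify"
# section, trimmed to four packages; the OptimalLayout entry copies the log.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gprml3911.dll"
"Logon"="WinLogon"
"""


def parse_regedit4(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name (lower-cased): value}} for the quoted-string
    and hex(2) (REG_EXPAND_SZ, ANSI bytes) values in a REGEDIT4 export. dword
    values and hex data continued over several lines are not needed here."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"').lower()
        if value.startswith('"') and value.endswith('"'):
            # .reg files escape backslashes as \\ inside quoted strings
            keys[current][name] = value[1:-1].replace("\\\\", "\\")
        elif value.startswith("hex(2):"):
            data = bytes(int(b, 16) for b in value[len("hex(2):"):].split(",") if b)
            keys[current][name] = data.rstrip(b"\x00").decode("latin-1")
    return keys


def suspicious_notify_packages(export: str) -> Dict[str, str]:
    """Map each Notify subkey that deserves a look to the reason. Stock packages
    give a bare DLL name that Winlogon resolves from System32; a full path, or a
    name outside the allowlist, is what the log's OptimalLayout entry looks like.
    The check is on DllName, so a subkey with a plausible name is still caught."""
    flagged: Dict[str, str] = {}
    prefix = NOTIFY_KEY.lower() + "\\"
    for key, values in parse_regedit4(export).items():
        if not key.lower().startswith(prefix):
            continue
        subkey = key[len(prefix):]
        dll = values.get("dllname")
        if dll is None:
            flagged[subkey] = "no DllName value"
        elif "\\" in dll or ":" in dll:
            flagged[subkey] = "absolute path " + dll
        elif dll.lower() not in KNOWN_DLLS:
            flagged[subkey] = "unknown DLL " + dll
    return flagged


def removal_reg(subkeys: Iterable[str]) -> str:
    """Build a REGEDIT4 file that deletes the given Notify subkeys; a leading '-'
    inside the brackets is regedit's delete-key syntax, as in the thread's fixit.reg."""
    lines = ["REGEDIT4", ""]
    for name in subkeys:
        lines += ["[-" + NOTIFY_KEY + "\\" + name + "]", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    bad = suspicious_notify_packages(SAMPLE_EXPORT)
    for name, reason in bad.items():
        print(name, "->", reason)
    print(removal_reg(bad))
```

Run it against the whole "Keys Under Notify" section pasted into SAMPLE_EXPORT and only OptimalLayout comes out; the later log's BITS entry, which uses the same full-path pattern under a service-like name, would be caught by the same DllName test. Merge the generated .reg from Safe Mode, as the thread does, so the DLL is not loaded while its key is being removed.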


#27 Masamune42

    Journeyman

  • Members
  • 31 posts

Posted 12 December 2004 - 03:26 PM

The 'Show hidden files" and the such were already set up.

ShopatHome isn't listed in the Add/Remove Programs.

I cannot see gprml3911.dll or vkqrrc.exe


Here is the result of FindFile.bat:

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

08/23/2001 07:00 AM 11,776 lsass.exe
11/29/2004 09:03 AM 389,120 l?ass.exe
2 File(s) 400,896 bytes

Directory of C:\Documents and Settings\Owner\Desktop


I'm running the other files through the website you linked to. It's just taking a while. I'll post the results as soon as they're known.

#28 Masamune42

    Journeyman

  • Members
  • 31 posts

Posted 12 December 2004 - 03:37 PM

Hmm, all four files I ran through that site came back as 'OK'. (The fifth, vkqrrc.exe, I can't find, as I mentioned.)

I can honestly say I have no idea what those files are relevant to, or what programs they might be related to.

The properties box also gives no useful information that I noticed.

#29 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 12 December 2004 - 04:16 PM

I can't find any info on those files

But try this
I want to ensure you did this
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
Name the file as fixit.reg
Change the Save as Type to All Files.
Save this file on the desktop, we'll need this later, don't run it yet

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout]


Leave that for now

Open killbox and delete temp files

and then have it delete these files, just in case
C:\WINDOWS\System32\vkqrrc.exe

C:\WINDOWS\system32\gprml3911.dll

C:\WINDOWS\system32\drivers\etc\hosts


Restart your computer into safe mode

Find and delete this file
C:\WINDOWS\System32\l?ass.exe <--this one, DON'T delete anything else because it looks similar

Also navigate to these files and right click on them and rename them for now
C:\WINDOWS\System32\mvhkr.log
C:\WINDOWS\System32\ewzpt.txt
C:\WINDOWS\System32\tryrm.dat
C:\WINDOWS\System32\yfl8.cu6

Example>>Rename yfl8.cu6>>>yfl8.old

Stay in safe mode
Double click on
fixit.reg and allow it to merge to the registry

Restart back into Normal Mode

Once back in Windows open up HOSTER that you downloaded earlier and let it create a new Hosts file and then Restore Original Hosts

You should try and visit Windows updates and get all Critical(High Priority) updates
to help keep your system secure. You're way behind on Windows updates.

Don't get SP2 or any recommended updates, just get all others including IE SP1
Restart when prompted and then revisit to ensure you got them all
Remember, don't install Service Pack 2

Post back here a fresh hijackthis log afterwards and a new Findit.bat
I want to see what returns

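The reply above deletes C:\WINDOWS\system32\drivers\etc\hosts and has HOSTER write a fresh one. The reason is visible in the HijackThis log at the end of this thread, whose O1 lines map auto.search.msn.com, search.netscape.com and ieautosearch to 69.20.16.183: auto.search.msn.com is where Internet Explorer of this era sends address-bar searches, so every mistyped URL goes to that address instead. A hosts file on a home PC should map names only to 127.0.0.1 (or 0.0.0.0 for ad-blocking lists), which makes the check simple. The script below is an added example, not code from the thread or from HOSTER: it parses hosts-file syntax, reports every entry that points anywhere but the local machine, and produces the minimal replacement file. The sample file is constructed; its three 69.20.16.183 lines copy the O1 entries from the log.

```python
"""Audit a Windows hosts file for hijack entries and build a clean replacement.
Added example; not from the thread or from the HOSTER tool it mentions."""
import ipaddress
from typing import List, Tuple

# Constructed sample. The three 69.20.16.183 lines copy the O1 entries in the
# HijackThis log later in this thread; the other lines are ordinary content.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
69.20.16.183    auto.search.msn.com
69.20.16.183    search.netscape.com
69.20.16.183    ieautosearch
127.0.0.1       ad.doubleclick.net   # ad-blocking entry, harmless
"""

Entry = Tuple[int, str, str]  # (line number, address, host name)


def parse_hosts(text: str) -> List[Entry]:
    """Parse hosts-file syntax: '<address> <name> [<name>...]'; '#' starts a comment."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address; skip the line
        for host in parts[1:]:
            entries.append((lineno, str(addr), host))
    return entries


def hijacked_entries(text: str) -> List[Entry]:
    """Entries that send a name anywhere other than the local machine. Loopback
    (127.x) and unspecified (0.0.0.0) targets are the only ones a home PC's hosts
    file legitimately uses; anything else redirects that name on purpose."""
    bad: List[Entry] = []
    for entry in parse_hosts(text):
        addr = ipaddress.ip_address(entry[1])
        if not (addr.is_loopback or addr.is_unspecified):
            bad.append(entry)
    return bad


def clean_hosts() -> str:
    """The minimal hosts file HOSTER-style tools write back: only localhost."""
    return "127.0.0.1\tlocalhost\n"


if __name__ == "__main__":
    for lineno, addr, host in hijacked_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s" % (lineno, host, addr))
    print(clean_hosts(), end="")
```

Point the parser at the real file (open it with Notepad or read it from C:\WINDOWS\system32\drivers\etc\hosts) rather than at SAMPLE_HOSTS to audit a machine. Because the malware here re-creates its files after removal, the audit is worth repeating after the next reboot, as the thread's request for fresh logs does.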


#30 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 12 December 2004 - 04:32 PM

Forgot to mention that the other hijacker you had likes to delete some files on your computer
Can you navigate to
C:\Program Files\Spybot - Search & Destroy folder
Open it and let me know if you can find the
SDHelper.dll file

Could you also navigate to C:\WINDOWS\SYSTEM32 folder
and let me know if you can find Shell.dll file

Could you also post this info
Open Spybot>>click on HELP>>ABOUT
Let me know version no. and Latest detection update date

Open Ad-Aware>>click on DETAILS
Let me know Reference No. and Internal build



#31 Masamune42

    Journeyman

  • Members
  • 31 posts

Posted 12 December 2004 - 04:45 PM

Hrm.. I just visited Microsoft's website, and the only critical update that's showing up is SP2, so I think I'm up to date.

I wasn't able to find the "C:\WINDOWS\System32\l?ass.exe" file. The closest thing was 'lsass.exe', which I left alone (also, I notice that the lpiooq.dll file is back).

Here are the logs.

Hijack This:

Logfile of HijackThis v1.98.2
Scan saved at 5:54:45 PM, on 12/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\vkqrrc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: SpywareGuard.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe


and Findit.bat

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

12/07/2004 10:37 PM <DIR> dllcache
12/05/2004 11:55 PM 512 Yfl8.old
11/30/2004 01:54 PM 7,305 mvhkr.old
11/29/2004 09:03 AM 389,120 l?ass.exe
11/15/2004 07:24 AM 3,347 ewzpt.old
11/11/2004 08:49 AM 3,347 tryrm.old
09/02/2004 10:01 AM <DIR> Microsoft
5 File(s) 403,631 bytes
2 Dir(s) 54,750,347,264 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

12/07/2004 10:37 PM <DIR> dllcache
12/05/2004 11:55 PM 512 Yfl8.old
11/30/2004 01:54 PM 7,305 mvhkr.old
11/29/2004 09:03 AM 389,120 l?ass.exe
11/15/2004 07:24 AM 3,347 ewzpt.old
11/11/2004 08:49 AM 3,347 tryrm.old
09/02/2004 10:09 AM 488 WindowsLogon.manifest
09/02/2004 10:09 AM 488 logonui.exe.manifest
09/02/2004 10:09 AM 749 sapi.cpl.manifest
09/02/2004 10:09 AM 749 nwc.cpl.manifest
09/02/2004 10:09 AM 749 ncpa.cpl.manifest
09/02/2004 10:09 AM 749 wuaucpl.cpl.manifest
09/02/2004 10:09 AM 749 cdplayer.exe.manifest
12 File(s) 408,352 bytes
1 Dir(s) 54,750,343,168 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

07/16/2003 03:25 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 54,750,343,168 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
ewzpt.old Mon Nov 15 2004 7:24:18a A.SH. 3,347 3.27 K
lass~1.exe Mon Nov 29 2004 9:03:24a ..SHR 389,120 380.00 K
mvhkr.old Tue Nov 30 2004 1:54:30p A.SH. 7,305 7.13 K
tryrm.old Thu Nov 11 2004 8:49:34a A.SH. 3,347 3.27 K
yfl8.old Sun Dec 5 2004 11:55:28p A.SH. 512 0.50 K

5 items found: 5 files, 0 directories.
Total of file sizes: 403,631 bytes 394.17 K


Weird that l?ass.exe keeps showing up in these logs... I can't seem to find it at all.
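The l?ass.exe entry that keeps appearing is a filename containing a character the console's code page cannot display: cmd.exe prints `?` in its place, and locate.com shows the same file only by its 8.3 short name, lass~1.exe. That is also why typing the name into Explorer's search finds nothing, since the typed `s` is not the character in the name. The script below is an added example, not from the thread or from Findit.bat: it reproduces the console's `?` rendering, treats the result as a wildcard and matches it against a list of system binary names, and reports the exact code points of the offending characters so the file can be identified unambiguously. The watch list and the directory listing are constructed; which character the file in this thread actually used is not on the page.

```python
"""Find filenames that imitate Windows system binaries with non-ASCII characters.
Added example; not from the thread or any tool it mentions."""
import fnmatch
import os
import unicodedata
from typing import Dict, Iterable

# Assumed watch list: process names that a look-alike file would try to pass for.
PROTECTED_NAMES = ["lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "explorer.exe"]

# Constructed directory listing. Cyrillic letters are used here because they
# render like their Latin look-alikes in Explorer; the thread's file may differ.
SAMPLE_LISTING = [
    "lsass.exe",
    "l\u0455ass.exe",        # U+0455 CYRILLIC SMALL LETTER DZE in place of 's'
    "svchost.exe",
    "svch\u043est.exe",      # U+043E CYRILLIC SMALL LETTER O in place of 'o'
    "mvhkr.log",
    "r\u00e9sum\u00e9.doc",  # non-ASCII, but imitates nothing on the watch list
]


def console_skeleton(name: str) -> str:
    """Render a name the way a console on an OEM code page does: every character
    it cannot represent becomes '?'. That is why dir printed 'l?ass.exe' above."""
    return "".join(ch if ch.isascii() else "?" for ch in name)


def find_lookalikes(names: Iterable[str]) -> Dict[str, dict]:
    """Return {name: details} for entries whose console rendering, read as a
    wildcard pattern, matches a protected binary name but is not that name."""
    hits: Dict[str, dict] = {}
    for name in names:
        skeleton = console_skeleton(name)
        if "?" not in skeleton:
            continue  # pure ASCII: either the real binary or unrelated
        pattern = skeleton.lower().replace("[", "[[]")  # only '?' is a wildcard
        for target in PROTECTED_NAMES:
            if fnmatch.fnmatchcase(target, pattern):
                hits[name] = {
                    "imitates": target,
                    "rendered_as": skeleton,
                    "codepoints": ["U+%04X %s" % (ord(c), unicodedata.name(c, "?"))
                                   for c in name if not c.isascii()],
                }
    return hits


def scan_directory(path: str) -> Dict[str, dict]:
    """Run the same check over a real directory, e.g. C:\\WINDOWS\\System32."""
    return find_lookalikes(os.listdir(path))


if __name__ == "__main__":
    for name, info in find_lookalikes(SAMPLE_LISTING).items():
        print(repr(name), "imitates", info["imitates"], info["codepoints"])
```

Once the file is identified, the 8.3 name that locate.com printed is a plain ASCII handle for it: cmd.exe accepts `lass~1.exe` wherever the long name would go, which sidesteps the unrepresentable character entirely.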

#32 Masamune42

    Journeyman

  • Members
  • 31 posts

Posted 12 December 2004 - 04:49 PM

SDHelper.dll exists.

Shell32.dll exists, although Shell.dll does not.

Spybot - Version 1.3, Latest Detection Update 2004-12-02

AdAware:
Reference Number : SE1R21 03.12.2004
Internal build : 26

#33 guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 12 December 2004 - 05:23 PM

Hmmm, I can see the file

You should be able to manually update to SP1--we have to patch your machine
http://www.microsoft...p1/default.mspx

But first:

Navigate to C:\WINDOWS\SYSTEM32\DLLCACHE
Open the folder and find Shell.dll
right click on it and copy it and paste it into the
C:\WINDOWS\SYSTEM32 folder

Download the Trial version of TrojanHunter from this link
http://www.trojanhun...m/trojanhunter/
This is good for 30 days

After installation you will have to manually update the Latest Ruleset
Go to this link
http://www.trojanhun...unter/updating/
Download the Latest Ruleset to desktop

Unzip it to your Trojan Hunter folder
Allow to overwrite if prompted
The default location should be C:\Program Files\TrojanHunter

Restart into safe mode and
Run a full system scan
Let it clean what it finds and then restart your computer back into Normal mode

then visit the link to update windows, restart when prompted

Post back the logs

Forgot to add, Ad-Aware has been updated to
Reference Number : SE1R22 13.12.2004
Internal build : 27
You may want to update, just in case close down Ad-Aware afterwards
Open it again and do another scan
Restart your computer if any Criticals are found and removed



#34 Masamune42

    Journeyman

  • Members
  • 31 posts

Posted 12 December 2004 - 07:09 PM

Crap. I tried to install Service Pack 1a, which managed to kill my mouse much like Service Pack 2 did. So I uninstalled it via 'Add/Remove Programs', and it looks like several of the previously apparently removed problems have returned. I'm getting a bunch of pop-ups again, and the recycle bin has gone back to its misbehaving ways. There's also a folder under the C: drive called '!Submit' with some of the files in it that should have been killed (like Guard.tmp); I don't know if this is actually part of Killbox or not. Additionally, things like Ad-Aware don't appear to be running on restart when they're requested to.

Ugh.

Anyways, here are the logs. I've included the DLL Compare log as well, since it's finding things again :(

Hijack This:

Logfile of HijackThis v1.98.2
Scan saved at 8:10:27 PM, on 12/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TrojanHunter 4.0\THGuard.exe
C:\WINDOWS\System32\vkqrrc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\HJT\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: SpywareGuard.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe


Findit.bat:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

12/12/2004 08:09 PM 223,055 r4r6le9s1h.dll
12/12/2004 08:07 PM 225,056 enlml1311.dll
12/12/2004 07:51 PM <DIR> dllcache
12/05/2004 11:55 PM 512 Yfl8.old
11/29/2004 09:03 AM 389,120 l?ass.exe
09/02/2004 10:01 AM <DIR> Microsoft
4 File(s) 837,743 bytes
2 Dir(s) 51,790,114,816 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

12/12/2004 07:51 PM <DIR> dllcache
12/05/2004 11:55 PM 512 Yfl8.old
11/29/2004 09:03 AM 389,120 l?ass.exe
09/02/2004 10:09 AM 488 WindowsLogon.manifest
09/02/2004 10:09 AM 488 logonui.exe.manifest
09/02/2004 10:09 AM 749 sapi.cpl.manifest
09/02/2004 10:09 AM 749 nwc.cpl.manifest
09/02/2004 10:09 AM 749 ncpa.cpl.manifest
09/02/2004 10:09 AM 749 wuaucpl.cpl.manifest
09/02/2004 10:09 AM 749 cdplayer.exe.manifest
9 File(s) 394,353 bytes
1 Dir(s) 51,790,114,816 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

07/16/2003 03:25 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 51,790,110,720 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{03436F64-12CC-486B-82B5-6E1D8717A291}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BITS]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enlml1311.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------

C:\WINDOWS\System32\ENLML1~1.DLL +++ File read error

-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
enlml1~1.dll Sun Dec 12 2004 8:07:30p ..S.R 225,056 219.78 K
lass~1.exe Mon Nov 29 2004 9:03:24a ..SHR 389,120 380.00 K
r4r6le~1.dll Sun Dec 12 2004 8:09:52p ..S.R 223,055 217.82 K
yfl8.old Sun Dec 5 2004 11:55:28p A.SH. 512 0.50 K

4 items found: 4 files, 0 directories.
Total of file sizes: 837,743 bytes 818.11 K


DLL Compare:

* DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\enlml1~1.dll Sun Dec 12 2004 8:07:30p ..S.R 225,056 219.78 K
C:\WINDOWS\SYSTEM32\r4r6le~1.dll Sun Dec 12 2004 8:09:52p ..S.R 223,055 217.82 K
________________________________________________

1,296 items found: 1,296 files (2 H/S), 0 directories.
Total of file sizes: 271,373,505 bytes 258.80 M

Administrator Account = True

--------------------End log---------------------

#35 Masamune42

Masamune42

    Journeyman

  • Members
  • PipPip
  • 31 posts

Posted 12 December 2004 - 07:31 PM

Okay, I used KillBox to remove the two files that DLL Compare managed to find, and then used Hijack This to remove those three redirects, and things appear to be better than that last post would imply. Here are the HJT and Findit.bat logs, so you know what state things are in now.

HJT:

Logfile of HijackThis v1.98.2
Scan saved at 8:40:00 PM, on 12/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TrojanHunter 4.0\THGuard.exe
C:\WINDOWS\System32\vkqrrc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: SpywareGuard.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe


Findit.bat:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

12/12/2004 07:51 PM <DIR> dllcache
12/05/2004 11:55 PM 512 Yfl8.old
11/29/2004 09:03 AM 389,120 l?ass.exe
09/02/2004 10:01 AM <DIR> Microsoft
2 File(s) 389,632 bytes
2 Dir(s) 51,788,726,272 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

12/12/2004 07:51 PM <DIR> dllcache
12/05/2004 11:55 PM 512 Yfl8.old
11/29/2004 09:03 AM 389,120 l?ass.exe
09/02/2004 10:09 AM 488 WindowsLogon.manifest
09/02/2004 10:09 AM 488 logonui.exe.manifest
09/02/2004 10:09 AM 749 sapi.cpl.manifest
09/02/2004 10:09 AM 749 nwc.cpl.manifest
09/02/2004 10:09 AM 749 ncpa.cpl.manifest
09/02/2004 10:09 AM 749 wuaucpl.cpl.manifest
09/02/2004 10:09 AM 749 cdplayer.exe.manifest
9 File(s) 394,353 bytes
1 Dir(s) 51,788,726,272 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

07/16/2003 03:25 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 51,788,722,176 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{03436F64-12CC-486B-82B5-6E1D8717A291}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r4r6le9s1h.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
lass~1.exe Mon Nov 29 2004 9:03:24a ..SHR 389,120 380.00 K
yfl8.old Sun Dec 5 2004 11:55:28p A.SH. 512 0.50 K

2 items found: 2 files, 0 directories.
Total of file sizes: 389,632 bytes 380.50 K


#36 guestolo

guestolo

    Site Donator

  • Admin
  • PipPipPipPipPipPipPip
  • 16,247 posts

Posted 14 December 2004 - 11:29 PM

Download Goologic.zip

Unzip it and run qoologic.bat; wait for it to finish.
Post the text file found here: c:\win.txt

Post also a new Hijackthis log and Find.bat log

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#37 Masamune42

Masamune42

    Journeyman

  • Members
  • PipPip
  • 31 posts

Posted 15 December 2004 - 12:19 AM

Hey again Guestolo, hope your week is going well.

Here are the results you asked for:

Win.txt:

C:\WINDOWS\system32\iasppn.dll: updates.qoologic.com
C:\WINDOWS\system32\lpiooq.dll: updates.qoologic.com
C:\WINDOWS\system32\lqxwwa.exe: updates.qoologic.com
C:\WINDOWS\system32\vkqrrc.exe: .aspack
C:\WINDOWS\system32\wvgbbk.dat: .aspack


Hijack This:

Logfile of HijackThis v1.98.2
Scan saved at 12:12:13 AM, on 12/15/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\TrojanHunter 4.0\THGuard.exe
C:\WINDOWS\System32\vkqrrc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: SpywareGuard.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe


And, Find.bat:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

12/12/2004 07:51 PM <DIR> dllcache
12/05/2004 11:55 PM 512 Yfl8.old
11/29/2004 09:03 AM 389,120 l?ass.exe
09/02/2004 10:01 AM <DIR> Microsoft
2 File(s) 389,632 bytes
2 Dir(s) 53,032,591,360 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

12/12/2004 07:51 PM <DIR> dllcache
12/05/2004 11:55 PM 512 Yfl8.old
11/29/2004 09:03 AM 389,120 l?ass.exe
09/02/2004 10:09 AM 488 WindowsLogon.manifest
09/02/2004 10:09 AM 488 logonui.exe.manifest
09/02/2004 10:09 AM 749 sapi.cpl.manifest
09/02/2004 10:09 AM 749 nwc.cpl.manifest
09/02/2004 10:09 AM 749 ncpa.cpl.manifest
09/02/2004 10:09 AM 749 wuaucpl.cpl.manifest
09/02/2004 10:09 AM 749 cdplayer.exe.manifest
9 File(s) 394,353 bytes
1 Dir(s) 53,032,591,360 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

07/16/2003 03:25 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 53,032,587,264 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{03436F64-12CC-486B-82B5-6E1D8717A291}"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r4r6le9s1h.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
lass~1.exe Mon Nov 29 2004 9:03:24a ..SHR 389,120 380.00 K
yfl8.old Sun Dec 5 2004 11:55:28p A.SH. 512 0.50 K

2 items found: 2 files, 0 directories.
Total of file sizes: 389,632 bytes 380.50 K


Hope that new log helps.
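The Findit.bat and Locate.com output above keeps turning up an `l?ass.exe` with System, Hidden and Read-only attributes set: cmd.exe prints `?` for a filename character it cannot render, so the name is one unprintable character away from the real `lsass.exe`. The following is an added example (not part of Findit.bat, Locate.com or this thread) that scans `dir /a`-style listing lines for names within a single edit of a core Windows binary and reports whether the name carries characters that no legitimate binary would have. The allowlist of protected names and the listing text are constructed for the example; the `lsass.exe` line is included only to show that the genuine file is not flagged.

```python
"""Flag directory-listing entries that masquerade as core Windows binaries.

Example code modelled on the Findit.bat / dir output posted in this thread.
The PROTECTED allowlist and SAMPLE_LISTING below are constructed for the
example; the detection is a single-edit comparison against known names plus a
check for characters that cannot occur in a real binary's filename.
"""
import re

# Core Windows binaries that malware commonly imitates (hypothetical allowlist).
PROTECTED = {
    "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
    "services.exe", "svchost.exe", "explorer.exe", "spoolsv.exe",
}

# dir /a line: date, time with AM/PM, size or <DIR>, then the name.
DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$"
)

# Constructed listing in the shape of the thread's "System Files in System32" section.
SAMPLE_LISTING = """\
 Directory of C:\\WINDOWS\\System32

12/12/2004 07:51 PM <DIR> dllcache
11/29/2004 09:03 AM 389,120 l?ass.exe
09/02/2004 10:09 AM 488 logonui.exe.manifest
09/02/2004 10:09 AM 13,312 lsass.exe
09/02/2004 10:01 AM <DIR> Microsoft
3 File(s) 402,920 bytes
"""


def edit_distance_le1(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):      # a has an extra character: skip it
            i += 1
        elif len(a) < len(b):    # b has an extra character: skip it
            j += 1
        else:                    # same length: substitution
            i += 1
            j += 1
    edits += (len(a) - i) + (len(b) - j)   # unmatched tail is one more edit
    return edits <= 1


def suspicious_chars(name: str) -> bool:
    """'?' is illegal in a Windows filename; dir prints it for characters it
    cannot render. Non-ASCII look-alike characters are caught the same way."""
    return "?" in name or any(ord(c) > 127 for c in name)


def scan_listing(text: str) -> list:
    """Return one finding per file whose name is one edit away from a protected name."""
    findings = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m or m["size"] == "<DIR>":
            continue
        name = m["name"].lower()
        for target in PROTECTED:
            if name != target and edit_distance_le1(name, target):
                findings.append({"name": m["name"], "imitates": target,
                                 "odd_chars": suspicious_chars(name)})
                break
    return findings


if __name__ == "__main__":
    for f in scan_listing(SAMPLE_LISTING):
        print(f"{f['name']!r} imitates {f['imitates']} (unrenderable/non-ASCII chars: {f['odd_chars']})")
```

Against the constructed listing the only finding is `l?ass.exe` imitating `lsass.exe` with odd characters present; the genuine `lsass.exe` and the manifest files pass. A file that Explorer hides by default (the S and H attributes in the Locate.com lines) is exactly why the next post has the reader merge a `ShowSuperHidden` setting before looking for it.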

#38 guestolo

guestolo

    Site Donator

  • Admin
  • PipPipPipPipPipPipPip
  • 16,247 posts

Posted 15 December 2004 - 01:03 AM

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad, click FILE>>SAVE AS
Important>>Change the Save as Type to All Files.
Name the file as unhide.reg

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"SearchSystemDirs"=dword:00000001
"SearchHidden"=dword:00000001
"IncludeSubFolders"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001


Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad, click FILE>>SAVE AS
Important>>Change the Save as Type to All Files.
Name the file as fixit.reg

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]


Open Hijackthis>>Config>>Misc tools>>Open Process Manager and Kill this process
C:\WINDOWS\System32\vkqrrc.exe

Double click on unhide.reg and Allow it to merge to the registry

Open Killbox and delete temp files

Delete these entries
Again
copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those in a minute:

C:\WINDOWS\system32\iasppn.dll

C:\WINDOWS\system32\lpiooq.dll

C:\WINDOWS\system32\lqxwwa.exe

C:\WINDOWS\System32\vkqrrc.exe

C:\WINDOWS\system32\r4r6le9s1h.dll

C:\WINDOWS\system32\wvgbbk.dat

C:\WINDOWS\System32\Yfl8.old


For the files that it either couldn't find or couldn't delete, run killbox again, but this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No" until after you've pasted the last file name, at which time you should answer "Yes".

Double click on fixit.reg and allow to merge to the registry

Open VX2 finder and click on "Click to Find VX2.Betterinternet"
When it's done scanning click on any of the highlighted buttons on the right
Click 'Guardian.reg'.
Click 'User Agent'.
Click 'Restore Policy'.

Restart your computer one last time

Find and delete this file if it exists
C:\WINDOWS\System32\vkqrrc.exe <--file
C:\WINDOWS\System32\l?ass.exe <--file, exact name

Post back a fresh Hijackthis log, Find.bat log and Goologic log

Can you also try to update your version of Hijackthis? It's just had an update to Hijackthis 1.99.
Open Hijackthis>>Config>>Misc Tools>>Check for updates online

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here
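The fixit.reg above removes the `Winlogon\Notify\WindowsUpdate` subkey that the Findit.bat logs kept showing, and the earlier log had a `BITS` subkey of the same shape: both point `DllName` at a full path to a randomly named DLL in system32, whereas the legitimate notification packages in the same export register a bare name such as `cscdll.dll` or `wlnotify.dll` (often stored as a `hex(2)` REG_EXPAND_SZ). The following is an added example, not Findit.bat's code or anything from this thread, that parses a REGEDIT4 "Keys Under Notify" export, decodes both value encodings, and reports subkeys whose DLL is an absolute path or is not on a (hypothetical) allowlist of known packages. The sample export is constructed from the entries in the logs above.

```python
"""Audit Winlogon\\Notify entries from a REGEDIT4 export.

Example code modelled on the "Keys Under Notify" section of the Findit.bat
logs in this thread. KNOWN_NOTIFY_DLLS is a hypothetical allowlist and
SAMPLE_EXPORT is constructed from entries seen in those logs. Multi-line
hex values (trailing backslash continuations) are not handled here.
"""
import re

# Known Windows XP notification packages (hypothetical allowlist for the example).
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "igfxsrvc.dll",
    "wlnotify.dll", "sclgntfy.dll",
}
NOTIFY_PREFIX = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" + "\\"
)

# Constructed REGEDIT4 export: two legitimate packages and one full-path entry.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WindowsUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\r4r6le9s1h.dll"
"Logon"="WinLogon"
"""


def decode_reg_value(raw: str) -> str:
    """Turn a REGEDIT4 value literal into a Python string.
    Handles "quoted" REG_SZ (backslashes and quotes are escaped in .reg files)
    and hex(2): byte lists, i.e. REG_EXPAND_SZ stored as NUL-terminated text."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    m = re.match(r"hex(?:\(2\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.split(b"\x00", 1)[0].decode("latin-1")
    return raw   # dword:... and anything else is returned verbatim


def parse_notify_export(text: str) -> dict:
    """Map each Notify subkey name to {value name: decoded value}."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None
            if key.lower().startswith(NOTIFY_PREFIX.lower()):
                current = key[len(NOTIFY_PREFIX):]
                entries[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            entries[current][name.strip('"')] = decode_reg_value(value)
    return entries


def audit_notify(text: str) -> list:
    """Return (subkey, dll, reason) for every Notify entry worth a second look."""
    findings = []
    for subkey, values in parse_notify_export(text).items():
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            findings.append((subkey, None, "no DllName value"))
        elif "\\" in dll or ":" in dll:
            findings.append((subkey, dll, "absolute path instead of bare package name"))
        elif dll.lower() not in KNOWN_NOTIFY_DLLS:
            findings.append((subkey, dll, "package not on allowlist"))
    return findings


if __name__ == "__main__":
    for subkey, dll, reason in audit_notify(SAMPLE_EXPORT):
        print(f"Notify\\{subkey}: {dll} ({reason})")
```

On the constructed export only `WindowsUpdate` is reported, with its decoded path, which is the subkey the fixit.reg above deletes; `crypt32chain` decodes from its `hex(2)` form to `crypt32.dll` and passes. To run it over a real Findit.bat log, paste the "Keys Under Notify" section into `SAMPLE_EXPORT` or read it from a file; treat the allowlist as a starting point to be checked against a known-clean machine of the same Windows build, since an absent package is a question, not a verdict.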


#39 Masamune42

Masamune42

    Journeyman

  • Members
  • PipPip
  • 31 posts

Posted 16 December 2004 - 12:47 AM

Followed your steps, didn't see vkqrrc.exe or l?ass.exe in c:\windows\system32 at the end, but here are the logs:

Hijack This:

Logfile of HijackThis v1.99.0
Scan saved at 12:29:18 AM, on 12/16/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\vkqrrc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: SpywareGuard.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Findit.bat

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

12/12/2004 07:51 PM <DIR> dllcache
11/29/2004 09:03 AM 389,120 l?ass.exe
09/02/2004 10:01 AM <DIR> Microsoft
1 File(s) 389,120 bytes
2 Dir(s) 53,042,675,712 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

12/12/2004 07:51 PM <DIR> dllcache
11/29/2004 09:03 AM 389,120 l?ass.exe
09/02/2004 10:09 AM 488 logonui.exe.manifest
09/02/2004 10:09 AM 488 WindowsLogon.manifest
09/02/2004 10:09 AM 749 nwc.cpl.manifest
09/02/2004 10:09 AM 749 sapi.cpl.manifest
09/02/2004 10:09 AM 749 ncpa.cpl.manifest
09/02/2004 10:09 AM 749 cdplayer.exe.manifest
09/02/2004 10:09 AM 749 wuaucpl.cpl.manifest
8 File(s) 393,841 bytes
1 Dir(s) 53,042,675,712 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

07/16/2003 03:25 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 53,042,671,616 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
lass~1.exe Mon Nov 29 2004 9:03:24a ..SHR 389,120 380.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 389,120 bytes 380.00 K


And, finally:

C:\WINDOWS\system32\iasppn.dll: updates.qoologic.com
C:\WINDOWS\system32\lpiooq.dll: updates.qoologic.com
C:\WINDOWS\system32\lqxwwa.exe: updates.qoologic.com
C:\WINDOWS\system32\vkqrrc.exe: .aspack
C:\WINDOWS\system32\wvgbbk.dat: .aspack


Hmm.. I see vkqrrc.exe in the running process list, but I'm looking at c:\windows\system32 and I swear I can't see it in there...
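The "Keys Under Notify" section of the findit.bat log above is worth reading carefully: every subkey of Winlogon\Notify names a DLL that winlogon loads at logon, so it is a persistence location that this kind of infection abuses. As an added example (not part of this thread and not code from findit.bat, Killbox or any other tool mentioned here), the Python below parses a REGEDIT4 export of that key, decodes the hex(2) (REG_EXPAND_SZ) DllName values the way they appear in the log, and flags any subkey whose DLL is not in a baseline. The sample export is constructed: two entries are modelled on the log, and the third subkey (xyzabc) is made up to show the flagging. The baseline is just the DLL names that occur in the log above and is an assumption, not a verified allowlist for any given machine.

```python
import re

# Constructed sample modelled on the findit.bat "Keys Under Notify" output.
# The first two subkeys mirror the log; "xyzabc" is a made-up entry used only
# to demonstrate flagging and does not come from the thread.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xyzabc]
"DllName"=hex(2):78,79,7a,61,62,63,2e,64,6c,6c,00
"Startup"="WinlogonStartupEvent"
'''

# Assumption: DLL names seen in the thread's log, used here as a baseline.
# Whether each is legitimate on a specific machine must be checked separately.
NOTIFY_BASELINE = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "wlnotify.dll", "sclgntfy.dll", "igfxsrvc.dll",
}

NOTIFY_PREFIX = "\\winlogon\\notify\\"


def decode_reg_value(raw):
    """Decode one .reg value: "string", hex(n):xx,xx,... or dword:xxxxxxxx."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    m = re.match(r'hex(?:\((\d+)\))?:(.*)$', raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
        # REGEDIT4 exports strings as ANSI bytes; a UTF-16LE export has a NUL
        # in the second byte, so handle both before cutting at the terminator.
        if len(data) >= 2 and data[1] == 0:
            return data.decode('utf-16-le').split('\x00', 1)[0]
        return data.split(b'\x00', 1)[0].decode('latin-1')
    m = re.match(r'dword:([0-9a-fA-F]{8})$', raw)
    if m:
        return int(m.group(1), 16)
    return raw


def parse_notify_export(text):
    """Return {subkey: {value_name: decoded_value}} for Winlogon\\Notify subkeys."""
    # .reg files wrap long hex values with a trailing backslash; rejoin them.
    text = text.replace('\\\r\n', '').replace('\\\n', '')
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            idx = key.lower().find(NOTIFY_PREFIX)
            # The parent key itself (no trailing subkey) is skipped.
            current = key[idx + len(NOTIFY_PREFIX):] if idx >= 0 else None
            if current:
                entries[current] = {}
        elif current and line.startswith('"') and '=' in line:
            name, _, value = line.partition('=')
            entries[current][name.strip('"')] = decode_reg_value(value)
    return entries


def find_notify_dlls(entries):
    """Map each subkey to its DLL file name; the value name is case-insensitive."""
    dlls = {}
    for sub, values in entries.items():
        dll = next((v for k, v in values.items() if k.lower() == 'dllname'), None)
        if isinstance(dll, str):
            dll = dll.rsplit('\\', 1)[-1]   # keep just the file name if a path was given
        dlls[sub] = dll
    return dlls


def flag_unexpected(entries, baseline):
    """List (subkey, dll) pairs whose DLL is missing or not in the baseline."""
    base = {b.lower() for b in baseline}
    return [(sub, dll) for sub, dll in find_notify_dlls(entries).items()
            if dll is None or dll.lower() not in base]


if __name__ == "__main__":
    parsed = parse_notify_export(SAMPLE_EXPORT)
    for sub, dll in find_notify_dlls(parsed).items():
        print(f"{sub:14} -> {dll}")
    print("unexpected:", flag_unexpected(parsed, NOTIFY_BASELINE))
```

Anything the script flags is a lead, not a verdict: the next step is to confirm the DLL's publisher and location, the same way the thread does for the files it lists, rather than deleting on the strength of a name alone.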

#40 Guest_Guest_*

Guest_Guest_*
  • Guests

Posted 16 December 2004 - 11:35 PM

Sorry Masamune, not ignoring you, been busy and checking out a few things on this new nasty
Giving lots of people trouble and no Automatic fix as of yet
I thought we had it figured, but I don't think we're quite there yet

Can you open up Killbox and click About and let me know what version you have
If you don't have version 2.0.0.76

Can you redownload it from the link I supplied earlier, it's been updated

Could you also Download Process Explorer and Extract to a folder
Open the program
Highlight the process
C:\WINDOWS\System32\vkqrrc.exe

Then Click File in the menu bar>>>Save as
Save the file and post it back here

When you post back can I get a fresh hijackthis log and Findit log and Qoologic log, thanks
Ensure you delete all other logs beforehand, just don't want to get confused with the wrong one

Could you also
Do an online Virus scan at Rav's
http://www.ravantivirus.com/scan/
When you access that link with Internet Explorer
click on the "To Continue without subscribing click here" link
It will load the activex and dat files

Ensure that all the top entries are checked
Autoclean--Inside Archives---Unpack Executables---Smart Scan

Then click the Scan my PC button

Let it completely finish scanning

Copy and Paste the results back here

Keep me updated, I'm searching for a good fix for this one, it's close to being 100% removable