TheTechGuide Forum
General Category => Tech Clinic => Topic started by: thirstee on December 10, 2004, 07:49:01 PM
-
OK, I've been reading the logs here and would like some help. This stupid cws.bootconf won't go away, and when I maximize my IE it stops 1" from the top. Other apps use full screen, but not IE. Well, here's the stuff people asked for in other posts!
Log from find.bat
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
12/02/2004 06:58a <DIR> dllcache
11/23/2004 06:43p 11,690 KGyGaAvL.sys
11/23/2004 06:38p 56 CED9F6D0F6.sys
11/12/2004 07:52a 385,024 ?hkdsk.exe
09/26/2004 08:00p <DIR> GroupPolicy
09/26/2004 07:56p 21,692 folder.htt
09/26/2004 07:56p 271 desktop.ini
5 File(s) 418,733 bytes
2 Dir(s) 175,704,399,872 bytes free
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
12/07/1999 06:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 175,704,395,776 bytes free
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings]
"Asynchronous"=dword:00000000
"DllName"="C:\\winnt\\system32\\n48o0el3ehq.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
Log from VX2 Finder
Log for VX2.BetterInternet File Finder (msg126)
Files Found---
Additional Files---
Keys Under Notify---
crypt32chain
cryptnet
cscdll
Internet Settings
sclgntfy
SensLogn
wzcnotif
Guardian Key--- is called:
User Agent String---
{0D47A9A6-8109-4488-B37A-840F2EA290B4}
Log from dllcompare
* DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINNT\SYSTEM32\aksetupc.dll Fri Dec 10 2004 6:27:24p ..S.R 223,616 218.38 K
C:\WINNT\SYSTEM32\gp0ml3~1.dll Fri Dec 10 2004 6:25:12p ..S.R 223,232 218.00 K
C:\WINNT\SYSTEM32\n48o0e~1.dll Fri Dec 10 2004 7:46:10a ..S.R 223,616 218.38 K
________________________________________________
1,152 items found: 1,152 files (3 H/S), 0 directories.
Total of file sizes: 252,809,143 bytes 241.09 M
Administrator Account = True
--------------------End log---------------------
Log from Hijack this
Logfile of HijackThis v1.98.2
Scan saved at 6:57:46 PM, on 12/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\winnt\system32\nvsvc32.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\rundll32.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\RUNDLL32.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\YAC\yac.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\winnt\system32\NOTEPAD.EXE
C:\downloads\hijackthis.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WATCHPNP_SAMSUNG] watchpnp.exe SAMSUNG
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\winnt\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\winnt\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: yac.lnk = C:\Program Files\YAC\yac.exe
Any help would be appreciated!
-
Is that your whole HijackThis log? It looks like the bottom part is missing.
If you're not sure, after you scan and save the log, click on Edit>>Select All and then copy and paste it back here
Download this version of
Findit.zip (http://www.thatcomputerguy.us/downloads/finditnt2000xp.zip)
Unzip it to the Desktop
Run the Find.bat
Let it finish the scan, even if you see File not found
Post the log back here when it's done
Also post a new DLLCompare log and a new Hijackthis log
Don't try and restart until we have done a fix
-
New Find.bat Results
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System32 Directory -------
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
12/11/2004 05:21p <DIR> dllcache
11/23/2004 06:43p 11,690 KGyGaAvL.sys
11/23/2004 06:38p 56 CED9F6D0F6.sys
11/12/2004 07:52a 385,024 ?hkdsk.exe
3 File(s) 396,770 bytes
1 Dir(s) 175,631,810,560 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
12/11/2004 05:21p <DIR> dllcache
11/23/2004 06:43p 11,690 KGyGaAvL.sys
11/23/2004 06:38p 56 CED9F6D0F6.sys
11/12/2004 07:52a 385,024 ?hkdsk.exe
09/26/2004 08:00p <DIR> GroupPolicy
09/26/2004 07:56p 21,692 folder.htt
09/26/2004 07:56p 271 desktop.ini
5 File(s) 418,733 bytes
2 Dir(s) 175,631,806,464 bytes free
---------- Files Named "Guard" -------------
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
12/11/2004 05:16p 224,359 guard.tmp
1 File(s) 224,359 bytes
0 Dir(s) 175,631,806,464 bytes free
--------- Temp Files in System32 Directory --------
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
12/11/2004 05:16p 224,359 guard.tmp
12/07/1999 06:00a 2,577 CONFIG.TMP
2 File(s) 226,936 bytes
0 Dir(s) 175,631,806,464 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0D47A9A6-8109-4488-B37A-840F2EA290B4}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL]
"Asynchronous"=dword:00000000
"DllName"="C:\\winnt\\system32\\kt2ml7f11.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
---------------- Xfind Results -----------------
C:\winnt\System32\KT2ML7~1.DLL +++ File read error
-------------- Locate.com Results ---------------
C:\WINNT\SYSTEM32\
ced9f6~1.sys Tue Nov 23 2004 6:38:46p ..SHR 56 0.05 K
desktop.ini Sun Sep 26 2004 7:56:32p ...H. 271 0.26 K
folder.htt Sun Sep 26 2004 7:56:32p ...H. 21,692 21.18 K
kgygaavl.sys Tue Nov 23 2004 6:43:46p A.SH. 11,690 11.41 K
hkdsk~1.exe Fri Nov 12 2004 7:52:22a ..SHR 385,024 376.00 K
5 items found: 5 files, 0 directories.
Total of file sizes: 418,733 bytes 408.92 K
New dllcompare info
* DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
1,150 items found: 1,150 files, 0 directories.
Total of file sizes: 252,240,749 bytes 240.55 M
Administrator Account = True
--------------------End log---------------------
New Hijackthis Log
Logfile of HijackThis v1.98.2
Scan saved at 11:24:09 PM, on 12/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\winnt\system32\nvsvc32.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\winnt\system32\svchost.exe
C:\winnt\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\YAC\yac.exe
C:\Program Files\Turbo Torrent\ttorrent.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WATCHPNP_SAMSUNG] watchpnp.exe SAMSUNG
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\winnt\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\winnt\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: yac.lnk = C:\Program Files\YAC\yac.exe
and that's all there was for HijackThis!
Any and all help is appreciated!
-
Try this
Download and save to Desktop VX2Finder (http://www.downloads.subratam.org/VX2Finder.exe)
Double click to open it
Under Version ensure that
msg122
msg124
msg125
msg126
Are all checked then click on the "Click To Find VX2.BetterInternet"
When it has completed its scan, click "Make Log"
Post back this log with a fresh Find.bat log
And DLLCompare log
Then we'll try some fixes
Can you also let me know if your Recycle Bin works
Create a dummy file on your desktop
Right click on the desktop
>>Select NEW>>Text Document
Try sending it to the recycle bin after you name it
-
VX2 Log
Log for VX2.BetterInternet File Finder (ALL)
Files Found---
Additional Files---
Keys Under Notify---
crypt32chain
cryptnet
cscdll
sclgntfy
SensLogn
URL
wzcnotif
Guardian Key--- is called:
Guardian Key--- :
User Agent String---
{0D47A9A6-8109-4488-B37A-840F2EA290B4}
Fresh Find.bat Log
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System32 Directory -------
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
12/11/2004 05:21p <DIR> dllcache
11/23/2004 06:43p 11,690 KGyGaAvL.sys
11/23/2004 06:38p 56 CED9F6D0F6.sys
11/12/2004 07:52a 385,024 ?hkdsk.exe
3 File(s) 396,770 bytes
1 Dir(s) 175,703,322,624 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
12/11/2004 05:21p <DIR> dllcache
11/23/2004 06:43p 11,690 KGyGaAvL.sys
11/23/2004 06:38p 56 CED9F6D0F6.sys
11/12/2004 07:52a 385,024 ?hkdsk.exe
09/26/2004 08:00p <DIR> GroupPolicy
09/26/2004 07:56p 21,692 folder.htt
09/26/2004 07:56p 271 desktop.ini
5 File(s) 418,733 bytes
2 Dir(s) 175,703,322,624 bytes free
---------- Files Named "Guard" -------------
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
12/11/2004 05:16p 224,359 guard.tmp
1 File(s) 224,359 bytes
0 Dir(s) 175,703,322,624 bytes free
--------- Temp Files in System32 Directory --------
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
12/11/2004 05:16p 224,359 guard.tmp
12/07/1999 06:00a 2,577 CONFIG.TMP
2 File(s) 226,936 bytes
0 Dir(s) 175,703,322,624 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0D47A9A6-8109-4488-B37A-840F2EA290B4}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL]
"Asynchronous"=dword:00000000
"DllName"="C:\\winnt\\system32\\kt2ml7f11.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
---------------- Xfind Results -----------------
C:\winnt\System32\KT2ML7~1.DLL +++ File read error
-------------- Locate.com Results ---------------
C:\WINNT\SYSTEM32\
ced9f6~1.sys Tue Nov 23 2004 6:38:46p ..SHR 56 0.05 K
desktop.ini Sun Sep 26 2004 7:56:32p ...H. 271 0.26 K
folder.htt Sun Sep 26 2004 7:56:32p ...H. 21,692 21.18 K
kgygaavl.sys Tue Nov 23 2004 6:43:46p A.SH. 11,690 11.41 K
hkdsk~1.exe Fri Nov 12 2004 7:52:22a ..SHR 385,024 376.00 K
5 items found: 5 files, 0 directories.
Total of file sizes: 418,733 bytes 408.92 K
Fresh dllcompare log
* DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
2,534 items found: 2,534 files, 0 directories.
Total of file sizes: 478,892,931 bytes 456.71 M
Administrator Account = True
--------------------End log---------------------
Recycle Bin Test
Does NOT end up in recycle bin
-
Let's try this
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad, click FILE>>SAVE AS
Name the file as Findfile.bat
Don't run this yet
dir C:\WINNT\System32\?hkdsk.exe /a h > files.txt
notepad files.txt
Download Pocket Killbox from here:
http://www.downloads.subratam.org/KillBox.zip
Unzip the files to the folder of your choice.
Disconnect from the Internet completely
Double-click on Killbox.exe to run it
click on Tools->Delete Temp Files
When that finishes, copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those in a minute:
C:\winnt\system32\kt2ml7f11.dll
C:\winnt\System32\guard.tmp
For the files that it either couldn't find or couldn't delete, run killbox again, but this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No" until after you've pasted the last file name, at which time you should answer "Yes".
When it reboots
Do another scan with Hijackthis and put a check next to these entries if they exist
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
After you have ticked the above entries, close down all other open windows, including this one, leave Hijackthis open
Click FIX CHECKED
YES and exit hijackthis
Restart your computer one more time
Please post a new Findit.bat log and a new Hijack This log.
and Findfile.bat results
We'll worry about repairing the recycle bin next time
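The kt2ml7f11.dll named above was picked out of the Winlogon\Notify export in the Find.bat log, where it sat under a subkey (URL) that is not part of a stock Windows 2000 install and pointed at an absolute path into System32, unlike the bare file names of the built-in notification packages. As an added example that is not code from this thread or from Find.bat, the Python below parses such a REGEDIT4 export (including the hex(2) DllName values), compares each Notify subkey against a baseline, and reports the ones that deserve a look; the baseline set and the sample export are constructed from the entries shown in this thread.

```python
"""Triage a REGEDIT4 export of HKLM\\...\\Winlogon\\Notify for rogue notification packages."""
import re

NOTIFY_PREFIX = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Notify subkeys and their DLLs as they appear in this thread's clean entries on
# Windows 2000 SP4. A real deployment would capture this from a known-good machine.
BASELINE = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sclgntfy": "sclgntfy.dll",
    "SensLogn": "WlNotify.dll",
    "wzcnotif": "wzcdlg.dll",
}

# Constructed sample, trimmed from the Find.bat "Keys Under Notify" section in the thread.
SAMPLE_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\URL]
"Asynchronous"=dword:00000000
"DllName"="C:\\winnt\\system32\\kt2ml7f11.dll"
"Logon"="WinLogon"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_value(raw):
    """Decode one REGEDIT4 value: quoted string, dword, or hex(2) (REG_EXPAND_SZ)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")  # REGEDIT4 doubles backslashes
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        # REGEDIT4 (Windows 2000) exports ANSI bytes; newer exports are UTF-16LE.
        if data[1::2].strip(b"\x00") == b"":
            text = data.decode("utf-16-le")
        else:
            text = data.decode("latin-1")
        return text.split("\x00", 1)[0]
    return raw


def parse_notify_export(text):
    """Return {subkey: {value_name: value}} for every subkey under Winlogon\\Notify."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            path = m.group(1)
            if path.lower().startswith(NOTIFY_PREFIX.lower() + "\\"):
                current = path[len(NOTIFY_PREFIX) + 1:]
                keys[current] = {}
            else:
                current = None  # the Notify key itself, or some unrelated key
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def triage_notify(keys):
    """Return (subkey, dll, reasons) for each Notify subkey that is off-baseline."""
    findings = []
    for name, values in keys.items():
        # The value name varies in case ("DllName" vs "DLLName"); match case-insensitively.
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), "")
        reasons = []
        if name not in BASELINE:
            reasons.append("subkey not in baseline")
        elif BASELINE[name].lower() != dll.lower():
            reasons.append("baseline subkey now points at a different DLL")
        if "\\" in dll:
            # Stock packages are bare file names resolved from System32; a hard-coded
            # absolute path is how the random-named DLLs in this thread registered.
            reasons.append("DllName is an absolute path")
        if reasons:
            findings.append((name, dll, reasons))
    return findings


if __name__ == "__main__":
    for name, dll, reasons in triage_notify(parse_notify_export(SAMPLE_EXPORT)):
        print(f"Notify\\{name} -> {dll}: {'; '.join(reasons)}")
```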
-
Let me toss this in before it reboots yet again! I came home this afternoon and I saw my computer had rebooted on its own, so probably lost all that was done so far... I got a ton of Flash Talk 1.2 attempted installs among ABetterInternet or whatever that is. I had to load this Mozilla Firefox in order to stay online long enough to send this. I will send this and then do one with the newest info I got. I had to run Pest Patrol, Ad-Aware and Spybot earlier in order to stay online... all cleared except several instances of CWS stuff that I get an error message for when I try to delete it. I'll send the new logs in a few minutes
thanks for understanding!
-
that was me above!
:)
-
Findit
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System32 Directory -------
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
12/12/2004 04:27p 222,914 n82u0if9e82.dll
12/12/2004 04:10p 226,259 nv0029dmg.dll
12/12/2004 04:08p 222,914 gpj4l31q1.dll
12/12/2004 03:59p 222,750 k480lelm1hqa.dll
12/12/2004 03:00p 224,359 lv6809jue.dll
12/12/2004 10:00a 224,359 wpvdmoe.dll
12/11/2004 05:21p <DIR> dllcache
11/23/2004 06:43p 11,690 KGyGaAvL.sys
11/23/2004 06:38p 56 CED9F6D0F6.sys
11/12/2004 07:52a 385,024 ?hkdsk.exe
9 File(s) 1,740,325 bytes
1 Dir(s) 175,603,798,016 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
12/11/2004 05:21p <DIR> dllcache
11/23/2004 06:43p 11,690 KGyGaAvL.sys
11/23/2004 06:38p 56 CED9F6D0F6.sys
11/12/2004 07:52a 385,024 ?hkdsk.exe
09/26/2004 08:00p <DIR> GroupPolicy
09/26/2004 07:56p 21,692 folder.htt
09/26/2004 07:56p 271 desktop.ini
5 File(s) 418,733 bytes
2 Dir(s) 175,603,793,920 bytes free
---------- Files Named "Guard" -------------
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
--------- Temp Files in System32 Directory --------
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
12/07/1999 06:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 175,603,793,920 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0D47A9A6-8109-4488-B37A-840F2EA290B4}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
"Asynchronous"=dword:00000000
"DllName"="C:\\winnt\\system32\\gpj4l31q1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
---------------- Xfind Results -----------------
C:\winnt\System32\GPJ4L3~1.DLL +++ File read error
-------------- Locate.com Results ---------------
C:\WINNT\SYSTEM32\
ced9f6~1.sys Tue Nov 23 2004 6:38:46p ..SHR 56 0.05 K
desktop.ini Sun Sep 26 2004 7:56:32p ...H. 271 0.26 K
folder.htt Sun Sep 26 2004 7:56:32p ...H. 21,692 21.18 K
gpj4l3~1.dll Sun Dec 12 2004 4:08:10p ..S.R 222,914 217.69 K
k480le~1.dll Sun Dec 12 2004 3:59:46p ..S.R 222,750 217.53 K
kgygaavl.sys Tue Nov 23 2004 6:43:46p A.SH. 11,690 11.41 K
lv6809~1.dll Sun Dec 12 2004 3:00:48p ..S.R 224,359 219.10 K
n82u0i~1.dll Sun Dec 12 2004 4:27:18p ..S.R 222,914 217.69 K
nv0029~1.dll Sun Dec 12 2004 4:10:10p ..S.R 226,259 220.95 K
wpvdmoe.dll Sun Dec 12 2004 10:00:42a ..S.R 224,359 219.10 K
hkdsk~1.exe Fri Nov 12 2004 7:52:22a ..SHR 385,024 376.00 K
11 items found: 11 files, 0 directories.
Total of file sizes: 1,762,288 bytes 1.68 M
Filefind
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\WINNT\System32
06/19/2003 11:05a 13,584 chkdsk.exe
11/12/2004 07:52a 385,024 ?hkdsk.exe
2 File(s) 398,608 bytes
Directory of C:\Documents and Settings\Lanny\Desktop
DLL Compare
* DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINNT\SYSTEM32\gpj4l3~1.dll Sun Dec 12 2004 4:08:10p ..S.R 222,914 217.69 K
C:\WINNT\SYSTEM32\k480le~1.dll Sun Dec 12 2004 3:59:46p ..S.R 222,750 217.53 K
C:\WINNT\SYSTEM32\lv6809~1.dll Sun Dec 12 2004 3:00:48p ..S.R 224,359 219.10 K
C:\WINNT\SYSTEM32\n82u0i~1.dll Sun Dec 12 2004 4:27:18p ..S.R 222,914 217.69 K
C:\WINNT\SYSTEM32\nv0029~1.dll Sun Dec 12 2004 4:10:10p ..S.R 226,259 220.95 K
C:\WINNT\SYSTEM32\wpvdmoe.dll Sun Dec 12 2004 10:00:42a ..S.R 224,359 219.10 K
________________________________________________
1,154 items found: 1,154 files (6 H/S), 0 directories.
Total of file sizes: 253,135,268 bytes 241.41 M
Administrator Account = True
--------------------End log---------------------
Hijack This
Logfile of HijackThis v1.98.2
Scan saved at 8:44:02 PM, on 12/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\winnt\system32\nvsvc32.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\rundll32.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\RUNDLL32.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\YAC\yac.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\winnt\system32\cmd.exe
C:\winnt\system32\notepad.exe
C:\downloads\DllCompare.exe
C:\winnt\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WATCHPNP_SAMSUNG] watchpnp.exe SAMSUNG
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\winnt\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\winnt\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: yac.lnk = C:\Program Files\YAC\yac.exe
Anything else? I'm sorry we're starting over, but this darn thing is driving me nuts.
-
Set Windows to Show Hidden Files and Folders
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Open Notepad (START>>>RUN>>>type in notepad) and hit Enter
Copy the contents of the Quote box to notepad
In Notepad, click FILE>>SAVE AS
Important>>Change the Save as Type to All Files.
Name the file as remove.reg
Don't run this yet
REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Reinstall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0D47A9A6-8109-4488-B37A-840F2EA290B4}"=-
Open Killbox
click on Tools->Delete Temp Files
When that finishes, copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those in a minute:
C:\winnt\system32\gpj4l31q1.dll
C:\WINNT\SYSTEM32\k480le~1.dll
C:\WINNT\SYSTEM32\lv6809~1.dll
C:\WINNT\SYSTEM32\n82u0i~1.dll
C:\WINNT\SYSTEM32\nv0029~1.dll
C:\WINNT\SYSTEM32\wpvdmoe.dll
C:\WINDOWS\SYSTEM32\Guard.tmp
For the files that it either couldn't find or couldn't delete, run killbox again, but this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No" until after you've pasted the last file name, at which time you should answer "Yes".
Restart your computer into Safe Mode; you can do this by tapping the F8 key on your keyboard while the system is booting up.
Look for and delete this file if it exists
C:\winnt\System32\?hkdsk.exe <--file, with exact name; don't delete anything else just because it looks similar
Double click on remove.reg and let it merge to the registry
Open Hijackthis and put a check next to these entries
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
After you have ticked the above, close out all other open windows.
Leave HijackThis open and click FIX CHECKED, then YES, and exit HijackThis.
Restart back into Normal mode
For your Recycle bin problem, try this
Start->Run, type cmd and hit Enter
At the prompt, type the following:
cd\ [hit enter] <--on the keyboard
cd Recycler [Enter]
Del Desktop.ini [Enter]
REBOOT and try deleting a test blank file
IF not
Go to a Command Prompt
At the prompt, type the following:
cd\ [hit enter]
cd Recycler [Enter]
attrib -h info*.* [Enter]
Del info*.* [enter]
Then test if it's fixed.
If not,
Go back to a command prompt and type:
cd\ [hit enter]
attrib -h -s c:\recycler [Enter]
del c:\recycler [enter]
Reboot and test again with blank file.
Post back with a fresh HijackThis log, a DllCompare log and the Findit.bat results.
-
OK, Update:
Recycle Bin option 3 worked. I got "No such file exists" on the first 2 attempts.
As I opened this page, I got a spotresults searcher page opening at the same time. Here are the logs:
Hijack This
Logfile of HijackThis v1.98.2
Scan saved at 11:41:14 PM, on 12/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\winnt\system32\nvsvc32.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\rundll32.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\RUNDLL32.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\YAC\yac.exe
C:\winnt\system32\winupdt.exe
C:\winnt\system32\RUNDLL32.exe
C:\winnt\system32\winupdt.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WATCHPNP_SAMSUNG] watchpnp.exe SAMSUNG
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\winnt\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\winnt\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [stcloader] C:\winnt\system32\stcloader.exe
O4 - HKLM\..\Run: [winupdtl] C:\winnt\system32\winupdtl.exe
O4 - Startup: yac.lnk = C:\Program Files\YAC\yac.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install007.exe
dllcompare log
* DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINNT\SYSTEM32\bt549.dll Sun Dec 12 2004 11:37:04p ..S.R 223,706 218.46 K
C:\WINNT\SYSTEM32\lvj609~1.dll Sun Dec 12 2004 11:30:40p ..S.R 223,706 218.46 K
C:\WINNT\SYSTEM32\n8p40i~1.dll Sun Dec 12 2004 11:37:04p ..S.R 224,184 218.93 K
________________________________________________
1,153 items found: 1,153 files (3 H/S), 0 directories.
Total of file sizes: 252,574,413 bytes 240.87 M
Administrator Account = True
--------------------End log---------------------
Find.bat Log
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System32 Directory -------
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
12/12/2004 11:37p 223,706 bt549.dll
12/12/2004 11:37p 224,184 n8p40i7qe8.dll
12/12/2004 11:30p 223,706 lvj6091se.dll
12/11/2004 05:21p <DIR> dllcache
11/23/2004 06:43p 11,690 KGyGaAvL.sys
11/23/2004 06:38p 56 CED9F6D0F6.sys
11/12/2004 07:52a 385,024 ?hkdsk.exe
6 File(s) 1,068,366 bytes
1 Dir(s) 173,197,762,560 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
12/11/2004 05:21p <DIR> dllcache
11/23/2004 06:43p 11,690 KGyGaAvL.sys
11/23/2004 06:38p 56 CED9F6D0F6.sys
11/12/2004 07:52a 385,024 ?hkdsk.exe
09/26/2004 08:00p <DIR> GroupPolicy
09/26/2004 07:56p 21,692 folder.htt
09/26/2004 07:56p 271 desktop.ini
5 File(s) 418,733 bytes
2 Dir(s) 173,197,762,560 bytes free
---------- Files Named "Guard" -------------
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
--------- Temp Files in System32 Directory --------
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
12/07/1999 06:00a 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 173,197,762,560 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{0D47A9A6-8109-4488-B37A-840F2EA290B4}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"Asynchronous"=dword:00000000
"DllName"="C:\\winnt\\system32\\lvj6091se.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
---------------- Xfind Results -----------------
C:\winnt\System32\BT549.DLL +++ File read error
-------------- Locate.com Results ---------------
C:\WINNT\SYSTEM32\
bt549.dll Sun Dec 12 2004 11:37:04p ..S.R 223,706 218.46 K
ced9f6~1.sys Tue Nov 23 2004 6:38:46p ..SHR 56 0.05 K
desktop.ini Sun Sep 26 2004 7:56:32p ...H. 271 0.26 K
folder.htt Sun Sep 26 2004 7:56:32p ...H. 21,692 21.18 K
kgygaavl.sys Tue Nov 23 2004 6:43:46p A.SH. 11,690 11.41 K
lvj609~1.dll Sun Dec 12 2004 11:30:40p ..S.R 223,706 218.46 K
n8p40i~1.dll Sun Dec 12 2004 11:37:04p ..S.R 224,184 218.93 K
hkdsk~1.exe Fri Nov 12 2004 7:52:22a ..SHR 385,024 376.00 K
8 items found: 8 files, 0 directories.
Total of file sizes: 1,090,329 bytes 1.04 M
-
Open Notepad (START>>>RUN>>>type in notepad) and hit Enter
Copy the contents of the Quote box to notepad
In Notepad, click FILE>>SAVE AS
Important>>Change the Save as Type to All Files.
Name the file as remove.reg
Don't run this yet
REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
Open Killbox and click on Delete temp files
When that finishes, copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those in a minute:
C:\WINNT\SYSTEM32\bt549.dll
C:\WINNT\SYSTEM32\lvj609~1.dll
C:\WINNT\SYSTEM32\n8p40i~1.dll
For the files that it either couldn't find or couldn't delete, run killbox again, but this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No" until after you've pasted the last file name, at which time you should answer "Yes".
Restart your computer into safe mode
Find and delete these files if they exist
C:\winnt\system32\stcloader.exe <--file
C:\winnt\system32\winupdtl.exe <--file
Do another scan with hijackthis and put a check next to these entries:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [stcloader] C:\winnt\system32\stcloader.exe
O4 - HKLM\..\Run: [winupdtl] C:\winnt\system32\winupdtl.exe
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install007.exe
After you have ticked the above entries, close down all other windows, including this one.
Leave HijackThis open and click FIX CHECKED, then YES, and exit HijackThis.
Open VX2 Finder and click the "Find VX2.BetterInternet" button.
On the right-hand side, click any of these that are highlighted:
Click 'Guardian.reg'.
Click 'User Agent'.
Click 'Restore Policy'
Double click on remove.reg and allow it to merge into the registry.
Did you find this file?
C:\winnt\System32\?hkdsk.exe <--exact name
What other .dll files do you see in your system32 folder created on the same day and with the same file size as these?
C:\WINNT\SYSTEM32\bt549.dll Sun Dec 12 2004 11:37:04p ..S.R 223,706 218.46 K
C:\WINNT\SYSTEM32\lvj609~1.dll Sun Dec 12 2004 11:30:40p ..S.R 223,706 218.46 K
C:\WINNT\SYSTEM32\n8p40i~1.dll Sun Dec 12 2004 11:37:04p ..S.R 224,184 218.93 K
Every restart will cause more to appear until the infection is taken care of
RESTART back into Normal mode and post back the above logs again
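An added triage script, mine rather than anything from this thread or the tools it names, that does the checks in the reply above over constructed samples: it parses the Find.bat "Keys Under Notify" export, flags any Notify subkey whose DllName is an absolute path (the stock keys in the logs load by a bare name or a hex(2) string), picks out the System+ReadOnly DLLs in a Locate.com listing that share the day and size with the flagged one, and writes the remove.reg text that deletes the key. The sample data, the plain.dll decoy and the reading of the attribute column as A D S H R are assumptions.

```python
import re
from collections import namedtuple

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed sample shaped like the Find.bat "Keys Under Notify" section quoted above.
NOTIFY_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony]
"DllName"="C:\\winnt\\system32\\lvj6091se.dll"
"""

# Constructed sample in the Locate.com format quoted above; the five attribute flags
# are read as A D S H R (inferred from the listings). plain.dll is a same-day,
# same-size decoy without the System/ReadOnly flags and must not be reported.
LOCATE_LISTING = """bt549.dll Sun Dec 12 2004 11:37:04p ..S.R 223,706 218.46 K
lvj609~1.dll Sun Dec 12 2004 11:30:40p ..S.R 223,706 218.46 K
n8p40i~1.dll Sun Dec 12 2004 11:37:04p ..S.R 224,184 218.93 K
plain.dll Sun Dec 12 2004 10:01:00a A.... 223,900 218.65 K
desktop.ini Sun Sep 26 2004 7:56:32p ...H. 271 0.26 K
"""

FileEntry = namedtuple("FileEntry", "name day attrs size")
LISTING_RE = re.compile(r"^(?P<name>\S+)\s+(?P<day>\w{3} \w{3} \d{1,2} \d{4})\s+\S+\s+"
                        r"(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d,]+)")


def parse_notify_export(text):
    """Return {subkey: {value_name_lowercased: raw_value}} for keys under Notify."""
    keys, current = {}, None
    for line in text.splitlines():
        key = re.match(r"^\[(.+)\]$", line.strip())
        if key:
            current = key.group(1)
            continue
        val = re.match(r'^"([^"]+)"=(.*)$', line.strip())
        if val and current and current.lower().startswith(NOTIFY_ROOT.lower() + "\\"):
            subkey = current[len(NOTIFY_ROOT) + 1:]
            keys.setdefault(subkey, {})[val.group(1).lower()] = val.group(2)
    return keys


def decode_reg_value(raw):
    """Decode a .reg value: hex(2) bytes, or a quoted string with doubled backslashes."""
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.rstrip(b"\x00").decode("ascii", "replace")
    return raw[1:-1].replace("\\\\", "\\") if raw.startswith('"') else raw


def suspicious_notify_keys(keys):
    """Subkeys whose DllName is an absolute path; the stock entries use a bare name."""
    dlls = {sk: decode_reg_value(v.get("dllname", "")) for sk, v in keys.items()}
    return [(sk, dll) for sk, dll in dlls.items() if "\\" in dll]


def parse_locate_listing(text):
    """Parse Locate.com-style lines into FileEntry records (names lower-cased)."""
    rows = [LISTING_RE.match(line.strip()) for line in text.splitlines()]
    return [FileEntry(m["name"].lower(), m["day"], m["attrs"],
                      int(m["size"].replace(",", ""))) for m in rows if m]


def same_file(listed, long_name):
    """True if a listed name (possibly 8.3, e.g. lvj609~1.dll) can be long_name."""
    a, b = listed.lower(), long_name.lower()
    m = re.match(r"^(.+?)~\d+(\.[^.]*)?$", a)
    return a == b or bool(m and b.startswith(m.group(1)) and b.endswith(m.group(2) or ""))


def dll_companions(entries, flagged_names, tolerance=4096):
    """System+ReadOnly DLLs on the same day and near the size of a flagged DLL."""
    anchors = [e for e in entries if any(same_file(e.name, n) for n in flagged_names)]
    hits = set()
    for e in entries:
        if not e.name.endswith(".dll") or e.attrs[2] != "S" or e.attrs[4] != "R":
            continue
        if any(e.day == a.day and abs(e.size - a.size) <= tolerance for a in anchors):
            hits.add(e.name)
    return sorted(hits)


def build_remove_reg(subkeys):
    """REGEDIT4 text deleting each subkey (a leading '-' deletes the key), CRLF ended."""
    lines = ["REGEDIT4", ""] + [f"[-{NOTIFY_ROOT}\\{sk}]" for sk in subkeys]
    return "\r\n".join(lines) + "\r\n"


def triage(notify_text, listing_text):
    """Flagged Notify subkeys, the DLL files to delete, and the remove.reg text."""
    flagged = suspicious_notify_keys(parse_notify_export(notify_text))
    names = [dll.rsplit("\\", 1)[-1] for _, dll in flagged]
    companions = dll_companions(parse_locate_listing(listing_text), names)
    return [sk for sk, _ in flagged], companions, build_remove_reg([sk for sk, _ in flagged])


if __name__ == "__main__":
    print(triage(NOTIFY_EXPORT, LOCATE_LISTING))
```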
-
I got this same problem, exact same thing: rundll32 keeps running some program that makes guard.tmp; it has something to do with CoolWebSearch. I know the place I got it was www.torrentspy.com, and previous to that I got spyware from going to www.suprnova.org. It's funny because these sites are file sharing sites and these idiot spyware people are trying to advertise to the wrong crowd. WE DON'T PAY FOR [censored]
-
OK, notes first. The 2 files in the same timeframe and with the 218k size are IGIresize.dll and Guard.tmp. I also noticed these files that didn't look good: idleui.dll (41k) and 2ndsrch.dll (68). They were from the same day, just smaller.
Also, when I did the Killbox, on the 2 that wouldn't delete initially, I got an error as follows from Killbox: "Pending file rename operation registry data has been removed by external process"
I did not find the file ?hkdsk.exe, only saw chkdsk.exe in that directory.
Here are the updated logs
Hijack this
Logfile of HijackThis v1.98.2
Scan saved at 7:55:40 AM, on 12/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\winnt\system32\nvsvc32.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\winnt\system32\svchost.exe
C:\winnt\Explorer.EXE
C:\winnt\system32\RUNDLL32.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\YAC\yac.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WATCHPNP_SAMSUNG] watchpnp.exe SAMSUNG
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\winnt\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\winnt\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: yac.lnk = C:\Program Files\YAC\yac.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
Find.bat log
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System32 Directory -------
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
12/11/2004 05:21p <DIR> dllcache
11/23/2004 06:43p 11,690 KGyGaAvL.sys
11/23/2004 06:38p 56 CED9F6D0F6.sys
11/12/2004 07:52a 385,024 ?hkdsk.exe
3 File(s) 396,770 bytes
1 Dir(s) 173,053,349,888 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
12/11/2004 05:21p <DIR> dllcache
11/23/2004 06:43p 11,690 KGyGaAvL.sys
11/23/2004 06:38p 56 CED9F6D0F6.sys
11/12/2004 07:52a 385,024 ?hkdsk.exe
09/26/2004 08:00p <DIR> GroupPolicy
09/26/2004 07:56p 21,692 folder.htt
09/26/2004 07:56p 271 desktop.ini
5 File(s) 418,733 bytes
2 Dir(s) 173,053,349,888 bytes free
---------- Files Named "Guard" -------------
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
12/13/2004 07:24a 223,706 guard.tmp
1 File(s) 223,706 bytes
0 Dir(s) 173,053,349,888 bytes free
--------- Temp Files in System32 Directory --------
Volume in drive C is Primary
Volume Serial Number is 5DA6-51E0
Directory of C:\winnt\System32
12/13/2004 07:24a 223,706 guard.tmp
12/07/1999 06:00a 2,577 CONFIG.TMP
2 File(s) 226,283 bytes
0 Dir(s) 173,053,349,888 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OfficeUpdate]
"Asynchronous"=dword:00000000
"DllName"="C:\\winnt\\system32\\n8p40i7qe8.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
---------------- Xfind Results -----------------
-------------- Locate.com Results ---------------
C:\WINNT\SYSTEM32\
ced9f6~1.sys Tue Nov 23 2004 6:38:46p ..SHR 56 0.05 K
desktop.ini Sun Sep 26 2004 7:56:32p ...H. 271 0.26 K
folder.htt Sun Sep 26 2004 7:56:32p ...H. 21,692 21.18 K
kgygaavl.sys Tue Nov 23 2004 6:43:46p A.SH. 11,690 11.41 K
hkdsk~1.exe Fri Nov 12 2004 7:52:22a ..SHR 385,024 376.00 K
5 items found: 5 files, 0 directories.
Total of file sizes: 418,733 bytes 408.92 K
DLL Compare log
* DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
1,150 items found: 1,150 files, 0 directories.
Total of file sizes: 251,902,817 bytes 240.23 M
Administrator Account = True
--------------------End log---------------------
Thanks again for all your help!
-
I've got the same pest on my Win2K. I followed the whole issue and decided to try something. It was successful, so here's what I did:
1. Disconnect the PC from the net and reboot in safe mode (I think it wasn't necessary).
2. Run regedit and see which is the problematic dll:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
crypt32chain
cryptnet
cscdll
NavLogon
sclgntfy
SensLogn
wzcnotif
Office Update
It is the Office Update key in fact - inside it (but if I deleted it, it was self-restored under some other name like Add Paths, URL etc.).
I deleted the Office Update key.
It was a file named C:\WINNT\system32\nmrssk.dll (if I deleted it, next time I logged on it was another filename).
3. Run dllcompare
It found 4 more files like nmrssk.dll
4.Run killbox and add all of the files which dllcompare found to be deleted on the next boot.
5. Remove the content of C:\WINNT\system32\drivers\etc\hosts - all except
127.0.0.1 localhost
6. Reboot
7. Run regedit and delete the new foreign key (for me
crypt32chain
cryptnet
cscdll
NavLogon
sclgntfy
SensLogn
wzcnotif
was normal), which was probably created before the restart.
That's it! Now the system is clean: no popups, no crashes, no "dns not found".
Thank you guys, your work helped me a lot :)
-
THIS WORKED FOR ME (not too complicated):
Find your Windows XP Disk first.
Download and update Ad-aware se personal.
Do a complete scan and remove anything it finds
Scan again and note what it finds ON PAPER. Leave the program open.
Open the registry - go to HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon\Notify - inspect each item in the right pane and look for one (or more) containing the random alphanumeric DLL (mutates - my last one was hr6uo5j9e.dll). Delete this key.
Search the registry for other instances of this alphanumeric dll, guard.tmp and error32.dat - delete all references you may find. Leave the registry open.
THIS PART IS IMPORTANT FOR THE MALWARE NOT TO REINSTALL:
Don't shut down in the conventional way (start/turn off computer...)
Either unplug the computer or hold the on button in for 7 seconds to shut off.
Restart the computer with the Windows XP disk and go to the Recovery Console (Safe Mode with command prompt is not good enough - the malware will reinstall).
Find your Ad-aware list - delete any files listed under c:\windows\system32. There will be either 2 or 3: the random dll, error32.dat and maybe guard.tmp. Also, look for program kalvewg32.exe - if there, delete it.
Reboot the computer - run ad-aware, cw shredder and scan for viruses. The system should be clean.
www.pattnet.com