Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - jim4299

Pages: [1]

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap

« on: January 04, 2005, 04:27:55 AM »

Hijackthis still crashes but CWShredder works fine, and finds nothing.

RegSearch does not find any reference to: xwlxxw.exe

I couldnt get the homescan to load (couldn't get it to recognize the netscape plugin) but i installed the other virus scan and removed 3 trojans - downloader.agent.3.D, dyfica.2.BA and 3.G.

Thank you,
Jim

Here are my Hijackthis, Find.bat, VX2, and ServiceFilter logs:

Logfile of HijackThis v1.98.2
Scan saved at 3:07:51 AM, on 1/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\strings.exe
C:\WINDOWS\system32\find.exe
C:\Documents and Settings\james sosby\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.com"); (C:\Documents and Settings\james sosby\Application Data\Mozilla\Profiles\default\ydkigfci.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\james sosby\Application Data\Mozilla\Profiles\default\ydkigfci.slt\prefs.js)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: Reboot.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: strings.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.hudoig.gov/iNotes.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://webmail.hudoig.gov/iNotes6.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\tmp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

01/28/2004 11:17 PM <DIR> Microsoft
01/28/2004 09:30 PM <DIR> dllcache
0 File(s) 0 bytes
2 Dir(s) 3,882,991,616 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/06/2004 09:15 AM 4,212 zllictbl.dat
01/28/2004 10:03 PM 488 logonui.exe.manifest
01/28/2004 10:03 PM 488 WindowsLogon.manifest
01/28/2004 10:03 PM 749 wuaucpl.cpl.manifest
01/28/2004 10:03 PM 749 cdplayer.exe.manifest
01/28/2004 10:03 PM 749 sapi.cpl.manifest
01/28/2004 10:03 PM 749 nwc.cpl.manifest
01/28/2004 10:03 PM 749 ncpa.cpl.manifest
01/28/2004 09:30 PM <DIR> dllcache
8 File(s) 8,933 bytes
1 Dir(s) 3,882,983,424 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/23/2001 12:00 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 3,882,967,040 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------------ Locate.com Results ------------------

No matches found.

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\ntdll.dll: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"HPHmon04"="C:\\WINDOWS\\System32\\hphmon04.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon

Guardian Key--- is called:

Guardian Key--- :

User Agent String---

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600 Service Pack 2
Jan 4, 2005 3:09:07 AM

---> Begin Service Listing <---

Unknown Service # 1
Service Name: Pml Driver HPH11
Display Name: Pml Driver HPH11
Start Mode: Manual
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\hphipm11.exe
State: Running
Process ID: 1868
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #2
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{52886906-8a2d-4438-8ac3-9bce6f96ae08}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 83 Win32 services on this machine.
2 were unrecognized.

Script Execution Time: 4.987305 seconds.

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap

« on: January 04, 2005, 02:54:38 AM »

Sounds good, maybe the trojan is keeping 1.99 from working? its odd nonetheless, i tried to create a startup log again and again just for fun with 1.99, the log just wont show the "enumerator" line you were looking for.

Once again, thanks, appreciate your help alot

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap

« on: January 04, 2005, 02:47:43 AM »

I was using 1.99 for those last 2 startups, here is 1.98's startup list, this had the enumerating sub paths thing:

StartupList report, 1/4/2005, 12:44:20 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\james sosby\Desktop\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\james sosby\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\james sosby\Start Menu\Programs\Startup]
Reboot.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
ftkfft.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
InCD = C:\Program Files\Ahead\InCD\InCD.exe
HPHUPD04 = "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
HPHmon04 = C:\WINDOWS\System32\hphmon04.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
Omnipage = C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
Narrator = C:\WINDOWS\system32\qrvqqr.exe

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = Notepad.exe %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Task Scheduler jobs:

HP Usg Daily.job
HP Usg Login.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[iNotes Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\inotes.dll
CODEBASE = https://webmail.hudoig.gov/iNotes.cab

[iNotes6 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\inotes6.dll
CODEBASE = https://webmail.hudoig.gov/iNotes6.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8014.8156018518

[{B9191F79-5613-4C76-AA2A-398534BB8999}]
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HPFECP06: \SystemRoot\System32\drivers\HPFECP06.SYS (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 9,947 bytes
Report generated in 0.080 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap

« on: January 04, 2005, 02:36:00 AM »

My bad, i thought i did, here it is:

StartupList report, 1/4/2005, 12:33:43 AM
StartupList version: 1.52.2
Started from : C:\Program Files\hi\hi.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hi\hi.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\james sosby\Start Menu\Programs\Startup]
Reboot.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
ftkfft.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
InCD = C:\Program Files\Ahead\InCD\InCD.exe
HPHUPD04 = "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
HPHmon04 = C:\WINDOWS\System32\hphmon04.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
Omnipage = C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
Narrator = C:\WINDOWS\system32\qrvqqr.exe

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = Notepad.exe %1

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

HP Usg Daily.job
HP Usg Login.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[iNotes Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\inotes.dll
CODEBASE = https://webmail.hudoig.gov/iNotes.cab

[iNotes6 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\inotes6.dll
CODEBASE = https://webmail.hudoig.gov/iNotes6.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8014.8156018518

[{B9191F79-5613-4C76-AA2A-398534BB8999}]
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 4,878 bytes
Report generated in 0.020 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap

« on: January 04, 2005, 02:31:06 AM »

Here it is:

StartupList report, 1/4/2005, 12:29:10 AM
StartupList version: 1.52.2
Started from : C:\Program Files\hi\hi.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hi\hi.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\james sosby\Start Menu\Programs\Startup]
Reboot.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
ftkfft.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
InCD = C:\Program Files\Ahead\InCD\InCD.exe
HPHUPD04 = "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
HPHmon04 = C:\WINDOWS\System32\hphmon04.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
Omnipage = C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
Narrator = C:\WINDOWS\system32\qrvqqr.exe

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = Notepad.exe %1

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

HP Usg Daily.job
HP Usg Login.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[iNotes Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\inotes.dll
CODEBASE = https://webmail.hudoig.gov/iNotes.cab

[iNotes6 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\inotes6.dll
CODEBASE = https://webmail.hudoig.gov/iNotes6.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8014.8156018518

[{B9191F79-5613-4C76-AA2A-398534BB8999}]
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 4,878 bytes
Report generated in 0.070 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap

« on: January 04, 2005, 02:26:20 AM »

Hijack still crashes but i followed all procedures as described, i.e., uninstalled spy doctor, trojan guard, unplugged the internet. I just switched to firefox today but i still get thrown over to weird sites and maybe thats how the spyware gets back into the computer? Here are the 2 logs:

Thanks

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Logfile of HijackThis v1.98.2
Scan saved at 12:15:59 AM, on 1/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\james sosby\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.com"); (C:\Documents and Settings\james sosby\Application Data\Mozilla\Profiles\default\ydkigfci.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\james sosby\Application Data\Mozilla\Profiles\default\ydkigfci.slt\prefs.js)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\qrvqqr.exe
O4 - Startup: Reboot.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: ftkfft.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.hudoig.gov/iNotes.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://webmail.hudoig.gov/iNotes6.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1

Find.bat is running from: C:\tmp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

01/28/2004 11:17 PM <DIR> Microsoft
01/28/2004 09:30 PM <DIR> dllcache
0 File(s) 0 bytes
2 Dir(s) 3,124,903,936 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/06/2004 09:15 AM 4,212 zllictbl.dat
01/28/2004 10:03 PM 488 logonui.exe.manifest
01/28/2004 10:03 PM 488 WindowsLogon.manifest
01/28/2004 10:03 PM 749 wuaucpl.cpl.manifest
01/28/2004 10:03 PM 749 cdplayer.exe.manifest
01/28/2004 10:03 PM 749 sapi.cpl.manifest
01/28/2004 10:03 PM 749 nwc.cpl.manifest
01/28/2004 10:03 PM 749 ncpa.cpl.manifest
01/28/2004 09:30 PM <DIR> dllcache
8 File(s) 8,933 bytes
1 Dir(s) 3,124,895,744 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/23/2001 12:00 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 3,124,879,360 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3A171278-78A9-44E8-84BC-B0A3289C0D08}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hrn6055se.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------------ Locate.com Results ------------------

No matches found.

------------ Strings.exe Qoologic Results ------------

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\ntdll.dll: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"HPHmon04"="C:\\WINDOWS\\System32\\hphmon04.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Narrator"="C:\\WINDOWS\\system32\\qrvqqr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap

« on: January 04, 2005, 01:29:58 AM »

Following the procedure, there was a error that poped up in a msdos box for ftkfft.exe, but i accidently hit enter too quick to pick it up (oppsss). HiJack this still crashes so i had to use the old hijack (1.98) for the log. xwlxxw.exe still appeared and was deleted (again) by trojan guarder following bootup. Here are my logs:

Thanks again

Logfile of HijackThis v1.98.2
Scan saved at 11:18:18 PM, on 1/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\qrvqqr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\james sosby\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
;<local>
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.com"); (C:\Documents and Settings\james sosby\Application Data\Mozilla\Profiles\default\ydkigfci.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\james sosby\Application Data\Mozilla\Profiles\default\ydkigfci.slt\prefs.js)
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: earch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Reboot.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Trojan Guarder Gold Version.lnk = C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.hudoig.gov/iNotes.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://webmail.hudoig.gov/iNotes6.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\tmp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

01/03/2005 11:15 PM 225,250 hrn6055se.dll
01/03/2005 10:10 PM 224,595 irp0l57m1.dll
01/03/2005 10:03 PM 224,405 hr8805lue.dll
01/03/2005 06:10 AM 222,848 m082lalo1dqc.dll
01/03/2005 05:59 AM 225,714 g4lm0e31eh.dll
01/03/2005 04:59 AM 225,177 k0080adued080.dll
01/28/2004 11:17 PM <DIR> Microsoft
01/28/2004 09:30 PM <DIR> dllcache
6 File(s) 1,347,989 bytes
2 Dir(s) 3,108,233,216 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/06/2004 09:15 AM 4,212 zllictbl.dat
01/28/2004 10:03 PM 488 logonui.exe.manifest
01/28/2004 10:03 PM 488 WindowsLogon.manifest
01/28/2004 10:03 PM 749 wuaucpl.cpl.manifest
01/28/2004 10:03 PM 749 cdplayer.exe.manifest
01/28/2004 10:03 PM 749 sapi.cpl.manifest
01/28/2004 10:03 PM 749 nwc.cpl.manifest
01/28/2004 10:03 PM 749 ncpa.cpl.manifest
01/28/2004 09:30 PM <DIR> dllcache
8 File(s) 8,933 bytes
1 Dir(s) 3,108,225,024 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/23/2001 12:00 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 3,108,208,640 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3A171278-78A9-44E8-84BC-B0A3289C0D08}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\irp0l57m1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
g4lm0e~1.dll Mon Jan 3 2005 5:59:58a ..S.R 225,714 220.42 K
hr8805~1.dll Mon Jan 3 2005 10:03:18p ..S.R 224,405 219.14 K
irp0l5~1.dll Mon Jan 3 2005 10:10:08p ..S.R 224,595 219.33 K
hrn605~1.dll Mon Jan 3 2005 11:15:44p ..S.R 225,250 219.97 K
k0080a~1.dll Mon Jan 3 2005 4:59:16a ..S.R 225,177 219.90 K
m082la~1.dll Mon Jan 3 2005 6:10:52a ..S.R 222,848 217.63 K

6 items found: 6 files, 0 directories.
Total of file sizes: 1,347,989 bytes 1.29 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\system32\sbissb.dll: updates.qoologic.com
C:\WINDOWS\system32\ioliio.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\qrvqqr.exe: .aspack
C:\WINDOWS\system32\gbwggb.dat: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"HPHmon04"="C:\\WINDOWS\\System32\\hphmon04.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Narrator"="C:\\WINDOWS\\system32\\qrvqqr.exe"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap

« on: January 04, 2005, 12:24:04 AM »

Oh ya, the remv log:

Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------

Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
msde.dll
msi.dll
Finished

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap

« on: January 04, 2005, 12:22:25 AM »

My computer crashed so unfortunitely, i'm forced to restart here and there (just crashed after the procedure). Also, i continually tell Trojan Guarder to delete the trojan xwlxxw.exe, so i'm not sure how that affects the logs. Hijack 1.99 still will not record a log so i had to use the older version. Here are my new hijack 1.98 and findit logs:

Thanks again,
Jim

Hijack 1.98

Logfile of HijackThis v1.98.2
Scan saved at 10:14:02 PM, on 1/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\qrvqqr.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\strings.exe
C:\WINDOWS\system32\find.exe
C:\Documents and Settings\james sosby\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
;<local>
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://yahoo.com"); (C:\Documents and Settings\james sosby\Application Data\Mozilla\Profiles\default\ydkigfci.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\james sosby\Application Data\Mozilla\Profiles\default\ydkigfci.slt\prefs.js)
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: earch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Reboot.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Trojan Guarder Gold Version.lnk = C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
O4 - Global Startup: strings.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://webmail.hudoig.gov/iNotes.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://webmail.hudoig.gov/iNotes6.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2065CC5C-481B-43F5-9DA0-03EF102B08A4}: NameServer = 192.168.1.1

Findit

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\tmp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

01/03/2005 10:10 PM 224,595 irp0l57m1.dll
01/03/2005 10:03 PM 224,405 hr8805lue.dll
01/03/2005 09:55 PM 223,520 h40q0ed5eh0.dll
01/03/2005 06:10 AM 222,848 m082lalo1dqc.dll
01/03/2005 05:59 AM 225,714 g4lm0e31eh.dll
01/03/2005 04:59 AM 225,177 k0080adued080.dll
01/28/2004 11:17 PM <DIR> Microsoft
01/28/2004 09:30 PM <DIR> dllcache
6 File(s) 1,346,259 bytes
2 Dir(s) 3,106,783,232 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/06/2004 09:15 AM 4,212 zllictbl.dat
01/28/2004 10:03 PM 488 logonui.exe.manifest
01/28/2004 10:03 PM 488 WindowsLogon.manifest
01/28/2004 10:03 PM 749 wuaucpl.cpl.manifest
01/28/2004 10:03 PM 749 cdplayer.exe.manifest
01/28/2004 10:03 PM 749 sapi.cpl.manifest
01/28/2004 10:03 PM 749 nwc.cpl.manifest
01/28/2004 10:03 PM 749 ncpa.cpl.manifest
01/28/2004 09:30 PM <DIR> dllcache
8 File(s) 8,933 bytes
1 Dir(s) 3,106,775,040 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/23/2001 12:00 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 3,106,758,656 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3A171278-78A9-44E8-84BC-B0A3289C0D08}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Explorer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\h40q0ed5eh0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
g4lm0e~1.dll Mon Jan 3 2005 5:59:58a ..S.R 225,714 220.42 K
hr8805~1.dll Mon Jan 3 2005 10:03:18p ..S.R 224,405 219.14 K
irp0l5~1.dll Mon Jan 3 2005 10:10:08p ..S.R 224,595 219.33 K
k0080a~1.dll Mon Jan 3 2005 4:59:16a ..S.R 225,177 219.90 K
m082la~1.dll Mon Jan 3 2005 6:10:52a ..S.R 222,848 217.63 K
h40q0e~1.dll Mon Jan 3 2005 9:55:34p ..S.R 223,520 218.28 K

6 items found: 6 files, 0 directories.
Total of file sizes: 1,346,259 bytes 1.28 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\system32\sbissb.dll: updates.qoologic.com
C:\WINDOWS\system32\ioliio.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\qrvqqr.exe: .aspack
C:\WINDOWS\system32\gbwggb.dat: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ftkfft.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"HPHmon04"="C:\\WINDOWS\\System32\\hphmon04.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Narrator"="C:\\WINDOWS\\system32\\qrvqqr.exe"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap

« on: January 03, 2005, 11:54:35 PM »

Below is the new Findit log from the updated version. I will follow your instructions and post the 2 logs, hijack and findit, following the procedure.

Thanks again,
Jim

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\tmp\Find It NT-2K-XP

------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

01/03/2005 09:35 PM 223,016 j6j6lg1s16.dll
01/03/2005 06:01 PM 224,867 hr4u05h9e.dll
01/03/2005 06:10 AM 222,848 m082lalo1dqc.dll
01/03/2005 05:59 AM 225,714 g4lm0e31eh.dll
01/03/2005 04:59 AM 225,177 k0080adued080.dll
01/28/2004 11:17 PM <DIR> Microsoft
01/28/2004 09:30 PM <DIR> dllcache
5 File(s) 1,121,622 bytes
2 Dir(s) 3,107,962,880 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/06/2004 09:15 AM 4,212 zllictbl.dat
01/28/2004 10:03 PM 488 logonui.exe.manifest
01/28/2004 10:03 PM 488 WindowsLogon.manifest
01/28/2004 10:03 PM 749 wuaucpl.cpl.manifest
01/28/2004 10:03 PM 749 cdplayer.exe.manifest
01/28/2004 10:03 PM 749 sapi.cpl.manifest
01/28/2004 10:03 PM 749 nwc.cpl.manifest
01/28/2004 10:03 PM 749 ncpa.cpl.manifest
01/28/2004 09:30 PM <DIR> dllcache
8 File(s) 8,933 bytes
1 Dir(s) 3,107,954,688 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/23/2001 12:00 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 3,107,938,304 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3A171278-78A9-44E8-84BC-B0A3289C0D08}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr4u05h9e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
g4lm0e~1.dll Mon Jan 3 2005 5:59:58a ..S.R 225,714 220.42 K
hr4u05~1.dll Mon Jan 3 2005 6:01:10p ..S.R 224,867 219.59 K
k0080a~1.dll Mon Jan 3 2005 4:59:16a ..S.R 225,177 219.90 K
j6j6lg~1.dll Mon Jan 3 2005 9:35:36p ..S.R 223,016 217.79 K
m082la~1.dll Mon Jan 3 2005 6:10:52a ..S.R 222,848 217.63 K

5 items found: 5 files, 0 directories.
Total of file sizes: 1,121,622 bytes 1.07 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\system32\sbissb.dll: updates.qoologic.com
C:\WINDOWS\system32\ioliio.dll: updates.qoologic.com

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\system32\qrvqqr.exe: .aspack
C:\WINDOWS\system32\gbwggb.dat: .aspack
C:\WINDOWS\system32\ntdll.dll: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\ftkfft.exe: .aspack

----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"HPHmon04"="C:\\WINDOWS\\System32\\hphmon04.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Narrator"="C:\\WINDOWS\\system32\\qrvqqr.exe"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap

« on: January 03, 2005, 09:52:26 PM »

Ok, I did everything except for 1 task: run hijackthis 1.99 to generate a log. It crashed everytime i tried to (tried a million times, even in safe mode).

There was only one .dat modified since the problem, it is called gbwggb.dat.

Here is a list of the logs in the order requested:

CompareDLL:

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\g4lm0e~1.dll Mon Jan 3 2005 5:59:58a ..S.R 225,714 220.42 K
C:\WINDOWS\SYSTEM32\lv6409~1.dll Mon Jan 3 2005 5:31:26p ..S.R 222,991 217.76 K
C:\WINDOWS\SYSTEM32\hr4u05~1.dll Mon Jan 3 2005 6:01:10p ..S.R 224,867 219.59 K
C:\WINDOWS\SYSTEM32\k0080a~1.dll Mon Jan 3 2005 4:59:16a ..S.R 225,177 219.90 K
C:\WINDOWS\SYSTEM32\m082la~1.dll Mon Jan 3 2005 6:10:52a ..S.R 222,848 217.63 K
________________________________________________

1,278 items found: 1,278 files (5 H/S), 0 directories.
Total of file sizes: 260,314,012 bytes 248.25 M

Administrator Account = True

--------------------End log---------------------

FINDIT

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

01/03/2005 06:01 PM 224,867 hr4u05h9e.dll
01/03/2005 05:31 PM 222,991 lv6409jqe.dll
01/03/2005 06:10 AM 222,848 m082lalo1dqc.dll
01/03/2005 05:59 AM 225,714 g4lm0e31eh.dll
01/03/2005 04:59 AM 225,177 k0080adued080.dll
01/28/2004 11:17 PM <DIR> Microsoft
01/28/2004 09:30 PM <DIR> dllcache
5 File(s) 1,121,597 bytes
2 Dir(s) 3,106,258,944 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/06/2004 09:15 AM 4,212 zllictbl.dat
01/28/2004 10:03 PM 488 logonui.exe.manifest
01/28/2004 10:03 PM 488 WindowsLogon.manifest
01/28/2004 10:03 PM 749 wuaucpl.cpl.manifest
01/28/2004 10:03 PM 749 cdplayer.exe.manifest
01/28/2004 10:03 PM 749 sapi.cpl.manifest
01/28/2004 10:03 PM 749 nwc.cpl.manifest
01/28/2004 10:03 PM 749 ncpa.cpl.manifest
01/28/2004 09:30 PM <DIR> dllcache
8 File(s) 8,933 bytes
1 Dir(s) 3,106,250,752 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is 38DC-D16F

Directory of C:\WINDOWS\System32

08/23/2001 12:00 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 3,106,234,368 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{3A171278-78A9-44E8-84BC-B0A3289C0D08}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Unimodem]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv6409jqe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

---------------- Xfind Results -----------------

C:\WINDOWS\System32\LV6409~1.DLL +++ File read error

-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
g4lm0e~1.dll Mon Jan 3 2005 5:59:58a ..S.R 225,714 220.42 K
lv6409~1.dll Mon Jan 3 2005 5:31:26p ..S.R 222,991 217.76 K
hr4u05~1.dll Mon Jan 3 2005 6:01:10p ..S.R 224,867 219.59 K
k0080a~1.dll Mon Jan 3 2005 4:59:16a ..S.R 225,177 219.90 K
m082la~1.dll Mon Jan 3 2005 6:10:52a ..S.R 222,848 217.63 K

5 items found: 5 files, 0 directories.
Total of file sizes: 1,121,597 bytes 1.07 M

RUNKEY2 - All.txt

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"HPHmon04"="C:\\WINDOWS\\System32\\hphmon04.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Narrator"="C:\\WINDOWS\\system32\\qrvqqr.exe"
"VBundleOuterDL"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

REGEDIT4

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu]
@="{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido]
@="{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\stmsst]
@="{60fd7959-bcfe-455c-a70c-81a47420dbc0}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR]
@="{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail]
@="{5464D816-CF16-4784-B9F3-75C0DB52B499}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
@="Start Menu Pin"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu]
@="{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ewido]
@="{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\stmsst]
@="{60fd7959-bcfe-455c-a70c-81a47420dbc0}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR]
@="{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Yahoo! Mail]
@="{5464D816-CF16-4784-B9F3-75C0DB52B499}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
@="Start Menu Pin"

HijackThis Startup -LOG

StartupList report, 1/3/2005, 7:39:19 PM
StartupList version: 1.52.2
Started from : C:\Program Files\hi\Hijackthis.exe.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\qrvqqr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Notepad.exe
C:\Program Files\hi\Hijackthis.exe.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\james sosby\Start Menu\Programs\Startup]
Reboot.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
Trojan Guarder Gold Version.lnk = C:\Program Files\Trojan Guarder Gold Version\Trojan Guarder.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
InCD = C:\Program Files\Ahead\InCD\InCD.exe
HPHUPD04 = "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
HPHmon04 = C:\WINDOWS\System32\hphmon04.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
Omnipage = C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
VBundleOuterDL = C:\Program Files\VBouncer\BundleOuter.EXE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Spyware Doctor = "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = Notepad.exe %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Task Scheduler jobs:

HP Usg Daily.job
HP Usg Login.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[iNotes Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\inotes.dll
CODEBASE = https://webmail.hudoig.gov/iNotes.cab

[iNotes6 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\inotes6.dll
CODEBASE = https://webmail.hudoig.gov/iNotes6.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8014.8156018518

[{B9191F79-5613-4C76-AA2A-398534BB8999}]
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
ewido security suite guard: C:\Program Files\ewido\security suite\ewidoguard.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HPFECP06: \SystemRoot\System32\drivers\HPFECP06.SYS (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 10,692 bytes
Report generated in 0.400 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Not included : Hijackthis log (1.99 crashes)

Thanks again,
Jim

PS I should be back in 2 hours or so, if you are unable to post anything tonight, i understand, i will be around all day tomorrow working on this. Thanks again

Pages: [1]

TheTechGuide Forum

News:

Show Posts

Messages - jim4299

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap

Tech Clinic / cws.bootconf, cws.svchost32, and other trojan crap