Author Topic: CWS Infection (Read 10076 times)

Masamune42 · « **on:** December 07, 2004, 10:53:08 PM »

Hi folks, I'm new around here, and I was wondering if I could get some help. I've got an issue with those CWS files that some other people here have reported dealing with. I can't seem to get them off my system.

SpyBot reports them as
CWS.Bootconf
CWS.Loadbat
CWS.Msconfd
CWS.Oslogo
CWS.Tapicfg
CWS.Xmlmimefilter

Same problem as others have reported. Not able to remove them through normal means. CWS.bootconf reappears instantly after CWS Shredder theoretically kills it. I've tried to follow through other threads here and on other forums that have dealt with this, but to no avail. Hopefully someone here can give me a hand.

I'm running a computer with Windows XP SP1 (SP2 makes my mouse not work, so that stays far away). I've got SpyBot, Ad-Aware, HijackThis, CWS Shredder, Kill2me, VX2finder, and KillBox installed. I'll post the Hijack This log in a bit. Please, I'm desperate to get this cleared up. If there's any other information I should post, let me know. Thanks in advance to anyone who helps!

Logfile of HijackThis v1.97.7
Scan saved at 11:02:44 PM, on 12/7/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\vkqrrc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} - http://download.microsoft.com/download/0/C...C4D/mp43dmo.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094141079170
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v6.cab

I know it's a little short, but that's all of it. There are some things in there (the O1's for example) that come back on reboot. Any advice?

guestolo · « **Reply #1 on:** December 08, 2004, 12:17:13 AM »

Sorry Masamune42, I just popped in to see that you have a new nasty infection

Let's get some tools to identify the hijacker

I also need you to disable Spybot's TeaTimer and Spyware Guard until we are done
I may not see your response until tomorrow, but do what you can

Open Spybot>>Click Mode>>Advanced Mode>>Tools>>System Startup
Uncheck
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
and
C:\Program Files\SpywareGuard\sgmain.exe

Restart your computer afterwards to ensure there not running

Download a few tools please
Download Findit.zip
Unzip the contents to your desktop
Double click on Find.bat, a new text document should open
Copy and Paste the Whole contents back here
After that close out the text document and hit a key on your keyboard to exit find.bat

Download and save to desktop VX2 Finder (126)
Open VX2 Finder and press the "Click to Find VX2.BetterInternet
Press the "Make log"
Copy and paste the entire contents of the log back here

Can you Download DLLCompare

Start the Program and click the Run Locate.com
Default settings should work---C:\Windows\System32 directory
Let it complete the SCAN, which won't take long
Click the Compare button to start the next process.This will take a bit longer.

When it's done click the Make a log of what was found button and post it back here

We need the above tools to help identify the hijacker and then we can go from there

Could you also delete your copy of Hijackthis and download the newest version
Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT

Now you will have C:\HJT

Download Hijackthis from HERE or HERE
Save it to that new folder

Do a SCAN----Scan will change to SAVE LOG----copy and paste the WHOLE contents of the log
here... Don't try and fix anything yet----It is all important

If you can post back all those logs I'll have a chance to look at them tomorrow

If you post them back tomorrow sometime, try not restarting your computer again until we have applied a fix, this may cause some files to be added for removal

Masamune42 · « **Reply #2 on:** December 08, 2004, 11:29:15 PM »

Hi Guestolo, I really appreciate your attempt to help. Thanks for your time.
I made the changes to my system you told me to. Here are the log files you asked for:

FindIt:

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

12/07/2004 10:37 PM <DIR> dllcache
12/05/2004 11:55 PM 512 Yfl8.cu6
11/30/2004 01:54 PM 7,305 mvhkr.log
11/29/2004 09:03 AM 389,120 l?ass.exe
11/27/2004 06:14 AM 29,696 appbj.exe
11/15/2004 08:46 PM 56,320 xciqe.dll
11/15/2004 07:24 AM 3,347 ewzpt.txt
11/12/2004 02:14 AM 7,305 ipmyy.dat
11/11/2004 08:49 AM 3,347 tryrm.dat
09/02/2004 10:09 AM 488 WindowsLogon.manifest
09/02/2004 10:09 AM 488 logonui.exe.manifest
09/02/2004 10:09 AM 749 cdplayer.exe.manifest
09/02/2004 10:09 AM 749 wuaucpl.cpl.manifest
09/02/2004 10:09 AM 749 sapi.cpl.manifest
09/02/2004 10:09 AM 749 nwc.cpl.manifest
09/02/2004 10:09 AM 749 ncpa.cpl.manifest
15 File(s) 501,673 bytes
1 Dir(s) 54,067,716,096 bytes free
Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

07/16/2003 03:25 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 54,067,712,000 bytes free
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\ShellScrap]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mvl2l93o1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

VX2 Finder:

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
igfxcui
ScCertProp
Schedule
sclgntfy
SensLogn
ShellScrap
termsrv
wlballoon

Guardian Key--- is called:

User Agent String---
{03436F64-12CC-486B-82B5-6E1D8717A291}

Now, I might be doing something wrong, but CompareDLL doesn't seem to be
working. When I hit 'Run Locate.com' I get the following message titled "16
bit MS-DOS Subsystem" that says "C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications.
Choose 'Close' to terminate the application." That strikes me as bad. Am I doing something wrong here?

And here's the HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 11:36:38 PM, on 12/8/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\vkqrrc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: SpywareGuard.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM
Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094141079170
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v6.cab

I'll try not to restart the computer until tomorrow night, but it seems to
have developed a fun tendency to reboot itself randomly. So we'll just hope
it behaves. Thank you.

Masamune42 · « **Reply #3 on:** December 08, 2004, 11:31:38 PM »

Double Post. Sorry.

guestolo · « **Reply #4 on:** December 08, 2004, 11:32:24 PM »

Just checked in and saw your reply, can I please see the DllCompare log too, thanks

guestolo · « **Reply #5 on:** December 08, 2004, 11:51:36 PM »

Just reread what you posted about DLLCompare
Try this from Microsoft to fix the files
http://support.microsoft.com/default.aspx?...kb;en-us;324767

guestolo · « **Reply #6 on:** December 09, 2004, 12:10:18 AM »

If you can't possibly get DllCompare to run
Could you download this version of Findit.Zip
Again, extract to desktop
Double click on Find.bat, a new text document should open---Give this time to complete It's scan, even if you see File not found
Copy and Paste the Whole contents back here

I prefer to see this version of Findit.zip with the Dllcompare, but do what you can

Masamune42 · « **Reply #7 on:** December 09, 2004, 07:22:50 PM »

Ahh... excellent, the fix you linked me to appears to have worked perfectly.

Here's the log from CompareDLL:

* DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\azau0g~1.dll Wed Dec 8 2004 11:10:54p ..S.R 223,958 218.71 K
C:\WINDOWS\SYSTEM32\en0ml1~1.dll Tue Dec 7 2004 9:02:06p ..S.R 224,333 219.07 K
C:\WINDOWS\SYSTEM32\en6ml1~1.dll Wed Dec 8 2004 11:20:36p ..S.R 222,686 217.46 K
C:\WINDOWS\SYSTEM32\gprml3~1.dll Wed Dec 8 2004 11:28:06p ..S.R 225,118 219.84 K
C:\WINDOWS\SYSTEM32\mvl2l9~1.dll Wed Dec 8 2004 11:17:36p ..S.R 223,925 218.68 K
C:\WINDOWS\SYSTEM32\xciqe.dll Mon Nov 15 2004 8:46:02p A.SH. 56,320 55.00 K
________________________________________________

1,302 items found: 1,302 files (6 H/S), 0 directories.
Total of file sizes: 265,303,622 bytes 253.01 M

Administrator Account = True

--------------------End log---------------------

guestolo · « **Reply #8 on:** December 10, 2004, 12:04:49 AM »

Sorry for the delay, been busy

Download Pocket Killbox from here:
http://www.downloads.subratam.org/KillBox.zip
Unzip the files to the folder of your choice.

Disconnect from the Internet completely
Double-click on Killbox.exe to run it

click on Tools->Delete Temp Files

When that finishes, copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those in a minute:

C:\WINDOWS\SYSTEM32\azau0g~.dll

C:\WINDOWS\SYSTEM32\en0ml1~1.dll

C:\WINDOWS\SYSTEM32\en6ml1~1.dll

C:\WINDOWS\SYSTEM32\gprml3~1.dll

C:\WINDOWS\SYSTEM32\mvl2l9~1.dll

C:\WINDOWS\SYSTEM32\Guard.tmp

For the files that it either couldn't find or couldn't delete, run killbox again, but this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No" until after you've pasted the last file name, at which time you should answer "Yes".

When it reboots
Do another scan with Hijackthis and put a check next to these entries
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

O15 - Trusted Zone: *.frame.crazywinnings.com[/b]

After you have ticked the above entries, close down all other open windows, including this one, leave Hijackthis open
Click FIX CHECKED
YES and exit hijackthis
Restart your computer one more time

Please post a new DllCompare log and a new Hijack This log.

Could you also post a new Findit.bat that I requested in my last post, thanks

Masamune42 · « **Reply #9 on:** December 10, 2004, 07:07:15 PM »

Alright, well, looking at the HJT log, we might be making some progress here, although that Trusted Site problem is still there. Anyways, here are the logs...

DLL Compare:

* DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\xciqe.dll Mon Nov 15 2004 8:46:02p A.SH. 56,320 55.00 K
________________________________________________

1,297 items found: 1,297 files (1 H/S), 0 directories.
Total of file sizes: 264,183,602 bytes 251.94 M

Administrator Account = True

--------------------End log---------------------

Hijack This:

Logfile of HijackThis v1.98.2
Scan saved at 7:11:53 PM, on 12/10/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\vkqrrc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\DllCompare.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: SpywareGuard.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094141079170
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v6.cab

And finally, the new Findit.bat:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

12/07/2004 10:37 PM <DIR> dllcache
12/05/2004 11:55 PM 512 Yfl8.cu6
11/30/2004 01:54 PM 7,305 mvhkr.log
11/29/2004 09:03 AM 389,120 l?ass.exe
11/27/2004 06:14 AM 29,696 appbj.exe
11/15/2004 08:46 PM 56,320 xciqe.dll
11/15/2004 07:24 AM 3,347 ewzpt.txt
11/12/2004 02:14 AM 7,305 ipmyy.dat
11/11/2004 08:49 AM 3,347 tryrm.dat
09/02/2004 10:01 AM <DIR> Microsoft
8 File(s) 496,952 bytes
2 Dir(s) 54,772,707,328 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

12/07/2004 10:37 PM <DIR> dllcache
12/05/2004 11:55 PM 512 Yfl8.cu6
11/30/2004 01:54 PM 7,305 mvhkr.log
11/29/2004 09:03 AM 389,120 l?ass.exe
11/27/2004 06:14 AM 29,696 appbj.exe
11/15/2004 08:46 PM 56,320 xciqe.dll
11/15/2004 07:24 AM 3,347 ewzpt.txt
11/12/2004 02:14 AM 7,305 ipmyy.dat
11/11/2004 08:49 AM 3,347 tryrm.dat
09/02/2004 10:09 AM 488 WindowsLogon.manifest
09/02/2004 10:09 AM 488 logonui.exe.manifest
09/02/2004 10:09 AM 749 cdplayer.exe.manifest
09/02/2004 10:09 AM 749 wuaucpl.cpl.manifest
09/02/2004 10:09 AM 749 sapi.cpl.manifest
09/02/2004 10:09 AM 749 nwc.cpl.manifest
09/02/2004 10:09 AM 749 ncpa.cpl.manifest
15 File(s) 501,673 bytes
1 Dir(s) 54,772,707,328 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

07/16/2003 03:25 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 54,772,707,328 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{03436F64-12CC-486B-82B5-6E1D8717A291}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gprml3911.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

---------------- Xfind Results -----------------

-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
appbj.exe Sat Nov 27 2004 6:14:38a A.SH. 29,696 29.00 K
ewzpt.txt Mon Nov 15 2004 7:24:18a A.SH. 3,347 3.27 K
ipmyy.dat Fri Nov 12 2004 2:14:40a A.SH. 7,305 7.13 K
lass~1.exe Mon Nov 29 2004 9:03:24a ..SHR 389,120 380.00 K
mvhkr.log Tue Nov 30 2004 1:54:30p A.SH. 7,305 7.13 K
tryrm.dat Thu Nov 11 2004 8:49:34a A.SH. 3,347 3.27 K
xciqe.dll Mon Nov 15 2004 8:46:02p A.SH. 56,320 55.00 K
yfl8.cu6 Sun Dec 5 2004 11:55:28p ..SH. 512 0.50 K

8 items found: 8 files, 0 directories.
Total of file sizes: 496,952 bytes 485.30 K

Again, thanks for all to the help to this point.

guestolo · « **Reply #10 on:** December 11, 2004, 09:29:40 PM »

I'm going to stick with this until we're done now, I have some time on my hands

Download and save to Desktop LSP FIX
http://www.cexx.org/lspfix.htm
Don't run this yet

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad, click FILE>>SAVE AS
Important>>Change the Save as Type to All Files.
Name the file as RemoveTrusted.reg
Save this file on the desktop, don't run it yet, this should help remove the 015 entry

Quote

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains][-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

We haven't completely gotten rid of this
The hijacker may have also corrupted your recycle bin
Right click the desktop and make a blank text file and try sending it to the recycle bin and let me know if it's working----Does the file show up there?

Use killbox again and
click on Tools->Delete Temp Files

When that finishes, copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those in a minute:

C:\WINDOWS\SYSTEM32\xciqe.dll

C:\\WINDOWS\system32\gprml3911.dll

C:\WINDOWS\System32\vkqrrc.exe

C:\WINDOWS\SYSTEM32\Guard.tmp

For the files that it either couldn't find or couldn't delete, run killbox again, but this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No" until after you've pasted the last file name, at which time you should answer "Yes".

When it reboots

Double click on RemoveTrusted.reg and allow it to merge to the registry

Open VX2 finder and click on "Click to Find VX2.Betterinternet"
When it's done scanning click on any of the highlighted buttons on the right
Click 'Guardian.reg'.
Click 'User Agent'.
Click 'Restore Policy'.

Do another scan with Hijackthis and put a check next to these entries

O15 - Trusted Zone: *.frame.crazywinnings.com

Let's fix the next ones too, may have been set by a Spyware protection software, you can enable again later if needed
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

After you ticked the above entries, close out all other open windows including this one, click FIX CHECKED

Open LSP fix
Disconnect from the Internet--Double click to run Lsp fix
Check "I know what I'm doing".
Then select all instances of calsp.dll (and nothing else) in the left pane,
click the arrow button to have them moved into the right hand panel.(The Removal Pane) Click Finish

Restart your computer

Post back a fresh hijackthis log, Dllcompare log and Findit log

Don't restart afterwards and I'll make sure I check back in as soon as I can

guestolo · « **Reply #11 on:** December 11, 2004, 09:41:29 PM »

Hi again, can you post back with this version of FindIt.bat
It's been updated again, a few tweaks and extended date range
Post the log from this tool, thanks

Removed link

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/rolleyes.gif\' class=\'bbc_emoticon\' alt=\':rolleyes:\' />

Masamune42 · « **Reply #12 on:** December 11, 2004, 11:21:16 PM »

Hi, I've just started on the latest instructions you left, including downloading the newest version on Findit.bat, but the link you provided is linking to SWI Forums. I registered with them and tried again, but I'm getting a message that reads "Sorry, but you do not have permission to use this feature. If you are not logged in, you may do so using the form below if available"

And I am logged in. Am I doing something wrong here?

guestolo · « **Reply #13 on:** December 11, 2004, 11:32:29 PM »

Very Sorry, Forgot you had to be signed up to the forum to get that link

Let me get it from another site
Right click on Findit.Zip and
Copy the Shortcut and paste it into the IE address bar and hit GO
Findit.Zip <--I removed link
try it from there and let me know how you make out

Masamune42 · « **Reply #14 on:** December 11, 2004, 11:52:34 PM »

Alright, more progress. Wonderful.

A couple of things to note, not sure how relevant some of them are.
First, I think you're right with your suspicion about the recycle bin, files just seem to be ceasing to exist, as opposed to actually going to the bin (and I did check the properties, it's not set to auto-delete anything that goes there). So I suspect that's a relevant issue. Glad you noticed that.
Secondly, the line "O15 - Trusted Zone: *.frame.crazywinnings.com" was missing from Hijack This, apparently that got removed somewhere along the lines, and I messed up posting a log file or something. Sorry about that.
Last, in VX2Finder, the option 'Guardian.reg' was grayed out and couldn't be clicked at any point.

Anyways, here are the resulting logs:

Hijack This:

Logfile of HijackThis v1.98.2
Scan saved at 11:54:56 PM, on 12/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\vkqrrc.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\devldr32.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: SpywareGuard.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094141079170
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v6.cab

Compare DLL:

* DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />"
________________________________________________

1,296 items found: 1,296 files, 0 directories.
Total of file sizes: 264,127,282 bytes 251.89 M

Administrator Account = True

--------------------End log---------------------

I'm guessing that's a good sign =)

Finally, the log from the new Findit program:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

12/07/2004 10:37 PM <DIR> dllcache
12/05/2004 11:55 PM 512 Yfl8.cu6
11/30/2004 01:54 PM 7,305 mvhkr.log
11/29/2004 09:03 AM 389,120 l?ass.exe
11/27/2004 06:14 AM 29,696 appbj.exe
11/15/2004 07:24 AM 3,347 ewzpt.txt
11/12/2004 02:14 AM 7,305 ipmyy.dat
11/11/2004 08:49 AM 3,347 tryrm.dat
09/02/2004 10:01 AM <DIR> Microsoft
7 File(s) 440,632 bytes
2 Dir(s) 54,777,151,488 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

12/07/2004 10:37 PM <DIR> dllcache
12/05/2004 11:55 PM 512 Yfl8.cu6
11/30/2004 01:54 PM 7,305 mvhkr.log
11/29/2004 09:03 AM 389,120 l?ass.exe
11/27/2004 06:14 AM 29,696 appbj.exe
11/15/2004 07:24 AM 3,347 ewzpt.txt
11/12/2004 02:14 AM 7,305 ipmyy.dat
11/11/2004 08:49 AM 3,347 tryrm.dat
09/02/2004 10:09 AM 488 WindowsLogon.manifest
09/02/2004 10:09 AM 488 logonui.exe.manifest
09/02/2004 10:09 AM 749 sapi.cpl.manifest
09/02/2004 10:09 AM 749 ncpa.cpl.manifest
09/02/2004 10:09 AM 749 cdplayer.exe.manifest
09/02/2004 10:09 AM 749 wuaucpl.cpl.manifest
09/02/2004 10:09 AM 749 nwc.cpl.manifest
14 File(s) 445,353 bytes
1 Dir(s) 54,777,143,296 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

07/16/2003 03:25 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 54,777,143,296 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gprml3911.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

---------------- Xfind Results -----------------

-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
appbj.exe Sat Nov 27 2004 6:14:38a A.SH. 29,696 29.00 K
ewzpt.txt Mon Nov 15 2004 7:24:18a A.SH. 3,347 3.27 K
ipmyy.dat Fri Nov 12 2004 2:14:40a A.SH. 7,305 7.13 K
lass~1.exe Mon Nov 29 2004 9:03:24a ..SHR 389,120 380.00 K
mvhkr.log Tue Nov 30 2004 1:54:30p A.SH. 7,305 7.13 K
tryrm.dat Thu Nov 11 2004 8:49:34a A.SH. 3,347 3.27 K
yfl8.cu6 Sun Dec 5 2004 11:55:28p ..SH. 512 0.50 K

7 items found: 7 files, 0 directories.
Total of file sizes: 440,632 bytes 430.30 K

guestolo · « **Reply #15 on:** December 12, 2004, 12:41:36 AM »

You may have another infection in your log too

This line came back
C:\WINDOWS\System32\vkqrrc.exe

Let's try some more cleanup and hopefully finish up the next time

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Save these instructions to a Notepad file on desktop

Again in Notepad

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
Name the file as fix.reg
Change the Save as Type to All Files.
Save this file on the desktop, well need this later, don't run it yet

Quote

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout]

Close out all Browser windows, stay disconnected from the Internet
Double click on fix.reg and allow it to merge to the registry

Open Killbox and follow the instructions for deleting these files

C:\WINDOWS\System32\vkqrrc.exe

C:\\WINDOWS\system32\gprml3911.dll

REBOOT when done

Back in Windows
Could you also Download and save to desktop ServiceFilter.zip
A script by rand1038 that reveals potential unauthorised running services in your system.
Unzip the contents to a folder
Double-click ServiceFilter.vbs, if you get a prompt from your Anti-Virus, Allow this tor run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.

Post back here a Fresh hijackthis log
Post_This.txt
Run VX2 finder and click to find Vx2.betterinternet and post log
Could you also post one more DLLCompare log to be safe

Before you post back you may want to try and repair the Recycle bin
It's corrupted from the Hijacker

Start->Run, type cmd and hit Enter
At the prompt, type the following:

cd\ [hit enter] <--on the keyboard
cd Recycler [Enter]
Del Desktop.ini [Enter]

REBOOT and try deleting a test blank file

If it's not fixed
Download the following reg file:

http://www.kellys-korner-xp.com/regs_edits...erecyclebin.reg

Save the download and double click to run.
Answer yes to reg merge prompt.
Reboot and test with blank file to see if fixed.

If not....

3.) Go to a Command Prompt

At the prompt, type the following:

cd\ [hit enter]
cd Recycler [Enter]
attrib -h info*.* [Enter]
Del info*.* [enter]

Then test if it's fixed.

If not,

4.) go back to a command prompt and type:

cd\ [hit enter]
attrib -h -s c:\recycler [Enter]
del c:\recycler [enter]

Reboot and test again with blank file.

Masamune42 · « **Reply #16 on:** December 12, 2004, 01:10:01 AM »

Interesting. I used one of the fixes (#4) to repair the recycle bin, and it worked like a charm. Until I rebooted, and then the problem returned. So it's not fixed permanently.

Also, you asked me to use KillBox to kill "gprml3911.dll", it can't seem to find that file. And "vkqrrc.exe" seems to come back on reboot.

Anyways, here are the four log files.

Hijack This:

Logfile of HijackThis v1.97.7
Scan saved at 1:14:36 AM, on 12/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\knftti.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: SpywareGuard.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {3334504D-9980-0010-8000-00AA00389B71} - http://download.microsoft.com/download/0/C...C4D/mp43dmo.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094141079170
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v6.cab

The Post_This file:

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Professional
Version: 5.1.2600
Dec 12, 2004 1:13:43 AM

===> Begin Service Listing <===

Unknown Service #1
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{28462489-2233-41a9-999e-5149e4de76a0}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 2
Service Name: ZESOFT
Display Name: ZESOFT
Start Mode: Auto
Start Name: LocalSystem
Description: ZESoft ...
Service Type: Own Process
Path: c:\windows\zeta.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service # 3
Service Name: %AFå¤¶À¨
Display Name: Workstation NetLogon Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\msrm32.exe /s
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 90 Win32 services on this machine.
3 were unrecognized.

Script Execution Time: 2.203125 seconds.

VX2:

Log for VX2.BetterInternet File Finder (msg126)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
igfxcui
OptimalLayout
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon

Guardian Key--- is called:

User Agent String---

And, finally, dll compare:

* DLLCompare Log version(1.0.0.97)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />"
________________________________________________

1,296 items found: 1,296 files, 0 directories.
Total of file sizes: 264,127,282 bytes 251.89 M

Administrator Account = True

--------------------End log---------------------

guestolo · « **Reply #17 on:** December 12, 2004, 02:43:39 AM »

Thought you had more nasties hiding

Download and Save to desktop Download to desktop About:Buster
by RubbeR Ducky
Unzip it to that new folder===Open About:Buster and Check for Updates
Don't run a Scan yet

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad click FILE>>>SAVE AS
Name the file as search.reg
Important>>>Change the Save as Type to All Files.
Save this file on the desktop, well need this later, don't run it yet

Quote

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA][-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

Save the rest of these instructions to a Notepad file on desktop

Disconnect after you updated About:Buster

Go to START>>RUN>>type in cmd and hit Enter
At the prompt type in
sc stop ZESOFT
Hit Enter and wait a bit
Then type
sc delete ZESOFT
Hit Enter

Exit out of there

Restart your computer in Safe Mode
You can do this by tapping the F8 key on the keyboard when your system is booting up

Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name----Workstation NetLogon Service <--exact service name
Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled

Find and delete this file
c:\windows\zeta.exe <--file
C:\WINDOWS\System32\vkqrrc.exe

Go to Start | Run and type regedit then click Ok.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and expand Services in the left pane. Look for any entries named as:

%AFå¤¶À¨ or Workstation NetLogon Service

If any are listed, right-click that entry in and choose Delete.

Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and expand Root in the Left Pane. Look for any entries like this:

LEGACY %AFå¤¶À¨ or LEGACY Workstation NetLogon Service

If any are listed, right-click the entry and choose Delete.

If you have trouble deleting a key. Then click once on the key name to highlight it and click on the Permission menu option under Security or Edit. Then Uncheck "Allow inheritible permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again
Exit out of reg editor

Navigate to About:Buster
Start About:Buster and hit ok. Now for the scanning part. Hit Start and then Ok. The program should start scanning.Scan a Second time.
Save the log to a convenient location, I will want to see it later. Then hit exit

Double click on search.reg you saved to desktop earlier
and Allow it to merge to the Registry

Restart your computer back to Normal Mode

Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page

Download HOSTER
Unzip it to it's own folder
Open Hoster and click the "Restore Original Hosts" and press "OK". Exit Program.

You may want to try another virus scan at Trend Micro's too

Hopefully that get's it all

Post back a Fresh Hijackthis log from version 1.98.2
Please don't use version 1.97.7
Also post back a fresh Findit.bat log

Guest · « **Reply #18 on:** December 12, 2004, 11:18:54 AM »

Wow, I like your comment that you're getting close to beating this thing.
The only issue I had with the last set of instructions was that I couldn't find an instance of c:\windows\zeta.exe

Anyways, here are the logs:

Hijack This (Correct version!)

Logfile of HijackThis v1.98.2
Scan saved at 11:23:40 AM, on 12/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\knftti.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: SpywareGuard.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094141079170
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v6.cab

Findit.bat:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

12/07/2004 10:37 PM <DIR> dllcache
12/05/2004 11:55 PM 512 Yfl8.cu6
11/30/2004 01:54 PM 7,305 mvhkr.log
11/29/2004 09:03 AM 389,120 l?ass.exe
11/27/2004 06:14 AM 29,696 appbj.exe
11/15/2004 07:24 AM 3,347 ewzpt.txt
11/11/2004 08:49 AM 3,347 tryrm.dat
09/02/2004 10:01 AM <DIR> Microsoft
6 File(s) 433,327 bytes
2 Dir(s) 54,780,399,616 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

12/07/2004 10:37 PM <DIR> dllcache
12/05/2004 11:55 PM 512 Yfl8.cu6
11/30/2004 01:54 PM 7,305 mvhkr.log
11/29/2004 09:03 AM 389,120 l?ass.exe
11/27/2004 06:14 AM 29,696 appbj.exe
11/15/2004 07:24 AM 3,347 ewzpt.txt
11/11/2004 08:49 AM 3,347 tryrm.dat
09/02/2004 10:09 AM 488 WindowsLogon.manifest
09/02/2004 10:09 AM 488 logonui.exe.manifest
09/02/2004 10:09 AM 749 sapi.cpl.manifest
09/02/2004 10:09 AM 749 nwc.cpl.manifest
09/02/2004 10:09 AM 749 cdplayer.exe.manifest
09/02/2004 10:09 AM 749 wuaucpl.cpl.manifest
09/02/2004 10:09 AM 749 ncpa.cpl.manifest
13 File(s) 438,048 bytes
1 Dir(s) 54,780,395,520 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is D05A-4984

Directory of C:\WINDOWS\System32

07/16/2003 03:25 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 54,780,395,520 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\gprml3911.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

---------------- Xfind Results -----------------

-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
appbj.exe Sat Nov 27 2004 6:14:38a A.SH. 29,696 29.00 K
ewzpt.txt Mon Nov 15 2004 7:24:18a A.SH. 3,347 3.27 K
lass~1.exe Mon Nov 29 2004 9:03:24a ..SHR 389,120 380.00 K
mvhkr.log Tue Nov 30 2004 1:54:30p A.SH. 7,305 7.13 K
tryrm.dat Thu Nov 11 2004 8:49:34a A.SH. 3,347 3.27 K
yfl8.cu6 Sun Dec 5 2004 11:55:28p ..SH. 512 0.50 K

6 items found: 6 files, 0 directories.
Total of file sizes: 433,327 bytes 423.17 K

And, finally, AboutBuster:

Scanned at: 11:18:29 AM on: 12/12/2004

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 20

No ADS found on system
Removed 4 Random Key Entries
Removed! : C:\WINDOWS\riwof.dll
Removed! : C:\WINDOWS\System32\ipmyy.dat
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 20

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

I'm going to go try and run Trend Micro's virus scan like you recommended, I'll post back how that goes (I also have an updated version of Norton 2004, perhaps I should give that a run too?)

Masamune42 · « **Reply #19 on:** December 12, 2004, 11:20:36 AM »

Whoops, yeah, that last post was me. Forgot that would happen.

News:

Author Topic: CWS Infection (Read 10076 times)

Guest