HJT Log/Find-It Log for another CoolWWWSearch.Bootconf et al

AphJN · #1 (**permalink**) 14-12-2004, 02:46 PM

Logfile of HijackThis v1.98.2
Scan saved at 7:47:02 AM, on 12/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\WebDrive\wdservice.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Castelle\FaxPress\FaxTray.Exe
C:\Program Files\Castelle\FaxPress\ExCnvt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\WebDrive\webdrive.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\UTIL\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [CstlFaxTray] C:\Program Files\Castelle\FaxPress\FaxTray.Exe /s
O4 - HKLM\..\Run: [FPEXCNVT] C:\Program Files\Castelle\FaxPress\ExCnvt.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [WebDriveTray] C:\Program Files\WebDrive\webdrive.exe /trayicon
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {317D68ED-6970-4BCB-9A79-B1B36B1BEDB7} (Jetnet Registration Control) - http://www.jetnet.com/jetnetweb/Jetn...terControl.CAB
O16 - DPF: {45DA3DB2-A997-4953-A591-23A64CCB2813} (Evolution_Report_Viewer.ReportViewer) - http://www.jetnet.com/jetnetweb/ReportViewer.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093267748162
O16 - DPF: {8E9B93D0-1DFA-4479-BA5B-D56865EFBA3B} (EvolutionLocalControl.NoteViewer) - http://www.jetnet.com/jetnetweb/Evol...calControl.CAB
O16 - DPF: {F64F4A04-338E-4888-BD35-0BC81D01431D} (RegisterAssist Class) - http://jetnet3/DartRegisterAssist.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jetnetmain.local
O17 - HKLM\Software\..\Telephony: DomainName = jetnetmain.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A538D89-CEF7-4FB1-B77F-034D5F0034C2}: NameServer = 128.1.21.50
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jetnetmain.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jetnetmain.local

-------------------------------------------------------------------------
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C is ADMNPC10_C
Volume Serial Number is 884A-3584

Directory of C:\WINDOWS\System32

12/14/2004 07:34 AM 224,307 guard.tmp
12/13/2004 02:35 PM 224,416 lv0m09d1e.dll
12/13/2004 02:29 PM 226,041 m4lsle371h.dll
11/05/2004 02:46 PM <DIR> dllcache
02/27/2004 08:11 AM 32 {C54A7EC5-D53E-4183-97F3-60C2668A023A}.dat
02/27/2004 08:11 AM 32 {5C0D5F6A-BCDA-4E46-9339-E687F00E46EE}.dat
02/27/2004 08:10 AM 32 {09588D3E-F962-4DA1-898E-D143D26495A4}.dat
02/26/2004 03:15 PM <DIR> Microsoft
6 File(s) 674,860 bytes
2 Dir(s) 31,331,221,504 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C is ADMNPC10_C
Volume Serial Number is 884A-3584

Directory of C:\WINDOWS\System32

11/05/2004 02:46 PM <DIR> dllcache
02/27/2004 08:11 AM 32 {C54A7EC5-D53E-4183-97F3-60C2668A023A}.dat
02/27/2004 08:11 AM 32 {5C0D5F6A-BCDA-4E46-9339-E687F00E46EE}.dat
02/27/2004 08:10 AM 32 {09588D3E-F962-4DA1-898E-D143D26495A4}.dat
01/01/2002 02:54 PM 488 logonui.exe.manifest
01/01/2002 02:54 PM 488 WindowsLogon.manifest
01/01/2002 02:54 PM 749 wuaucpl.cpl.manifest
01/01/2002 02:54 PM 749 nwc.cpl.manifest
01/01/2002 02:54 PM 749 sapi.cpl.manifest
01/01/2002 02:54 PM 749 ncpa.cpl.manifest
01/01/2002 02:54 PM 749 cdplayer.exe.manifest
10 File(s) 4,817 bytes
1 Dir(s) 31,331,209,216 bytes free

---------- Files Named "Guard" -------------

Volume in drive C is ADMNPC10_C
Volume Serial Number is 884A-3584

Directory of C:\WINDOWS\System32

12/14/2004 07:34 AM 224,307 guard.tmp
1 File(s) 224,307 bytes
0 Dir(s) 31,331,209,216 bytes free

--------- Temp Files in System32 Directory --------

Volume in drive C is ADMNPC10_C
Volume Serial Number is 884A-3584

Directory of C:\WINDOWS\System32

12/14/2004 07:34 AM 224,307 guard.tmp
1 File(s) 224,307 bytes
0 Dir(s) 31,331,209,216 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Internet Settings\User Agent\Post Platform]
"{D8320C9E-70A9-4D74-9A23-5629F015086E}"=""

------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c, 00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c, 6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"DllName"="C:\\WINDOWS\\System32\\NavLogon.dll "
"StartShell"="NavStartShellEvent"
"Logoff"="NavLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hrjo0513e.dl l"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c, 6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c, 6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c, 6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEven t"
"Logoff"="UnregisterTicketExpiredNotificationEvent "
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

---------------- Xfind Results -----------------

C:\WINDOWS\System32\GUARD.TMP +++ File read error

-------------- Locate.com Results ---------------

C:\WINDOWS\SYSTEM32\
guard.tmp Tue Dec 14 2004 7:34:48a ..S.R 224,307 219.05 K
lv0m09~1.dll Mon Dec 13 2004 2:35:22p ..S.R 224,416 219.16 K
m4lsle~1.dll Mon Dec 13 2004 2:29:16p ..S.R 226,041 220.74 K

3 items found: 3 files, 0 directories.
Total of file sizes: 674,764 bytes 658.95 K
-------------------------------------------------------------------------
--- Search result list ---
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-329068152-1972579041-682003330-1282\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings\Zones\0\1004!=W=3
Common hijacker: Redirected host (Redirected host, nothing done)
Common hijacker: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Bootconf: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Loadbat: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Msconfd: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Oslogo: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Tapicfg: Redirected host (Redirected host, nothing done)
CoolWWWSearch.Xmlmimefilter: Redirected host (Redirected host, nothing done)
IGetNet: Redirected host (Redirected host, nothing done)
--- Spybot - Search && Destroy version: 1.3 ---
2004-11-29 Includes\Cookies.sbi
2004-12-01 Includes\Dialer.sbi
2004-12-02 Includes\Hijackers.sbi
2004-12-01 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-12-01 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2004-11-29 Includes\Revision.sbi
2004-11-29 Includes\Security.sbi
2004-12-01 Includes\Spybots.sbi
2003-03-16 Includes\Temporary.sbi
2004-11-29 Includes\Tracks.uti
2004-12-01 Includes\Trojans.sbi
================================================== ========

These logs were taken this morning. I have been researching and trying every possible fix I have found. Short of recovery consol, ripping the HD out or Formatting the HD, nothing I have tried has worked. Killbox doesnt even remove the 218kb files or guard.tmp. Please, any assistance you all can provide would be greatly appreciated. This computer really can not be reformated due to some very time consuming reinstalls. The other side is that I would like to know how to fix this without the destruction of the HD so that anyone else, and there will be, gets this mess. Again, Thank you very much for any and all assistance and help.

Andy

owen · #2 (**permalink**) 15-12-2004, 09:46 PM

Formatting the HDD is a bit drastic for the extra trouble it causes.

Could you post one of these logs:

Could you please download DLL Compare from here.

Click Run Locate.com.

When it says Completed scan, click Compare at the bottom. Let it do its thing.

Click Make a Log of what was found.

The logfile will be created and is called log.txt. It will be located in the same location as the DLLCompare file.

Paste the log back here.

AphJN · #3 (**permalink**) 16-12-2004, 01:49 PM

I have re-run Spybot and Ad-aware with latest defs and versions. In the process someone in their infinite wisdom decided to install SP2 (not an issue with me) and A square'd Guard something or other. She uses Orbitz' Sidesearch for travel arrangements so I can not get ride of that one.
Thank you for all your help.

Andy

Here is the DLLCompare log and another HJT with V 1.99

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\dn6801~1.dll Wed Dec 15 2004 8:43:52a ..S.R 224,806 219.54 K
C:\WINDOWS\SYSTEM32\irlql5~1.dll Tue Dec 14 2004 3:49:50p ..S.R 223,043 217.81 K
C:\WINDOWS\SYSTEM32\m4lsle~1.dll Mon Dec 13 2004 2:29:16p ..S.R 226,041 220.74 K
C:\WINDOWS\SYSTEM32\o6lu0g~1.dll Wed Dec 15 2004 9:24:22a ..S.R 224,806 219.54 K
________________________________________________

1,313 items found: 1,313 files (4 H/S), 0 directories.
Total of file sizes: 267,178,005 bytes 254.80 M

Administrator Account = True

--------------------End log---------------------

Logfile of HijackThis v1.99.0
Scan saved at 7:39:45 AM, on 12/16/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\WebDrive\wdservice.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Castelle\FaxPress\FaxTray.Exe
C:\Program Files\Castelle\FaxPress\ExCnvt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\WebDrive\webdrive.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\a2\a2guard.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\UTIL\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [CstlFaxTray] C:\Program Files\Castelle\FaxPress\FaxTray.Exe /s
O4 - HKLM\..\Run: [FPEXCNVT] C:\Program Files\Castelle\FaxPress\ExCnvt.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [WebDriveTray] C:\Program Files\WebDrive\webdrive.exe /trayicon
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [kalvsys] c:\windows\system32\kalvnnh32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {317D68ED-6970-4BCB-9A79-B1B36B1BEDB7} (Jetnet Registration Control) - http://www.jetnet.com/jetnetweb/Jetn...terControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jetnetmain.local
O17 - HKLM\Software\..\Telephony: DomainName = jetnetmain.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A538D89-CEF7-4FB1-B77F-034D5F0034C2}: NameServer = 128.1.21.50
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jetnetmain.local
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: WebDrive Service - Unknown - C:\Program Files\WebDrive\wdservice.exe
O23 - Service: VNC Server - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe

owen · #4 (**permalink**) 16-12-2004, 06:32 PM

Download the Pocket Killbox from here.

Unzip it and run the program.

Put a check in the Delete on Reboot box.

Enter each of these lines into the white box one by one and then press the red X button. If firsts asks to confirm the deletion after each entry is added and the red X is pressed, you need to click yes, but it also asks if you want to Reboot. Click No each time until the last entries been entered.

C:\WINDOWS\SYSTEM32\dn6801~1.dll
C:\WINDOWS\SYSTEM32\irlql5~1.dll
C:\WINDOWS\SYSTEM32\m4lsle~1.dll
C:\WINDOWS\SYSTEM32\o6lu0g~1.dll

When KillBox has rebooted your system, post a fresh log here.

AphJN · #5 (**permalink**) 17-12-2004, 08:08 PM

TPTB have wiped the drive and installed everything fresh. So this infection is now overwith. SP2 has been installed and an extra firewall was added (have a network FW for the company but they added another FW to her computer) I will keep monitoring to see when the automated fix is in. I was able to fix one of my researcher's PCs following Plan b (recovery consol) since I could take her's down with no impact to her work.

Andy

owen · #6 (**permalink**) 17-12-2004, 08:34 PM

Preventing it returning

After your problem has been resolved on the forum, it is an absoulute MUST to do the following steps to prevent the problem returning. Click on the link to get access to the software or webpage that I'm referring to.

1. Visit Windows Update
Pay a visit to Windows Update and scan for and download ALL Critical Updates and Service Packs. New updates are usually released monthly so check back to Windows Update every month.

2. Download Antivirus Software-
If you haven't already got Antivirus software, you should download and install AVG Antivirus. It is freeware and is updated nearly every 2 days (sometimes more frequently if there are a lot of new viruses) and in my opinion, is better than some Antivirus software such as Norton. Antivirus software will prevent viruses infecting your system and it is important that you update it every two days or every week at the most.

3. Download a Firewall-
If you haven't already got a firewall, it is Very important that you download one. Firewalls will prevent unauthorised access to your computer and stop data leaking out of your computer. You may think that it won't happen to you, but Hackers don't care who you are, what you do, where you live or what you had for tea last Sunday on your holiday in the Lake District, they want your data. Firewalls will keep these sneaks out and one of the best is Sygate Personal Firewall, which happens to be freeware.

4. Spyware Scanners-
It is important that as well as having real time spyware protection, you have a spyware scanning application. If you have not already been told to download one earlier in this thread, it is a good idea to download Spybot Search And Destroy and Ad-aware. They are both spyware scanners and will search for a remove spyware. It is recommended that you have both, because one will pick up entries that the other misses. It is even a good idea to download these if you have other programs such as ASE, Spysweeper, Pest Patrol, etc, because one spyware scanner will not pick up everything. Please remember to update your spyware scanners weekly/fortnightly.

5. Prevent Spyware slipping through Internet Explorer-
Quite a lot of spyware slips through Internet Explorer if your settings are not tight enough. Spyware Blaster will help you prevent spyware slipping through and installing tracking cookies. Simply run it via Start> Programs> Spyware Blaster and click Enable All Protection and it will protect you. It doesn't even have to be open! Remember to update weekly/fortnightly.

6. Constant Spyware Protection-
It is important to have constant spyware protection. Spyware Guard works like an antivirus program but detects Spyware instead. It will constantly protect your system. Check for updates monthly.

All Of these steps are very important and it is HIGHLY recommended that you download all of the programs mentioned for your own safety. Remember to Update everything (including Windows using Windows Update)! It is also a good idea to perform weekly/fortnightly scans with Spybot S&D, Ad-aware and your antivirus software.

And last of all, please remember, that common sense is your greatest tool. Without it, spyware and other related Malware would rule!