NetCog

coolwwwsearch.smartsearch and antispywarebox.com


Yesterday one of my users' laptops started getting the signs described in http://www.lavasoftsupport.com/index.php?showtopic=878 - the professional looking popups and semi-transparent alerts, accompanied by about:blank redirection to www. antispywarebox .com.

Google searching "antispywarebox" would redirect the browser to that website. Attempting to use trendmicro's online spyware scan would act normally (click on links, etc) until I click on the actual link to the spyware scan page which would then redirect to "antispywarebox .com".

 

I've followed the instructions on the three or four threads posted so far on the smit or lpo where applicable. I've done some manual removals of assorted keys and files/folders but have not yet run through the suggestions posted by the user "dom" found here: http://www.lavasoftsupport.com/index.php?showtopic=878&st=20

 

After running through the instructions on first page of the above referenced thread, I restarted and found that first explore.exe started w/ a cpu pegged and memory leak, I then ran spybot again maybe something else (it was late last night) then restarted to find iexplorer.exe having the same mem usage leak problem. Ultimately after a couple restarts and removal of some startup items it stopped being a problem. What was removed was "normal" - ipodservice, itunesservice, among similar plugins. I did remove 3 ig?x?????.exe processes from startup, one of which was igfxpers.exe, don't remember the others.

 

I am still having redirection despite being offline and trying to get a different starting page for IE.

Recent scans done today prior to posting:

Adaware - uptodate and clean

Windows Defender - uptodate and clean (p.s. had to connect to internet...the verification requiring net access is a sucky thing on an infected computer)

Spybot - uptodate and one result:

CoolWWWSearch.SmartSearch > C:\windows\system32\users32.exe

 

I have already removed this entry multiple times by Spybot, and by hand (directory and registry). I don't want to just create a limited permission placeholder as it won't solve the problem and I haven't been able to identify any other 'tag' for the infection.

 

I was using Symantec AV (enterprise ed) but have since uninstalled in case the process blocker was stopping my scanning tools, it had been throwing up alerts and "process blocked" messages. Will download AVG if necessary or might connect to network (network AV, router/firewalled) when I'm more convinced the main malware is gone. NOTE: PC has not been on the internet or network since AV was removed.

 

I am also running as many of these tools as possible from USB key. Adaware, Ewido, Spybot S&D, etc have been installed to infected computer.

 

I guess the first step is to now post HJ log....here goes...

Logfile of HijackThis v1.99.1

Scan saved at 10:07:27 AM, on 6/8/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

E:\tools\hj\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adb...//www.yahoo.com

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\system32\adobepnl.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114034937577

O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.ampackcorp.com/Remote/msrdp.cab

O16 - DPF: {8D95D14D-4AFB-4885-8BF1-FB09FD72FCD2} (eBLVD ActiveX Control) - https://www.eblvd.com/control/launcher/3.2/ebie.cab

O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.amtechsoftware.net/viewer/activ...tivexviewer.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AMPACKCORP.local

O17 - HKLM\Software\..\Telephony: DomainName = AMPACKCORP.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AMPACKCORP.local

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

O23 - Service: BQT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\tech\LOCALS~1\Temp\BQT.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

 

 

 

Upon review I do see

O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\system32\adobepnl.dll

Which is something referenced by user "dom", but I'm leaving it for now in case it's needed as a flag or reference point for a fix.

 

 

I am willing to go through the steps again, but the steps for BFU and Ediwo in SafeMode were completed yesterday. At no time did IE come up clean. A few times Spybot returned Clean.

NOTE: I don't know whether it's a result of no net connection or whether I've removed some bit of software but during most of this process there were no alerts or popups to get my computer scanned. Again, any popups or alerts were the very professional, nearly Microsoft-ian format including use of the Windows Security shield icon and Windows Security Center title.

 

[edit]

I scanned early on w/ cwshredder.

First it didn't find anything

Later it found 1 which was removed (around noon yesterday) - cws.yexe

I just scanned after re-reading my post and thinking "duh" - found cws.smartsearch and cws.msconfig

 

My next step would be to let CWShredder and Spybot do their jobs and clean the infection, but since I've posted here I'll wait to see if there's something else I should do first, especially as I've "cleaned" earlier and stuff is still surfacing and it's not acting like the other examples I've seen.


That BHO looks like a new nasty...I need to have you send me a copy to examine

 

Go here: http://www.thespykiller.co.uk/forum/index.php?board=1.0

to upload the file as an attachment

 

Just press new topic (Make the subject: For CalamityJane from NetCog at LS),

fill in a short message & then scroll down to the section that says "Attach", press the browse button and then navigate to & select this file on your computer,

If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the window, press *Post* to upload the files

 

 

File to upload named below in bold:

C:\WINDOWS\system32\adobepnl.dll

 

Press the *Post* button to upload the file

 

Note: You DO NOT need to be a member to upload, anybody can upload the files

 

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I will be able to collect it from there and will reply back to you here in your topic once I have a moment to examine the file.


And then if you could generate a log from this tool please:

Download Silent runners here (follow the instructions on that page)

http://www.silentrunners.org/sr_scriptuse.html

 

If you have antivirus script protection, please allow it (silentrunners.vbs) to run. While waiting, a box will say done.

Wait until there is an All Done message!! Then open and post the log next to it.


I will follow those instructions shortly.

 

To note:

http://cwshredder.net/cwshredder/cwschronicles.html#smartsearch

I found

c:\Windows\system32\users32.exe

 

Though not on the list I also found, might be legit files or might be infected they caught my eye due to similarities to the listed files on the above link:

system32\inetcfg.dll (also other similarly named)

system32\w32tm.exe (also other non-.exe files similarly named)

system32\win32k.sys

system32\win32spl.dll

system32\win32em.dll

system32\winmsd.exe

 

 

Silent Runner log

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]

"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]

"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]

"Synchronization Manager" = "C:\WINDOWS\system32\mobsync.exe /logon" [MS]

"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]

"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{5E8FA924-DEF0-4E71-8A82-A11CA0C1413B}\(Default) = "*b" (unwritable string)

-> {HKLM...CLSID} = "adobepnl.ADOBE_PANEL"

\InProcServer32\(Default) = "C:\WINDOWS\system32\adobepnl.dll" ["Laguna Media"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"

-> {HKLM...CLSID} = "Display Panning CPL Extension"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]

"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"

-> {HKLM...CLSID} = "RecordNow! SendToExt"

\InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Outlook File Icon Extension"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\MNIEZ2\Office\soa800.dll" [MS]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

-> {HKLM...CLSID} = "Portable Media Devices"

\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {HKLM...CLSID} = "Portable Media Devices Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"

-> {HKLM...CLSID} = "iTunes"

\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

-> {HKLM...CLSID} = "Shell Search Band"

\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"

-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

INFECTION WARNING! "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"

-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"

\InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~4\MpShHook.dll" [MS]

 

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]

INFECTION WARNING! IntelWireless\DLLName = "C:\Program Files\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"]

 

HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"

-> {HKLM...CLSID} = "Ctest Object"

\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]

 

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"

-> {HKLM...CLSID} = "Ctest Object"

\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\TonyS\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

 

 

Enabled Screen Saver:

---------------------

 

HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]

 

 

Startup items in "tonys" & "All Users" startup folders:

-------------------------------------------------------

 

C:\Documents and Settings\TonyS\Start Menu\Programs\Startup

"HotSync Manager" -> shortcut to: "C:\Program Files\Palm\HOTSYNC.EXE" ["Palm, Inc."]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

"Service Manager" -> shortcut to: "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n" [MS]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Explorer Bars

 

Dormant Explorer Bars in "View, Explorer Bar" menu

 

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

EvtEng, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

MSSQLSERVER, MSSQLSERVER, "C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe -sMSSQLSERVER" [MS]

RegSrvc, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]

Spectrum24 Event Monitor, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]

Windows Defender Service, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

WLANKEEPER, WLANKEEPER, "C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe" ["Intel® Corporation"]

 

 

Print Monitors:

---------------

 

HKLM\System\CurrentControlSet\Control\Print\Monitors\

HP Standard TCP/IP Port\Driver = "hptcpmon.dll" ["Hewlett Packard"]

LIDIL Language Monitor\Driver = "hpzll3xu.dll" ["Hewlett-Packard Company"]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

Microsoft Office Live Meeting Document Writer Monitor\Driver = "lmdimon.dll" [MS]

Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]

 

 

----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

took 43 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

took 8 seconds.

---------- (total run time: 67 seconds)

 

 

Thanks CJ


I haven't reviewed the SilentRunner's log yet, but this file you uploaded is definitely part of a new Smitfraud Hijacker. I'll get this submitted to all the various security companies for detection.

 

O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\system32\adobepnl.dll

 

Sophos added it to their definitions yesterday. See here (Advanced tab has more details)

Troj/SpyDldr-G

http://www.sophos.com/security/analyses/trojspydldrg.html

 

Troj/SpyDldr-G is a Trojan for the Windows platform.

 

The Trojan creates fake virus alerts and faux EXE files on the infected computer. The Trojan then alerts the presence of viral infections in the created EXE files.

 

Troj/SpyDldr-G downloads and installs a suite of adware and Trojan components from various sources.

 

Troj/SpyDldr-G may also create the following files, which may be deleted:

 

<Windows folder>\about_spyware_bg.gif (downloaded file - unavailable)

<Windows folder>\adware-sheriff-box.gif (harmless image file)

<Windows folder>\adware-sheriff-header.gif (harmless image file)

<Windows folder>\alexaie.dll (randomly generated content)

<Windows folder>\alxie328.dll (randomly generated content)

<Windows folder>\alxtb1.dll (randomly generated content)

<Windows folder>\antispylab-logo.gif (harmless image file)

<Windows folder>\blue-bg.gif (harmless image file)

<Windows folder>\BTGrab.dll (randomly generated content)

<Windows folder>\buy-now-btn.gif (harmless image file)

<Windows folder>\close-bar.gif (harmless image file)

<Windows folder>\corner-left.gif (harmless image file)

<Windows folder>\corner-right.gif (harmless image file)

<Windows folder>\dlmax.dll (randomly generated content)

<Windows folder>\facts.gif (harmless image file)

<Windows folder>\footer.gif (harmless image file)

<Windows folder>\free-scan-btn.gif (harmless image file)

<Windows folder>\h-line-gradient.gif (harmless image file)

<Windows folder>\header-bg.gif (harmless image file)

<Windows folder>\infected.gif (harmless image file)

<Windows folder>\info.gif (harmless image file)

<Windows folder>\no-icon.gif (harmless image file)

<Windows folder>\Pynix.dll (randomly generated content)

<Windows folder>\reg-freeze-box.gif (harmless image file)

<Windows folder>\reg-freeze-header.gif (harmless image file)

<Windows folder>\remove-spyware-btn.gif (harmless image file)

<Windows folder>\spyware-sheriff-box.gif (harmless image file)

<Windows folder>\spyware-sheriff-header.gif (harmless image file)

<Windows folder>\star-grey.gif (harmless image file)

<Windows folder>\star.gif (harmless image file)

<Windows folder>\susp.exe (randomly generated content)

<Windows folder>\true-stories.gif (harmless image file)

<Windows folder>\warning-bar-ico.gif (harmless image file)

<Windows folder>\win-sec-center-logo.gif (harmless image file)

<Windows folder>\windows-compatible.gif (harmless image file)

<Windows folder>\yes-icon.gif (harmless image file)

<Windows folder>\ZServ.dll (randomly generated content)

<Windows system folder>\a.exe (randomly generated content)

<Windows system folder>\adobepnl.dll (also detected as Troj/SpyDldr-G)

<Windows system folder>\alxres.dll (randomly generated content)

<Windows system folder>\bridge.dll (randomly generated content)

<Windows system folder>\dailytoolbar.dll (randomly generated content)

<Windows system folder>\jao.dll (randomly generated content)

<Windows system folder>\questmod.dll (randomly generated content)

<Windows system folder>\reger.exe (detected as Troj/FakeAle-H)

<Windows system folder>\runsrv32.dll (randomly generated content)

<Windows system folder>\runsrv32.exe (randomly generated content)

<Windows system folder>\tcpservice2.exe (randomly generated content)

<Windows system folder>\txfdb32.dll (randomly generated content)

<Windows system folder>\udpmod.dll (randomly generated content)

<Windows system folder>\users32.exe (also detected as Troj/SpyDldr-G)

<Windows system folder>\wstart.dll (randomly generated content)

 

where the files marked "randomly generated content" are meant to appear as legitimate program files yet are filled with harmless random data.

 

And detected at VirusTotal:

Complete scanning result of "adobepnl.dll", received in VirusTotal at 06.08.2006, 18:44:15 (CET).

 

Antivirus Version Update Result

AntiVir 6.35.0.10 06.08.2006 no virus found

Authentium 4.93.8 06.08.2006 no virus found

Avast 4.7.844.0 06.08.2006 no virus found

AVG 386 06.08.2006 no virus found

BitDefender 7.2 06.08.2006 no virus found

CAT-QuickHeal 8.00 06.08.2006 no virus found

ClamAV devel-20060426 06.08.2006 no virus found

DrWeb 4.33 06.08.2006 no virus found

eTrust-InoculateIT 23.72.31 06.07.2006 no virus found

eTrust-Vet 12.6.2248 06.08.2006 no virus found

Ewido 3.5 06.08.2006 no virus found

Fortinet 2.77.0.0 06.08.2006 no virus found

F-Prot 3.16f 06.08.2006 no virus found

Ikarus 0.2.65.0 06.08.2006 no virus found

Kaspersky 4.0.2.24 06.08.2006 no virus found

McAfee 4780 06.08.2006 no virus found

Microsoft 1.1441 06.08.2006 no virus found

NOD32v2 1.1586 06.08.2006 no virus found

Norman 5.90.21 06.08.2006 no virus found

Panda 9.0.0.4 06.08.2006 no virus found

Sophos 4.06.0 06.08.2006 Troj/SpyDldr-G

Symantec 8.0 06.08.2006 no virus found

TheHacker 5.9.8.156 06.08.2006 no virus found

UNA 1.83 06.08.2006 no virus found

VBA32 3.11.0 06.08.2006 no virus found

 

Additional Information

File size: 30720 bytes

MD5: 10fd22b01d8b0dde1fb330a80fb0b9d5

SHA1: ee6a846bf81167118d0ea59dee9ace2561d5804e

 

Give me a few minutes to check out the log you posted.


I don't see anything in the SilentRunner's log except the BHO and we can use Hijackthis to get rid of that.

 

Close all browsers and any open windows so that only Hijackthis is open.

Open HijackThis and do a *scan only*

 

When it finishes, checkmark this entry and then press the *fix checked* button

 

O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\system32\adobepnl.dll

 

Reboot the PC. Let me know if you see any remaining problems?


I think your Symantec AV is damaged. There should be a file next to this entry and it appears to be missing

 

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

 

I would recommend that you uninstall/reinstall the AV program to make sure it is working properly.
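An added example (not code from this thread, from HijackThis, or from CalamityJane): a small Python triage pass that automates the two checks made by eye in this thread, an O20 Winlogon Notify entry whose path has no DLL name, and O2/O20/O23 entries whose binary is named in the Sophos Troj/SpyDldr-G writeup quoted above. The sample log lines are copied from the HijackThis log posted earlier; the indicator set is assumed to be just the executable and DLL names from that writeup.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: HijackThis v1.99.1 lines copied from the log posted
# earlier in this thread; the NavLogon entry is the one with no DLL name.
SAMPLE_LOG = "\n".join([
    "O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll",
    "O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\\WINDOWS\\system32\\adobepnl.dll",
    "O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe",
    "O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxdev.dll",
    "O20 - Winlogon Notify: NavLogon - C:\\WINDOWS\\",
    "O23 - Service: EvtEng - Intel Corporation - C:\\Program Files\\Intel\\Wireless\\Bin\\EvtEng.exe",
])

# File names taken from the Sophos Troj/SpyDldr-G writeup quoted in this
# thread (the executable/DLL entries, not the decoy .gif images).
SPYDLDR_G_FILES = {
    "adobepnl.dll", "users32.exe", "reger.exe", "a.exe", "susp.exe",
    "runsrv32.dll", "runsrv32.exe", "tcpservice2.exe",
}

# Sections whose last " - " field is a binary path.
PATH_SECTIONS = ("O2", "O20", "O23")
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")


@dataclass
class Entry:
    kind: str            # HijackThis section tag, e.g. "O2", "O20", "O23"
    name: str            # display name inside the entry
    path: Optional[str]  # binary path, None for sections we do not split
    raw: str             # the original log line


@dataclass
class Finding:
    reason: str
    entry: Entry


def parse_hjt(text: str) -> List[Entry]:
    """Turn HijackThis log lines into Entry records; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind not in PATH_SECTIONS or " - " not in body:
            entries.append(Entry(kind, body, None, line))
            continue
        # "BHO: <name> - {CLSID} - <path>", "Winlogon Notify: <name> - <path>",
        # "Service: <name> - <company> - <path>": the path is the last field.
        head, path = body.rsplit(" - ", 1)
        name = head.split(": ", 1)[-1].split(" - ", 1)[0]
        entries.append(Entry(kind, name, path.strip(), line))
    return entries


def missing_binary(entry: Entry) -> bool:
    """True when the section should name a file but the path has no file
    name, e.g. 'C:\\WINDOWS\\' on the damaged NavLogon entry above."""
    return entry.path is not None and ntpath.basename(entry.path) == ""


def triage(text: str) -> List[Finding]:
    """Flag entries with no binary and entries whose binary is a known name."""
    findings = []
    for entry in parse_hjt(text):
        if entry.path is None:
            continue
        if missing_binary(entry):
            findings.append(Finding("missing binary", entry))
            continue
        if ntpath.basename(entry.path).lower() in SPYDLDR_G_FILES:
            findings.append(Finding("named in Sophos Troj/SpyDldr-G writeup", entry))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}] {f.entry.raw}")
```

A "missing binary" hit is what the NavLogon entry above produces; it tells you the product is damaged, not that it is malicious, which is why the advice here is to reinstall rather than delete.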


Stay tuned...I have a couple other researchers looking at this thread.

 

Did you run the SmitfraudFix tool? If not could you do so now and post the log from it:

 

Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

 

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

Note: process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

 

Reboot into Safe Mode

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

 

Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

 

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

 

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically please do it yourself manually.

 

........................................................

Next, a log from this tool would be helpful

 

* Download WinPFind http://www.bleepingcomputer.com/files/winpfind.php

* Right Click the Zip Folder and Select "Extract All"

* Extract it somewhere you will remember like the Desktop

* Dont do anything with it yet!

 

 

Reboot into Safe Mode

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

 

Doubleclick WinPFind.exe

 

* Now Click "Start Scan"

* It will scan the entire System, so please be patient!

* Once the Scan is Complete

o Reboot back to Normal Mode!

o Go to the WinPFind folder

o Locate WinPFind.txt

o Place those results in the next post!.


RE AV: yea, I had uninstalled it. The system is set up so everything is run from the server; all options are disabled on the client, so "allowing scripts" or letting the scanners do a complete job by disabling the AV alerts didn't appear to be an option either.

 

 

RE System: Well so far so good. IE opens up as it should.

 

I used HJ to delete the adobepnl file and manually deleted users32.exe.

I have since reinstalled AV, scanned, and no problems

The machine does not appear to have any further problems.

 

 

RE smitfraudfix: That was one of the first things I did, don't remember the results.

 

 

RE winpfind: Do you still want me to do this?


Hello all,

 

I am having the EXACT same issue as the poster. I will do the same fix when I get home and report my results as well.

 

The scenario is exactly the same - same popups - same processes running.

 

If need be I will post my HJT log in a new thread if my system is not resolved in the same manner.

 

You are not alone!

 

It is frustrating when all the cleanings from cwshredder and spybot are shortlived as well as other main commercial AV scanners never finding this issue!

 

I will add my findings when I get home later today.

 

Awesome work CalamityJane! Your boss has gotta give you a raise. You are going above and beyond for us all.

 

p.s. I have done smitfraudFix as well to no avail.


Tolan, I really need a copy of the users32.exe so we can submit it to the Antispyware companies for detection and cure. I have the BHO but need the exe. Please do this for me

 

Go here: http://www.thespykiller.co.uk/forum/index.php?board=1.0

to upload the file as an attachment

 

Just press New Topic (make the subject: For CalamityJane from Tolan at LS),

fill in a short message, then scroll down to the section that says "Attach", press the Browse button and navigate to and select this file on your computer.

If there is more than one file, press the More Attachments button for each extra file and browse and select it; when all the files are listed in the window, press *Post* to upload the files.

 

File to upload named below in bold:

 

C:\WINDOWS\system32\users32.exe

 

Press the *Post* button to upload the file

 

Note: You DO NOT need to be a member to upload, anybody can upload the files

 

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I will be able to collect it from there and will reply back to you here in your topic once I have a moment to examine the file.

 

And then yes, start your own new topic as there may be extra entries to deal with as well. Each victim of this has had some transponder and other different files too.


I guess I will run that winpfind...

 

I was going to post this on a new thread for reference and clarification but since it still applies to an active problem...

Referencing the beginning discussion here:

http://www.lavasoftsupport.com/index.php?showtopic=878&st=20

 

 

User.exe is referenced as a bad thing via http://www.symantec.com/avcenter/venc/data...aler.pport.html

 

And I am still seeing Users32.exe in my System32 directory.

 

\System32 contains:

User32.dll

User.exe

Userenv.dll

Userinit.exe

Users32.exe

 

 

The adobepnl.dll has NOT returned.

My system currently sees NO visible problems.

I will edit to include WinPFind results. Maybe it's an invalid question till I see the log, but if the system isn't having noticeable problems, are those user???.??? files really malware or are they valid system files?


SMITFRAUDFIX

 

SmitFraudFix v2.55

 

Scan done at 16:10:15.92, Thu 06/08/2006

Run from E:\tools\programs\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix ran in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\WINDOWS\bg.gif Deleted

C:\WINDOWS\close-bar.gif Deleted

C:\WINDOWS\infected.gif Deleted

C:\WINDOWS\star.gif Deleted

C:\WINDOWS\warning-bar-ico.gif Deleted

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

WINPFIND

 

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

 

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

 

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600

Internet Explorer Version: 6.0.2900.2180

 

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

 

Checking %SystemDrive% folder...

 

Checking %ProgramFilesDir% folder...

 

Checking %WinDir% folder...

 

Checking %System% folder...

PEC2 8/4/2004 5:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc

PTech 5/17/2006 11:23:38 AM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL

PECompact2 5/3/2006 11:26:22 PM 5818784 C:\WINDOWS\SYSTEM32\MRT.exe

aspack 5/3/2006 11:26:22 PM 5818784 C:\WINDOWS\SYSTEM32\MRT.exe

aspack 8/4/2004 5:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll

UPX! 6/7/2006 7:28:32 AM 13312 C:\WINDOWS\SYSTEM32\qjrkvy.exe

Umonitor 8/4/2004 5:00:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll

UPX! 6/7/2006 7:26:12 AM 8704 C:\WINDOWS\SYSTEM32\rpnqrdnm.exe

winsync 8/4/2004 5:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

UPX! 6/7/2006 7:28:32 AM 13312 C:\WINDOWS\SYSTEM32\winflash.dll

 

Checking %System%\Drivers folder and sub-folders...

 

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

 

 

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...

6/8/2006 4:19:48 PM S 2048 C:\WINDOWS\bootstat.dat

6/8/2006 3:58:34 PM S 268 C:\WINDOWS\CSC\00000001

6/8/2006 3:58:34 PM S 86496 C:\WINDOWS\CSC\00000002

6/8/2006 12:53:40 PM S 168 C:\WINDOWS\CSC\00000003

6/7/2006 4:32:32 PM S 84896 C:\WINDOWS\CSC\csc1.tmp

6/8/2006 9:43:40 AM S 1984 C:\WINDOWS\CSC\d1\00000028

6/8/2006 1:49:26 PM S 448 C:\WINDOWS\CSC\d1\00000038

6/8/2006 3:58:34 PM S 240448 C:\WINDOWS\CSC\d1\000000A8

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d1\000009B0

6/8/2006 1:49:26 PM S 4800 C:\WINDOWS\CSC\d1\000009B8

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d1\000009C0

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d1\000009C8

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d1\000009D0

6/8/2006 3:58:34 PM S 448 C:\WINDOWS\CSC\d2\00000011

6/8/2006 9:43:40 AM S 6080 C:\WINDOWS\CSC\d2\00000029

4/17/2006 4:28:12 PM S 64 C:\WINDOWS\CSC\d2\00000929

6/8/2006 3:58:34 PM S 192 C:\WINDOWS\CSC\d2\00000939

5/17/2006 7:41:26 AM S 192 C:\WINDOWS\CSC\d2\000009B1

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d2\000009B9

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d2\000009C1

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d2\000009C9

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d2\000009D1

6/8/2006 1:10:22 PM S 320 C:\WINDOWS\CSC\d2\00000A99

6/8/2006 1:49:26 PM S 192 C:\WINDOWS\CSC\d3\00000012

6/8/2006 1:49:26 PM S 320 C:\WINDOWS\CSC\d3\0000001A

4/11/2006 4:59:18 PM S 320 C:\WINDOWS\CSC\d3\00000032

4/17/2006 6:04:56 PM S 576 C:\WINDOWS\CSC\d3\00000992

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d3\000009BA

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d3\000009C2

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d3\000009CA

6/8/2006 1:49:26 PM S 320 C:\WINDOWS\CSC\d3\000009F2

6/8/2006 9:43:40 AM S 2368 C:\WINDOWS\CSC\d3\00000A02

6/8/2006 1:49:26 PM S 3520 C:\WINDOWS\CSC\d4\00000013

6/8/2006 3:58:34 PM S 8256 C:\WINDOWS\CSC\d4\00000913

6/2/2006 7:46:08 AM S 576 C:\WINDOWS\CSC\d4\0000092B

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d4\000009BB

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d4\000009C3

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d4\000009CB

6/8/2006 12:49:06 PM S 1216 C:\WINDOWS\CSC\d4\000009F3

4/17/2006 7:40:48 PM S 960 C:\WINDOWS\CSC\d4\00000A13

6/8/2006 1:49:26 PM S 192 C:\WINDOWS\CSC\d5\0000002C

6/8/2006 1:49:26 PM S 320 C:\WINDOWS\CSC\d5\0000003C

6/8/2006 1:49:26 PM S 192 C:\WINDOWS\CSC\d5\0000095C

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d5\000009BC

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d5\000009C4

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d5\000009CC

6/8/2006 9:43:40 AM S 1344 C:\WINDOWS\CSC\d5\00000A0C

6/8/2006 1:10:22 PM S 6592 C:\WINDOWS\CSC\d5\00000A6C

6/8/2006 1:01:44 PM S 64 C:\WINDOWS\CSC\d5\00000A94

6/8/2006 1:01:48 PM S 64 C:\WINDOWS\CSC\d5\00000A9C

6/8/2006 1:49:26 PM S 1344 C:\WINDOWS\CSC\d6\00000015

4/11/2006 4:46:54 PM S 832 C:\WINDOWS\CSC\d6\00000035

6/8/2006 1:47:44 PM S 320 C:\WINDOWS\CSC\d6\0000003D

6/8/2006 1:49:26 PM S 192 C:\WINDOWS\CSC\d6\0000095D

4/17/2006 6:04:56 PM S 576 C:\WINDOWS\CSC\d6\00000985

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d6\000009BD

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d6\000009C5

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d6\000009CD

6/8/2006 1:01:44 PM S 64 C:\WINDOWS\CSC\d6\00000A95

6/8/2006 1:01:48 PM S 64 C:\WINDOWS\CSC\d6\00000A9D

6/8/2006 1:49:26 PM S 960 C:\WINDOWS\CSC\d7\0000002E

4/17/2006 6:04:50 PM S 64 C:\WINDOWS\CSC\d7\0000095E

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d7\000009AE

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d7\000009BE

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d7\000009C6

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d7\000009CE

6/8/2006 9:43:40 AM S 704 C:\WINDOWS\CSC\d7\000009FE

6/8/2006 1:46:08 PM S 448 C:\WINDOWS\CSC\d7\00000A96

6/8/2006 3:58:34 PM S 1344 C:\WINDOWS\CSC\d8\00000017

4/11/2006 4:46:54 PM S 5440 C:\WINDOWS\CSC\d8\0000002F

6/8/2006 1:49:26 PM S 320 C:\WINDOWS\CSC\d8\00000037

6/8/2006 1:49:26 PM S 4416 C:\WINDOWS\CSC\d8\00000927

4/17/2006 6:04:56 PM S 320 C:\WINDOWS\CSC\d8\0000098F

6/8/2006 3:58:34 PM S 4288 C:\WINDOWS\CSC\d8\000009AF

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d8\000009BF

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d8\000009C7

4/17/2006 6:04:56 PM S 64 C:\WINDOWS\CSC\d8\000009CF

6/8/2006 4:19:42 PM H 8192 C:\WINDOWS\system32\config\default.LOG

6/8/2006 4:20:16 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG

6/8/2006 4:19:50 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG

6/8/2006 4:20:28 PM H 86016 C:\WINDOWS\system32\config\software.LOG

6/8/2006 4:19:54 PM H 1003520 C:\WINDOWS\system32\config\system.LOG

6/8/2006 9:06:26 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG

4/17/2006 10:51:32 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\2ad220af-60d4-4989-a6fa-75b5351cd2de

4/17/2006 10:51:32 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred

6/8/2006 3:58:40 PM H 6 C:\WINDOWS\Tasks\SA.DAT

 

Checking for CPL files...

Microsoft Corporation 8/4/2004 5:00:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl

Microsoft Corporation 8/4/2004 5:00:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl

12/15/2003 12:09:34 PM 24576 C:\WINDOWS\SYSTEM32\BACSCPL.cpl

Microsoft Corporation 8/4/2004 5:00:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl

Microsoft Corporation 8/4/2004 5:00:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl

Microsoft Corporation 8/4/2004 5:00:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl

Microsoft Corporation 8/4/2004 5:00:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl

Intel Corporation 9/20/2005 9:35:12 AM 77824 C:\WINDOWS\SYSTEM32\igfxcpl.cpl

Microsoft Corporation 8/4/2004 5:00:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl

Microsoft Corporation 8/4/2004 5:00:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl

Microsoft Corporation 8/4/2004 5:00:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl

Microsoft Corporation 8/4/2004 5:00:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl

Sun Microsystems, Inc. 11/10/2005 2:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl

Microsoft Corporation 8/4/2004 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl

Microsoft Corporation 8/4/2004 5:00:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl

Microsoft Corporation 8/4/2004 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl

Microsoft Corporation 8/4/2004 5:00:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl

Microsoft Corporation 8/4/2004 5:00:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl

Microsoft Corporation 8/4/2004 5:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl

Microsoft Corporation 8/4/2004 5:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl

Microsoft Corporation 8/4/2004 5:00:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl

SigmaTel Inc. 7/20/2004 3:14:06 PM 102481 C:\WINDOWS\SYSTEM32\stac97.cpl

Microsoft Corporation 8/4/2004 5:00:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl

Microsoft Corporation 8/4/2004 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl

Microsoft Corporation 8/4/2004 5:00:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl

Microsoft Corporation 8/4/2004 5:00:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl

Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

Intel Corporation 8/20/2004 8:53:06 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0003\DriverFiles\igfxcpl.cpl

Intel Corporation 9/20/2005 9:35:12 AM 77824 C:\WINDOWS\SYSTEM32\ReinstallBackups\0009\DriverFiles\igfxcpl.cpl

 

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

 

Checking files in %ALLUSERSPROFILE%\Startup folder...

8/11/2004 5:15:06 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

3/10/2006 11:30:48 AM 1908 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk

 

Checking files in %ALLUSERSPROFILE%\Application Data folder...

8/11/2004 5:07:12 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

5/12/2006 2:35:16 PM 15911 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

11/29/2005 12:15:18 PM 1763 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

 

Checking files in %USERPROFILE%\Startup folder...

8/11/2004 5:15:06 PM HS 84 C:\Documents and Settings\tech\Start Menu\Programs\Startup\desktop.ini

 

Checking files in %USERPROFILE%\Application Data folder...

8/11/2004 5:07:12 PM HS 62 C:\Documents and Settings\tech\Application Data\desktop.ini

 

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

SV1 =

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

 

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu

{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files

{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With

{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu

{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}

Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu

{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu

{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files

{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing

{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}

= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

 

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}

&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}

Explorer Band = %SystemRoot%\system32\shdocvw.dll

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser

{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll

{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

UpdateManager "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

Synchronization Manager %SystemRoot%\system32\mobsync.exe /logon

ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

vptray C:\PROGRA~1\SYMANT~1\VPTray.exe

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

IMAIL Installed = 1

MAPI Installed = 1

MSFS Installed = 1

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup

ctfmon.exe C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

iPodService 3

ewido security suite guard 2

ewido security suite control 2

WinDefend 2

 

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IntelWireless

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item ifrmewrk

hkey HKLM

command C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

inimapping 0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state

system.ini 0

win.ini 0

bootini 0

services 2

startup 2

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

NoWelcomeScreen 1

 

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum

{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =

{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

 

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

dontdisplaylastusername 0

legalnoticecaption

legalnoticetext

shutdownwithoutlogon 1

undockwithoutlogon 1

 

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

NoDriveTypeAutoRun 145

 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll

CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll

WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll

SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

Shell = Explorer.exe

System =

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

= crypt32.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

= cryptnet.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

= cscdll.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui

= igfxdev.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\IntelWireless

= C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon

= C:\WINDOWS\system32\NavLogon.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

= wlnotify.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

= wlnotify.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

= sclgntfy.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

= WlNotify.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

= wlnotify.dll

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

= wlnotify.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path

Debugger = ntsd -d

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

AppInit_DLLs

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.

Scan completed on 6/8/2006 4:27:13 PM

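A way to read the WinPFind log above the way a responder would, as an added example (this is not WinPFind's code and not from any post in the thread): it parses the "%System% folder" file lines, the Winlogon values and the Image File Execution Options entries, then reports signature-tagged (packed) files modified in the days before the scan, Winlogon values that differ from the Windows XP defaults, and IFEO Debugger entries other than the placeholder key XP ships with. The packed-file check on its own separates the three 6/7/2006 drops (qjrkvy.exe, rpnqrdnm.exe, winflash.dll) from vendor-dated files like MRT.exe and ntdll.dll that carry the same tags. The sample log is constructed from lines in the thread's log, plus one constructed IFEO entry (marked in the code) so the last check has something to find.

```python
"""Triage helper for WinPFind-style log output.

Added example for the thread; not WinPFind's code and not from any post
above. Reads three things the log prints, the "%System% folder" file lines
(signature tag, date, time, size, path), the Winlogon values and the Image
File Execution Options entries, and reports what a responder checks first.
SAMPLE_LOG is constructed from lines in the thread's log plus one
constructed IFEO entry (marked) so that the last check has a hit.
"""
import re
from datetime import datetime, timedelta

# Byte-signature tags WinPFind printed in the log above. They are
# signatures, not verdicts: the same log tags ntdll.dll as "aspack".
PACKER_TAGS = {"UPX!", "PECompact2", "aspack", "PEC2", "PTech"}

# Windows XP defaults for the Winlogon values WinPFind reports.
WINLOGON_DEFAULTS = {"UserInit": r"C:\WINDOWS\system32\userinit.exe,",
                     "Shell": "Explorer.exe", "System": ""}

# XP ships this sample key under IFEO; any other Debugger value silently
# redirects launches of that image to the named program.
IFEO_PLACEHOLDER = "Your Image File Name Here without a path"

FILE_LINE = re.compile(
    r"^(?P<tag>\S+)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+(?P<size>\d+)\s+(?P<path>\S.*)$")
WINLOGON_LINE = re.compile(r"^(UserInit|Shell|System)\s*=\s*(.*)$")

SCAN_TIME = datetime(2006, 6, 8, 16, 27, 13)   # "Scan completed on" in the log

SAMPLE_LOG = r"""
PECompact2 5/3/2006 11:26:22 PM 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 5:00:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
UPX! 6/7/2006 7:28:32 AM 13312 C:\WINDOWS\SYSTEM32\qjrkvy.exe
UPX! 6/7/2006 7:26:12 AM 8704 C:\WINDOWS\SYSTEM32\rpnqrdnm.exe
UPX! 6/7/2006 7:28:32 AM 13312 C:\WINDOWS\SYSTEM32\winflash.dll
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
Debugger = C:\WINDOWS\system32\hijack.exe
""".strip().splitlines()
# The two taskmgr.exe lines are constructed for this example; the thread's
# log shows only the placeholder key.


def parse_file_lines(lines):
    """Yield (tag, mtime, size, path) for each line in WinPFind's file format."""
    for line in lines:
        m = FILE_LINE.match(line.strip())
        if m:
            mtime = datetime.strptime(f"{m['date']} {m['time']}",
                                      "%m/%d/%Y %I:%M:%S %p")
            yield m["tag"], mtime, int(m["size"]), m["path"]


def recent_packed_files(lines, scan_time, window_days=7):
    """Paths of signature-tagged files modified within window_days before
    the scan. Vendor-dated system files drop out; fresh drops stay."""
    cutoff = scan_time - timedelta(days=window_days)
    return [path for tag, mtime, _size, path in parse_file_lines(lines)
            if tag in PACKER_TAGS and cutoff <= mtime <= scan_time]


def winlogon_deviations(lines):
    """Winlogon values that differ from the XP defaults, as {name: value}."""
    found = {}
    for line in lines:
        m = WINLOGON_LINE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2).strip()
    return {k: v for k, v in found.items() if WINLOGON_DEFAULTS.get(k) != v}


def ifeo_debuggers(lines):
    """(image, debugger) pairs under IFEO, ignoring XP's placeholder key."""
    hits, image = [], None
    for line in lines:
        s = line.strip()
        if "\\Image File Execution Options\\" in s:
            image = s.rsplit("\\", 1)[1]
        elif (s.startswith("Debugger") and "=" in s
              and image not in (None, IFEO_PLACEHOLDER)):
            hits.append((image, s.split("=", 1)[1].strip()))
    return hits


def triage(lines, scan_time=SCAN_TIME):
    """Run the three checks and return one report dict."""
    return {"recent_packed": recent_packed_files(lines, scan_time),
            "winlogon": winlogon_deviations(lines),
            "ifeo": ifeo_debuggers(lines)}


if __name__ == "__main__":
    for name, result in triage(SAMPLE_LOG).items():
        print(f"{name}: {result}")
```

Widening the window (for example to 60 days) pulls MRT.exe back in, which is why the date cut-off is a starting point for a look, not a verdict; the packer tag plus a random-looking name plus a timestamp that matches the infection morning is what singles out the three drops.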

I was fairly sure when this hit my computer and so searched under the time. It's associated with an application file called qjrkvy in System 32. There are numerous other application files that came down with it. e.g. tcpservice2, runsrv32, a (all in System 32), plus various dll's and GIF files.

 

Find qjrkvy and search on the time it arrived and you'll get the others. First time that anything has got past my Firewall and Antivirus, so unsure how to remove. Therefore my question is, having found them, can I just hit delete??

 

 

Kevin


On my clean system here, in the System32 folder, also exist the files:

user32.dll

user.exe

userenv.dll

userinit.exe

 

It is only this file that is the infected one: Users32.exe in the System32 folder

You may need to reboot into SAFE MODE to delete it.

 

Let me know, if you are unable to delete even in safe mode.

I was fairly sure when this hit my computer and so searched under the time. It's associated with an application file called qjrkvy in System 32. There are numerous other application files that came down with it. e.g. tcpservice2, runsrv32, a (all in System 32), plus various dll's and GIF files.

 

Find qjrkvy and search on the time it arrived and you'll get the others. First time that anything has got past my Firewall and Antivirus, so unsure how to remove. Therefore my question is, having found them, can I just hit delete??

Kevin

 

Heh, it's even described/titled "Trojan Factory"

 

I'll do that search and upload all the files I've got to http://www.thespykiller.co.uk/forum/index.php?topic=1788.0

 

At this point, and just as an observation, it looks like adobepnl.dll is the primary file. The last stint of cwshredder, spybot, and HJ (maybe something else...anyways) removed a bunch of stuff including an infected.gif. Since rebooting, and my computer appearing to be okay the only thing that shows up is the qjrkvy.exe and the users32.exe.

 

Both have now been deleted from in safe mode.

I rebooted back to normal mode and the files have stayed gone.

 

 

I did that search on date range of 6/7/06 to 6/8/06. The 7th was the morning of infection.

I have a bunch of stuff but what I'm finding interesting is a series of files timed for 7:19am and 7:26am exactly for both the 7th and the 8th. Many of them are referenced to windows\prefetch and many others are referenced to windows\pchealth. Among the latter are a series of XML files labeled "CollectedData_94##.xml". Those particular files are in windows\pchealth\helpctr\datacoll.

 

I can copy the files over to USB and upload them (at least the suspicious ones) if you'd like. But I'd also want to include the location where they are currently. Is there anyway to print the view of windows explorer of file name, folder location, size, and/or date modified? -- Or does it even matter and the important stuff is in the files themselves?

 

I'm definitely curious about the pchealth folder.

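Kevin's "find qjrkvy and search on the time it arrived" and the date-range search in the post above are the same technique, a timeline pivot: take the modification time of one file you are sure about and list everything under the chosen roots whose mtime lands within a few minutes of it. The following is an added example of that pivot, not code from either poster. On the laptop it would be pointed at C:\WINDOWS with C:\WINDOWS\system32\qjrkvy.exe as the pivot; here a throw-away directory with hand-set timestamps stands in for the disk so it runs anywhere, and the file names in the sample tree are constructed to mirror the 7:26/7:28 cluster described in the thread.

```python
"""Timeline pivot: list files written in the same window as a known-bad file.

Added example for the thread, not code from any poster. files_near() is the
reusable part; build_sample_tree() and demo() only create a constructed
stand-in for %WinDir% with timestamps set by hand, so the pivot can be
exercised without an infected machine.
"""
import os
import shutil
import tempfile
from datetime import datetime, timedelta


def files_near(pivot, roots, minutes=15):
    """[(path, mtime)] for files under roots whose mtime is within +/- minutes
    of pivot's mtime, sorted by time, pivot excluded. os.walk does not follow
    symlinks and lstat is used, so a junction cannot loop the walk."""
    centre = datetime.fromtimestamp(os.stat(pivot).st_mtime)
    lo = centre - timedelta(minutes=minutes)
    hi = centre + timedelta(minutes=minutes)
    pivot = os.path.abspath(pivot)
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    mtime = datetime.fromtimestamp(os.lstat(path).st_mtime)
                except OSError:      # locked or already gone: skip, don't abort
                    continue
                if lo <= mtime <= hi and os.path.abspath(path) != pivot:
                    hits.append((path, mtime))
    return sorted(hits, key=lambda hit: hit[1])


def build_sample_tree():
    """Constructed stand-in for %WinDir%: one old system file and a cluster
    of files stamped minutes apart, like the thread's 6/7/2006 drops."""
    base = tempfile.mkdtemp(prefix="pivot_demo_")
    os.makedirs(os.path.join(base, "system32"))
    stamps = {
        "system32/qjrkvy.exe":   datetime(2006, 6, 7, 7, 28, 32),   # pivot
        "system32/rpnqrdnm.exe": datetime(2006, 6, 7, 7, 26, 12),
        "system32/winflash.dll": datetime(2006, 6, 7, 7, 28, 32),
        "infected.gif":          datetime(2006, 6, 7, 7, 26, 0),
        "system32/ntdll.dll":    datetime(2004, 8, 4, 5, 0, 0),     # outside window
    }
    for rel, when in stamps.items():
        path = os.path.join(base, *rel.split("/"))
        with open(path, "wb") as fh:
            fh.write(b"x")
        ts = when.timestamp()
        os.utime(path, (ts, ts))
    return base


def demo():
    """Build the sample tree, pivot on qjrkvy.exe, return hits as relative
    paths with forward slashes; the tree is removed afterwards."""
    base = build_sample_tree()
    try:
        pivot = os.path.join(base, "system32", "qjrkvy.exe")
        return [os.path.relpath(p, base).replace(os.sep, "/")
                for p, _ in files_near(pivot, [base])]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for rel in demo():
        print(rel)
```

Two caveats for a live run: mtime is what the installer wrote, so a dropper that back-dates its files escapes this search (on NTFS the $MFT's creation and entry-modified timestamps are harder to fake from user mode), and prefetch entries written at the same minute show when something ran, not when it was dropped, so they belong in the timeline even though they are not the payload.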

I'm new to this board but after losing a day of productivity due to this issue and finally resolving it this morning I can't thank you enough.

 

Following your recovery steps I was able to restore my computer to "normal."

 

If we can catch the punks that wrote this I would like one shot at them and I'll wait in line to do it.

 

Something has to be done. I'm for public lynchings.


CJ - I know you're busy and if I could bring you a cake, cookies or maybe some BBQ ribs I would. Thanks for the help and time you've been spending on this new nasty.

 

 

I'm updating and have uploaded some additional files. Some I'm not sure about infection; others (like the images) might come in handy for whatever cleaning tool (?).

 

http://www.thespykiller.co.uk/forum/index.php?topic=1788.0

 

The attached zip contains the files which look to have been created or modified at the time of infection. I have also included some xml files which were created at the same time the next day. All this occurred between 7:19am and a little after 7:30 on the 7th and 8th.

 

I have broken the files down into subfolders in an attempt to keep their original location referenced.

subfolder "pchealth-helpctr-datacoll" was c:\windows\pchealth\helpctr\datacoll

subfolder "prefetch" was c:\windows\prefetch

subfolder "pss" was c:\windows\pss

subfolder "sys32" was c:\windows\system32

subfolder "win" was c:\windows

 

Note: a .exe rpnqrdnm.exe looks suspicious (contained in the sys32 folder)

Note: All images in the win folder for the time of 6/7/06 7:26am match the images on the redirected www. antispywarebox .com and the about:blank page.

Note: Symptoms appear to be gone on my computer, I just want to make sure nothing is lurking.


Ok, I'll go take look.

 

FYI, prefetch files are harmless; they are nothing more than a shortcut pointing to a file and not the file itself. But I'll look at what you uploaded and check them out for ya :)

 

Cake, cookies and BBQ sound divine :D


Per Derek's request at http://www.thespykiller.co.uk/forum/index.php?topic=1788.0

 

c:\windows\temp is empty

 

 

Contents of win.ini

 

; for 16-bit app support

[fonts]

[extensions]

[mci extensions]

[files]

[Mail]

MAPI=1

CMCDLLNAME32=mapi32.dll

CMCDLLNAME=mapi.dll

CMC=1

MAPIX=1

MAPIXVER=1.0.0.1

OLEMessaging=1

[MCI Extensions.BAK]

aif=MPEGVideo

aifc=MPEGVideo

aiff=MPEGVideo

asf=MPEGVideo

asx=MPEGVideo

au=MPEGVideo

m1v=MPEGVideo

m3u=MPEGVideo

mp2=MPEGVideo

mp2v=MPEGVideo

mp3=MPEGVideo

mpa=MPEGVideo

mpe=MPEGVideo

mpeg=MPEGVideo

mpg=MPEGVideo

mpv2=MPEGVideo

snd=MPEGVideo

wax=MPEGVideo

wm=MPEGVideo

wma=MPEGVideo

wmv=MPEGVideo

wmx=MPEGVideo

wpl=MPEGVideo

wvx=MPEGVideo

[sqlWindows]

CenturyDefaultMode=1

[AMTECH]

DefualtPrintOrView=P

MetaFile=C:\WINDOWS\TEMP\~bdr362A.wmf

 

I see the reference to the ~bdr362A.wmf

 

Looks like I get a round of making sure my clients are up to date.

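Two things are worth checking in a win.ini dump like the one above: the [windows] section's load= and run= lines, which start programs at logon (WinPFind reads their registry-mapped copies, the "Windows\load" and "Windows\run" keys shown in the log earlier in the thread), and any value that points at a file in a temp directory, like the ~bdr362A.wmf reference the poster noticed. The parser below is an added example and not a tool from the thread; it uses Python's configparser to read the file and flags both. The sample text is constructed from the posted win.ini (trimmed) plus a constructed [windows] section, marked in the code, so that the autostart check has something to find; the posted file has no such section, which is what a clean XP machine normally shows.

```python
"""Flag win.ini entries worth a second look (added example; not from the
thread). Two checks: [windows] load=/run= autostarts, and any value that
points into a temp directory. SAMPLE_WIN_INI is constructed from the
posted file plus one constructed [windows] section (marked)."""
import configparser
import re

# Matches a path component of TEMP/TMP or the matching %VAR% forms.
TEMP_PATH = re.compile(r"(\\temp\\|\\tmp\\|%temp%|%tmp%)", re.IGNORECASE)
AUTOSTART_KEYS = {"load", "run"}   # [windows] load= / run= start at logon on XP

SAMPLE_WIN_INI = r"""
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMCDLLNAME32=mapi32.dll
CMCDLLNAME=mapi.dll
[MCI Extensions.BAK]
mp3=MPEGVideo
wmv=MPEGVideo
[sqlWindows]
CenturyDefaultMode=1
[AMTECH]
DefualtPrintOrView=P
MetaFile=C:\WINDOWS\TEMP\~bdr362A.wmf
[windows]
load=C:\WINDOWS\system32\example.exe
"""
# The [windows] section and example.exe are constructed for this example;
# the win.ini posted in the thread contains neither.


def load_win_ini(text):
    """Parse win.ini text. Interpolation is off so '%' in values is literal;
    strict=False tolerates the duplicate keys real win.ini files accumulate;
    optionxform=str keeps key case so the report matches the file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def findings(text):
    """[(kind, section, key, value)] for autostart entries and temp-path
    references, in file order."""
    cp = load_win_ini(text)
    out = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if (section.lower() == "windows" and key.lower() in AUTOSTART_KEYS
                    and value.strip()):
                out.append(("autostart", section, key, value))
            if TEMP_PATH.search(value):
                out.append(("temp_path", section, key, value))
    return out


if __name__ == "__main__":
    for kind, section, key, value in findings(SAMPLE_WIN_INI):
        print(f"{kind:10} [{section}] {key}={value}")
```

A temp-path hit such as the MetaFile line is not by itself proof of infection (an application storing its last print spool there is ordinary), but a file in %WinDir%\TEMP referenced from a boot-time configuration file is exactly the kind of thing to pull and examine, and an autostart line is worth checking on any XP box regardless.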

I had experienced the same issue for the last 2 days... and two sleepless nights. Thank you CALAMITY JANE for pointing out that

O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\system32\adobepnl.dll

 

belongs to that stupid virus.

 

I have kept it on purpose in HijackThis, just because I thought it's part of Adobe -- ADOBEpnl.dll

 

After reading your post, I removed this line, and voilà -- comp. is clean... or so it seems :)

 

Again,

 

Thanks a lot!!

 

Dima.



Update! Good news! The free tool, SmitfraudFix has been updated this morning for this variant. :)

 

If you already had it, please delete the prior version SmitfraudFix folder and files and download the new version 2.57 SmitfraudFix

 

1. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

 

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

 

 

2. Reboot into Safe Mode

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

3. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

 

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

 

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.


Hey-

I'm really new to this stuff, so here goes. I had a panic call from my daughter that her PC is doing a virus scan and she can't do anything, not even stop the process. As you can guess, it is the wonderful (ha!) antispywarebox.com. I think she clicked on the "scan now" button. I know, big mistake.

 

She can no longer get to her homepage, since it continues to change it back.

 

From the previous posts, I assume that if I look for the Adobepnl.dll and the metafile entry in Win.ini, I should be OK?

 

Should I also follow your procedure for the SmitfraudFix?

 

Thanks for any help.

 

Hope this was done correctly, if not please let me know.
