Please help... Looks clean, but it won't DIE. [RESOLVED]



#31
badaxe (Topic Starter)
Here's what I have done while I have been away.

REPORT ONE
Followed your last command. On reboot, Ewido would not load (little red X in the tray) and Explorer.exe locked up. Had to reboot.

REPORT TWO
Rebooted ok. Ran Ewido again, first running the memory scan (clean) and then the file scan. Here is the file scan report:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:29:23 PM, 6/16/2005
+ Report-Checksum: 69ADB73C

+ Date of database: 6/16/2005
+ Version of scan engine: v3.0

+ Duration: 15 min
+ Scanned Files: 42178
+ Speed: 44.09 Files/Second
+ Infected files: 5
+ Removed files: 5
+ Files put in quarantine: 5
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\!Submit\drv2cltr.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\Documents and Settings\RADBXD\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\RADBXD0\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\RADBXD0\Cookies\radbxd0@zedo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINNT\system32\drv2cltr.dll -> TrojanSpy.Agent.am -> Cleaned with backup


::Report End


So Ewido found drv2cltr.dll again. (I think I must have hit !Submit from within KillBox to create that copy. Really, I'm not an idiot, I just play one on the internet.)

After this report, rather than come right back into IE to post a report, I wanted to give KillBox another shot at the files.

Using KillBox, I killed all of the following, one at a time.

C:\DOCUME~1\RADBXD0\LOCALS~1\Temp\InfoWindow.dll
C:\WINNT\system32\loihz.dll
C:\WINNT\System32\WBEM\WBEMSTUB.DLL
C:\WINNT\system32\cisvvc.exe
C:\WINNT\system32\drv2cltr.dll
C:\WINNT\system32\loadctr.exe/data0006
C:\WINNT\system32\loadctr.exe
C:\WINNT\system32\rdsndin.exe

On entering the last file, I told KillBox to reboot. Once again I got the PendingFileRename warning. This time I hit 'OK.'

However, I noticed that KillBox did not go on to automatically reboot. I manually selected reboot.

I ran Ewido again (memory then files). Basically I am hoping for at least a semblance of a clean bill of health before I report back.

Here is the latest Ewido report:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:31:04 PM, 6/16/2005
+ Report-Checksum: 61122B94

+ Date of database: 6/16/2005
+ Version of scan engine: v3.0

+ Duration: 16 min
+ Scanned Files: 42182
+ Speed: 42.57 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
No infected files found!


::Report End

#32
badaxe (Topic Starter)
After performing all of the above I ran a Kaspersky scan and it came back clean.

I opened and browsed with IE for about an hour; multiple openings/restarts of IE, browsing multiple pages, trying Favorites and following through on links.

Was optimistic-- until Ewido just warned me that it had found and cleaned both of these files:

C:\WINNT\system32\cisvvc.exe
C:\WINNT\system32\rdsndin.exe

... and my Favorites have been updated again.

I've kill-boxed both of these files (and all the others) again.

But I don't really know what to do at this point since both Ewido and Kaspersky showed clean until these files suddenly popped up again.

I have never seen anything like this...

Any other ideas?

#33
Guest_usetobe_* (Guest)
1. Download and unzip http://skads.org/special/rkfiles.zip to a folder.

2. Boot into Safe Mode. To do this, keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, select Safe Mode.

3. While in Safe Mode, go to the folder you unzipped rkfiles to and run rkfiles.bat. It will take a long time and it will make a log, log.txt. Reboot into normal mode and post that log here in a reply.

#34
badaxe (Topic Starter)
Just FYI, Ewido found and 'cleaned' those two files again (cisvvc.exe and rdsndin.exe) when I opened this up this morning for your latest reply. (And my Favorites were updated, of course.)

Here's the log from the batch file:

D:\BEN\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINNT\system32\ODBCJET.HLP: +0`3Spec2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINNT\tsc.exe: UPX!
C:\WINNT\vsapi32.dll: UPX!t4
Finished
bye


On another note-- I don't know if you normally provide support over the weekend (that's some dedicated geekness, there) but I will not be able to reply over the weekend. I can continue to post this morning but please don't close the thread if you don't hear back from me until Sunday evening.

#35
Guest_usetobe_* (Guest)
Hi,

Don't worry, the thread won't be closed until this is sorted out or we hit your PC with a mallet! And yes, I'm sad and provide a service over the weekend (it keeps me away from the wife :tazz:)

OK, let's see what we can do now.

Firstly, let's go get something in the registry:

Start > Run > type regedit

Locate the following in the left-hand box:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right-hand box, delete the value under System (right-click System, click Modify, ensure the box is empty, then OK it).

Now copy and paste the following into Notepad and then carry out the KillBox routine again:

C:\WINNT\tsc.exe
C:\WINNT\vsapi32.dll
C:\WINNT\system32\cisvvc.exe
C:\WINNT\system32\rdsndin.exe
C:\WINNT\system32\drv2cltr.dll
C:\WINNT\system\csexv.exe
C:\WINNT\system32\csexv.exe
C:\WINNT\csexv.exe


Then reboot into Safe Mode, carry out a scan with hjt and post that log back.

Also carry out an Ewido scan in normal mode and a Kaspersky scan and let me have the results.

#36
badaxe (Topic Starter)
I'm concerned about deleting

C:\WINNT\tsc.exe
C:\WINNT\vsapi32.dll

as I believe they're legitimately installed. (This is my work computer.)

I'm going to step up and advocate for them unless you're sure they're sinister culprits...?

#37
Guest_usetobe_* (Guest)
OK, good call, leave them out.

#38
badaxe (Topic Starter)
There was no value in the registry key you asked me to check; I performed the action anyway.

Here are the logs.

Logfile of HijackThis v1.99.1
Scan saved at 10:25:25 AM, on 6/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
D:\BEN\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RemoteAgent] C:\Program Files\Trend Micro\OfficeScan Client\RAUAgent.exe
O4 - HKLM\..\Run: [NANTSessionAgent] C:\Program Files\netOctopus Agent\nantsecc.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.###.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.###.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ###.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.###.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ###.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ###.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: netOctopus Agent - Netopia, Inc. - C:\Program Files\netOctopus Agent\Nant.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\system32\Tablet.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:00:35 AM, 6/17/2005
+ Report-Checksum: 865720AD

+ Date of database: 6/17/2005
+ Version of scan engine: v3.0

+ Duration: 17 min
+ Scanned Files: 43085
+ Speed: 40.25 Files/Second
+ Infected files: 2
+ Removed files: 2
+ Files put in quarantine: 2
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\RADBXD0\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\RADBXD0\Cookies\radbxd0@zedo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Friday, June 17, 2005 14:08:50
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/06/2005
Kaspersky Anti-Virus database records: 134240
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 35054
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 2252 sec

Infected Object Name - Virus Name
C:\Program Files\TightVNC\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b

Scan process completed.



I have to say, though, I'm not real optimistic even though these scans came back "clean."

I will post again on Sunday evening after browsing for a while.

Question: Am I any more likely to have success deleting these files from the DOS prompt than I have had with KillBox? Or do you think the deletions are working OK but something is putting the files back onto the computer?

Another question: What is this file csexv.exe you asked me to delete? I can't see that it turned up in any of the scans I've performed at your request. Is this some file you have some reason to suspect?

Sorry if I am asking too many questions, but I do like to try to understand as I go along...

#39
Guest_usetobe_* (Guest)
Well, like you say, the scans may be deceptive and only time will tell.

No, KillBox should work.

The file you refer to was in the Silent Runners log.

See you Sunday, have a good weekend.

#40
badaxe (Topic Starter)
> No, KillBox should work.
>
> The file you refer to was in the Silent Runners log.
>
> See you Sunday, have a good weekend.

Well, I am back home. How about we kick this off with another Silent Runners log? I see a suspect file... I am starting to doubt I can ever clean this thing.

"Silent Runners.vbs", revision 38, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"OfficeScanNT Monitor" = ""C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow" ["Trend Micro Inc."]
"RemoteAgent" = "C:\Program Files\Trend Micro\OfficeScan Client\RAUAgent.exe" ["Trend Micro Inc."]
"NANTSessionAgent" = "C:\Program Files\netOctopus Agent\nantsecc.exe" ["Netopia, Inc."]
"eabconfg.cpl" = "C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start" ["Compaq"]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express Access"
\StubPath = ""C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office 2000\Office\" [file not found]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\1033\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csrlz.exe" [null data]

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\
WARNING! Either "\\na.###.com\SysVol\na.###.com\Policies\{33A2FE52-C95F-4D62-B886-8239088889C3}\User\Scripts\scripts.ini"
doesn't exist or there is insufficient permission to read it!


Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\
HIJACK WARNING! "HomePage"=dword:00000001
[disables the Home page field in Internet Options|General (tab)]
{User Configuration|Administrative Templates|Windows Components|
Internet Explorer|Disable changing home page settings}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "RADBXD0" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Cisco Systems VPN Client" -> shortcut to: "C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe "-run_only_if_connected" "-auto_initiation"" ["Cisco Systems, Inc."]
"TabUserW.exe" -> shortcut to: "C:\WINNT\system32\Wtablet\TabUserW.exe" ["Wacom Technology, Corp."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 04, 07 - 12
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Cisco Systems, Inc. VPN Service, CVPND, ""C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
HID Input Service, HidServ, "C:\WINNT\system32\hidserv.exe" [MS]
netOctopus Agent, netOctopus Agent, "C:\Program Files\netOctopus Agent\Nant.exe" ["Netopia, Inc."]
OfficeScanNT Listener, tmlisten, "C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe" [null data]
OfficeScanNT RealTime Scan, ntrtscan, "C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe" ["Trend Micro Inc."]
TabletService, TabletService, "C:\WINNT\system32\Tablet.exe" ["Wacom Technology, Corp."]
VNC Server, winvnc, ""C:\Program Files\TightVNC\WinVNC.exe" -service" ["AT&T Research Labs Cambridge"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
#41
Guest_usetobe_* (Guest)
This is getting annoying :tazz:

Whilst you were away in the Far East, did you change the region setting by any chance?

Start > Run > type regedit

Locate the following in the left-hand box:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right-hand box, delete the value under System (right-click System, click Modify, ensure the box is empty, then OK it).

Now copy and paste the following into Notepad and then carry out the KillBox routine again:

C:\WINNT\system\csrlz.exe
C:\WINNT\system32\csrlz.exe
C:\WINNT\csrlz.exe

Then reboot into normal mode, carry out a scan with hjt and Ewido and post the logs back.

Do you have your 2000 installation discs?

#42
badaxe (Topic Starter)
> This is getting annoying :tazz:
>
> Whilst you were away in the Far East, did you change the region setting by any chance?

No, I did something far stupider. I fell for a pop-up that looked like a Windows security warning and "OK"'ed it.

> Start > Run > type regedit
>
> Locate the following in the left-hand box:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
>
> In the right-hand box, delete the value under System (right-click System, click Modify, ensure the box is empty, then OK it).

Done. Again, there was no data there, but I deleted and OK'ed anyway.

> Now copy and paste the following into Notepad and then carry out the KillBox routine again:
>
> C:\WINNT\system\csrlz.exe
> C:\WINNT\system32\csrlz.exe
> C:\WINNT\csrlz.exe

Done.

> Then reboot into normal mode, carry out a scan with hjt and Ewido and post the logs back.

It's working now. FYI, I'm posting from my desktop while my laptop (infected) chugs away. So I can read and reply here while Ewido works.

> Do you have your 2000 installation discs?

I have my own, but they're older than what was used to install 2000 on my laptop. The laptop includes SP4; I believe mine are SP3.

#43
badaxe (Topic Starter)
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:25:30 PM, 6/19/2005
+ Report-Checksum: E537DCF1

+ Date of database: 6/19/2005
+ Version of scan engine: v3.0

+ Duration: 35 min
+ Scanned Files: 109893
+ Speed: 51.07 Files/Second
+ Infected files: 2
+ Removed files: 2
+ Files put in quarantine: 2
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\RADBXD0\Cookies\radbxd0@zedo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINNT\system32\drv2cltr.dll -> TrojanSpy.Agent.am -> Cleaned with backup


::Report End
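The report above shows drv2cltr.dll detected again three days after it was "Cleaned with backup" and deleted with KillBox. As an added example (not code from the thread, from ewido, or from the helper), the Python below parses the ewido report layout quoted in this thread and flags any path that is reported again after a report in which it was cleaned; the sample reports are constructed from the thread's own paths and detection names, with illustrative timestamps.

```python
"""Track which ewido detections recur across successive scan reports.

Added example, not code from the thread or from ewido: the thread's files
(drv2cltr.dll, cisvvc.exe, rdsndin.exe) are "Cleaned with backup", deleted
again with KillBox, and then reappear in a later report. Comparing detection
sets across parsed reports makes that recurrence explicit; tracking cookies
are ignored because they return through ordinary browsing.
"""
import re
from datetime import datetime

# Constructed sample reports in the ewido layout quoted in the thread,
# trimmed to the fields the parser reads.
REPORT_A = r"""
ewido security suite - Scan report
+ Created on: 3:29:23 PM, 6/16/2005
+ Scan result:
C:\WINNT\system32\drv2cltr.dll -> TrojanSpy.Agent.am -> Cleaned with backup
C:\Documents and Settings\RADBXD0\Cookies\radbxd0@zedo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
::Report End
"""
REPORT_B = r"""
ewido security suite - Scan report
+ Created on: 4:31:04 PM, 6/16/2005
+ Scan result:
No infected files found!
::Report End
"""
REPORT_C = r"""
ewido security suite - Scan report
+ Created on: 7:25:30 PM, 6/19/2005
+ Scan result:
C:\Documents and Settings\RADBXD0\Cookies\radbxd0@zedo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINNT\system32\drv2cltr.dll -> TrojanSpy.Agent.am -> Cleaned with backup
::Report End
"""

CREATED_RE = re.compile(r"^\+ Created on: (.+)$")
# "<path> -> <detection name> -> <action>"; the path may contain spaces.
RESULT_RE = re.compile(r"^(?P<path>.+?) -> (?P<name>\S+) -> (?P<action>.+)$")


def parse_report(text):
    """Return (created_at, [(path, detection, action), ...]) for one report.
    Paths are lower-cased: the thread's logs spell System32 both ways.
    """
    created_at = None
    findings = []
    in_results = False
    for line in text.splitlines():
        m = CREATED_RE.match(line)
        if m:
            created_at = datetime.strptime(m.group(1).strip(), "%I:%M:%S %p, %m/%d/%Y")
            continue
        if line.startswith("+ Scan result:"):
            in_results = True
            continue
        if line.startswith("::Report End"):
            break
        if in_results:
            m = RESULT_RE.match(line)
            if m:  # "No infected files found!" has no " -> " and is skipped
                findings.append((m.group("path").lower(), m.group("name"), m.group("action")))
    return created_at, findings


def recurring_detections(reports, ignore=("Spyware.Tracking-Cookie",)):
    """Map each path detected in more than one report to its detection times.

    A path cleaned in one report and detected again later was put back on
    disk by something still running, so the deletion tool is not the
    problem; whatever re-creates the file is.
    """
    parsed = sorted((parse_report(t) for t in reports), key=lambda r: r[0])
    seen = {}
    for created_at, findings in parsed:
        for path, name, _action in findings:
            if name in ignore:
                continue
            seen.setdefault(path, []).append(created_at)
    return {path: times for path, times in seen.items() if len(times) > 1}


if __name__ == "__main__":
    for path, times in recurring_detections([REPORT_A, REPORT_B, REPORT_C]).items():
        stamps = ", ".join(t.strftime("%Y-%m-%d %H:%M") for t in times)
        print(f"{path}: detected {len(times)} times ({stamps})")
```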

#44
Guest_usetobe_* (Guest)
Carry out another Silent Runners, please.

An online virus scan from the link below.

F-Secure

and another Ewido scan, all in normal mode, and if possible DO NOT switch off the PC until I get to reply to you.

#45
badaxe (Topic Starter)
"Silent Runners.vbs", revision 38, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"OfficeScanNT Monitor" = ""C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow" ["Trend Micro Inc."]
"RemoteAgent" = "C:\Program Files\Trend Micro\OfficeScan Client\RAUAgent.exe" ["Trend Micro Inc."]
"NANTSessionAgent" = "C:\Program Files\netOctopus Agent\nantsecc.exe" ["Netopia, Inc."]
"eabconfg.cpl" = "C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start" ["Compaq"]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express Access"
\StubPath = ""C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office 2000\Office\" [file not found]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\1033\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office\OLKFSTUB.DLL" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csrlz.exe" [file not found]

HKCU\Software\Policies\Microsoft\Windows\System\Scripts\
"Logon" -> launches: "\\na.###.com\SysVol\na.###.com\Policies\{33A2FE52-C95F-4D62-B886-8239088889C3}\User\Scripts\Logon\###.cmd" [** WMI GetObject error **]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "radbxd0" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Cisco Systems VPN Client" -> shortcut to: "C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe "-run_only_if_connected" "-auto_initiation"" ["Cisco Systems, Inc."]
"TabUserW.exe" -> shortcut to: "C:\WINNT\system32\Wtablet\TabUserW.exe" ["Wacom Technology, Corp."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 04, 07 - 12
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Cisco Systems, Inc. VPN Service, CVPND, ""C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
HID Input Service, HidServ, "C:\WINNT\system32\hidserv.exe" [MS]
netOctopus Agent, netOctopus Agent, "C:\Program Files\netOctopus Agent\Nant.exe" ["Netopia, Inc."]
OfficeScanNT Listener, tmlisten, "C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe" [null data]
OfficeScanNT RealTime Scan, ntrtscan, "C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe" ["Trend Micro Inc."]
TabletService, TabletService, "C:\WINNT\system32\Tablet.exe" ["Wacom Technology, Corp."]
VNC Server, winvnc, ""C:\Program Files\TightVNC\WinVNC.exe" -service" ["AT&T Research Labs Cambridge"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

F-SECURE came back clean.

(Kaspersky came back clean when I ran it this morning, as did Ewido, Spybot and Ad-Aware.)

Running Ewido again now.

At this point I'm pretty cranky that KillBox isn't doing the job. I'm very perturbed about this "PendingFileRename Operations removed by External Process" alert. Is something undoing the "Delete on Reboot" option?

Anyhow-- Ewido update shortly.