win32 trojan [CLOSED]

#31 Buckeye_Sam (Malware Expert)

Wow! What do you need me for? :tazz:

Your log is not showing any problems. Tell me what's happening on your end.

#32 kevlar061481 (Topic Starter)

I'll post my avast event log.
What's happening is I'm getting an alert from avast saying Win32:StartPage has been found in the m.bin file.
If I stop avast protection (or if I don't delete or move to chest when it prompts me)
I will then start getting the *.*.dll files being installed, and then it seems those ones will let search assistant be installed, and so on.

Also, I have what I thought to be a separate issue, but I'll let you know anyway.
I have a Windows file named "CAX0Y5DZ." I am not able to delete this file NO MATTER WHAT I DO. If I look at its properties it has 0 bytes; it appears to have no values at all. From what research I have found, the only way to remove it is by doing a complete reinstall of Windows, which I don't want to do.
So I don't know if this is letting this trojan be installed on my computer or not.

Also, it will only happen if I am connected to the internet.

So here's my avast log:


8/15/2005 2:29:29 AM SYSTEM 1272 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C5QVOP6R\m[1].bin" file.
8/15/2005 6:29:25 PM SYSTEM 1640 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\GXA7OBU3\m[1].bin" file.
8/16/2005 7:46:43 AM SYSTEM 1640 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
8/17/2005 2:29:14 AM SYSTEM 1616 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BHWI1HT3\m[1].bin" file.
8/17/2005 11:51:33 AM SYSTEM 1616 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
8/19/2005 3:52:32 PM SYSTEM 1616 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
8/21/2005 1:52:27 PM SYSTEM 1616 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
8/22/2005 3:19:59 PM SYSTEM 1616 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
8/23/2005 6:25:12 PM SYSTEM 1616 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
8/24/2005 9:19:37 PM SYSTEM 1616 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
8/25/2005 10:58:36 PM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
8/27/2005 7:45:59 AM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
8/28/2005 8:12:00 AM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
8/28/2005 5:27:09 PM SYSTEM 1524 Sign of "VBS:Malware [Script]" has been found in "http://pages.ebay.com/realestate/land.html\PxBC5F" file.
8/28/2005 5:27:18 PM SYSTEM 1524 Sign of "VBS:Malware [Script]" has been found in "http://pages.ebay.com/realestate/land.html\PxBC60" file.
8/28/2005 9:52:34 PM SYSTEM 1524 Sign of "VBS:Malware [Script]" has been found in "http://pages.ebay.com/realestate/land.html\PxBE4F" file.
8/29/2005 1:34:11 PM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
8/30/2005 6:29:13 AM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SHULNSWS\m[1].bin" file.
8/30/2005 7:28:42 PM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/1/2005 6:53:26 AM SYSTEM 1524 Sign of "Win32:StartPage-076 [Trj]" has been found in "C:\WINDOWS\TEMP\se.dll" file.
9/1/2005 7:35:27 AM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\WINDOWS\system32\ehl.dll" file.
9/1/2005 7:35:31 AM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\WINDOWS\system32\ehl.dll" file.
9/1/2005 7:35:35 AM SYSTEM 1524 Sign of "Win32:StartPage-076 [Trj]" has been found in "C:\DOCUME~1\Kevin\LOCALS~1\Temp\se.dll" file.
9/1/2005 7:35:37 AM SYSTEM 1524 Sign of "Win32:StartPage-076 [Trj]" has been found in "C:\DOCUME~1\Kevin\LOCALS~1\Temp\se.dll" file.
9/1/2005 2:47:05 PM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\WINDOWS\system32\ehl.dll" file.
9/1/2005 2:47:08 PM SYSTEM 1524 Sign of "Win32:StartPage-076 [Trj]" has been found in "C:\DOCUME~1\Kevin\LOCALS~1\Temp\se.dll" file.
9/1/2005 2:47:18 PM SYSTEM 1524 Sign of "Win32:StartPage-076 [Trj]" has been found in "C:\DOCUME~1\Kevin\LOCALS~1\Temp\se.dll" file.
9/1/2005 5:32:29 PM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\WINDOWS\system32\ehl.dll" file.
9/1/2005 5:32:35 PM SYSTEM 1524 Sign of "Win32:StartPage-076 [Trj]" has been found in "C:\DOCUME~1\Kevin\LOCALS~1\Temp\se.dll" file.
9/1/2005 5:32:38 PM SYSTEM 1524 Sign of "Win32:StartPage-076 [Trj]" has been found in "C:\DOCUME~1\KEVIN\LOCALS~1\TEMP\SE.DLL" file.
9/1/2005 7:01:44 PM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\WINDOWS\system32\ehl.dll" file.
9/1/2005 7:01:54 PM SYSTEM 1524 Sign of "Win32:StartPage-076 [Trj]" has been found in "C:\DOCUME~1\Kevin\LOCALS~1\Temp\se.dll" file.
9/2/2005 10:12:47 AM SYSTEM 1076 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/3/2005 4:40:30 PM SYSTEM 1076 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/4/2005 5:43:01 PM SYSTEM 1076 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/5/2005 9:10:50 AM SYSTEM 1076 Sign of "Win32:StartPage-076 [Trj]" has been found in "C:\WINDOWS\TEMP\se.dll" file.
9/5/2005 2:55:38 PM SYSTEM 1076 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\WINDOWS\system32\lknfa.dll" file.
9/5/2005 6:23:50 PM SYSTEM 608 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/6/2005 10:29:13 AM SYSTEM 608 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\42ZIFG8I\m[1].bin" file.
9/6/2005 6:55:28 PM SYSTEM 608 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/6/2005 7:16:24 PM SYSTEM 608 Sign of "VBS:Malware [Script]" has been found in "http://82.179.166.2/...Sh8B5bJUuRa8s3" file.
9/7/2005 7:48:58 PM SYSTEM 1432 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/7/2005 8:10:20 PM SYSTEM 1432 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/9/2005 12:29:13 PM SYSTEM 1512 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/9/2005 1:14:16 PM SYSTEM 1520 Sign of "Win32:StartPage-076 [Trj]" has been found in "C:\WINDOWS\TEMP\SE.DLL" file.
9/9/2005 1:14:30 PM SYSTEM 1520 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\windows\system32\jhlfba.dll" file.
9/10/2005 12:31:27 PM SYSTEM 1436 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/10/2005 2:29:18 PM SYSTEM 1436 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HJHGLVBM\m[1].bin" file.
9/11/2005 3:13:17 PM SYSTEM 2032 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/11/2005 8:33:02 PM SYSTEM 2032 Sign of "Win32:CTX" has been found in "http://www.pandasoftware.com/activescan/as5free/motor.cab\pskavs.DLL" file.
9/11/2005 8:34:00 PM SYSTEM 2032 Sign of "Win32:CTX" has been found in "http://www.pandasoftware.com/activescan/as5free/motor.cab\pskavs.DLL" file.
9/12/2005 3:28:56 PM SYSTEM 2032 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/13/2005 5:27:06 PM SYSTEM 2032 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/14/2005 2:29:17 AM SYSTEM 1544 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\42ZIFG8I\m[1].bin" file.
9/14/2005 12:51:37 PM SYSTEM 1544 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/15/2005 7:30:42 PM SYSTEM 1544 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/15/2005 7:48:56 PM SYSTEM 1544 Sign of "Win32:CTX" has been found in "http://www.pandasoftware.com/activescan/as5free/motor.cab\pskavs.DLL" file.
9/15/2005 7:49:42 PM SYSTEM 1544 Sign of "Win32:CTX" has been found in "http://www.pandasoftware.com/activescan/as5free/motor.cab\pskavs.DLL" file.
9/17/2005 10:17:49 AM SYSTEM 1544 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/19/2005 7:54:24 AM SYSTEM 1544 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/20/2005 12:22:10 PM SYSTEM 1544 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/24/2005 4:17:33 PM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/24/2005 6:29:21 PM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HJHGLVBM\m[1].bin" file.
9/24/2005 10:22:00 PM SYSTEM 1524 Sign of "Win32:Pacim-B [Adw]" has been found in "http://www.pacimedia...l/pcs_0002.exe" file.
9/25/2005 6:24:06 PM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/25/2005 10:29:17 PM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BHWI1HT3\m[1].bin" file.
9/26/2005 7:38:53 PM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/26/2005 10:29:18 PM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SHULNSWS\m[1].bin" file.
9/27/2005 5:13:42 PM SYSTEM 1524 Sign of "Win32:Pacim-B [Adw]" has been found in "http://www.pacimedia...l/pcs_0002.exe" file.
9/27/2005 8:03:14 PM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/27/2005 11:35:36 PM SYSTEM 1524 Sign of "Win32:StartPage-076 [Trj]" has been found in "C:\WINDOWS\TEMP\se.dll" file.
9/28/2005 8:54:10 AM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\WINDOWS\system32\hlcklbc.dll" file.
9/28/2005 8:54:18 AM SYSTEM 1524 Sign of "Win32:StartPage-076 [Trj]" has been found in "C:\DOCUME~1\Kevin\LOCALS~1\Temp\se.dll" file.
9/28/2005 9:45:02 AM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\WINDOWS\SYSTEM32\hlcklbc.dll" file.
9/28/2005 11:52:17 AM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\WINDOWS\system32\hlcklbc.dll" file.
9/28/2005 11:52:20 AM SYSTEM 1524 Sign of "Win32:StartPage-076 [Trj]" has been found in "C:\DOCUME~1\Kevin\LOCALS~1\Temp\se.dll" file.
9/28/2005 11:52:23 AM SYSTEM 1524 Sign of "Win32:StartPage-076 [Trj]" has been found in "C:\DOCUME~1\Kevin\LOCALS~1\Temp\se.dll" file.
9/28/2005 1:02:40 PM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\WINDOWS\system32\hlcklbc.dll" file.
9/28/2005 1:02:53 PM SYSTEM 1524 Sign of "Win32:StartPage-076 [Trj]" has been found in "C:\DOCUME~1\Kevin\LOCALS~1\Temp\se.dll" file.
9/28/2005 1:03:23 PM Kevin 3532 Sign of "Win32:StartPage-080 [Trj]" has been found in "c:\windows\system32\hlcklbc.dll" file.
9/28/2005 1:03:52 PM Kevin 3532 Sign of "Win32:StartPage-080 [Trj]" has been found in "c:\windows\system32\hlcklbc.dll" file.
9/28/2005 9:28:31 PM SYSTEM 616 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP594\A0052637.dll" file.
9/30/2005 5:28:31 PM SYSTEM 616 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP594\A0052637.dll" file.
10/2/2005 12:18:41 PM SYSTEM 1256 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\WINDOWS\system32\olocoba.dll" file.
10/2/2005 12:18:53 PM SYSTEM 1256 Sign of "Win32:StartPage-076 [Trj]" has been found in "C:\DOCUME~1\Kevin\LOCALS~1\Temp\se.dll" file.
10/2/2005 5:33:25 PM SYSTEM 1740 Sign of "Win32:Pacim-B [Adw]" has been found in "http://www.pacimedia...l/pcs_0002.exe" file.
10/2/2005 5:42:06 PM SYSTEM 1740 Sign of "Win32:CTX" has been found in "http://www.pandasoftware.com/activescan/as5free/motor.cab\pskavs.DLL" file.
10/3/2005 12:15:48 PM SYSTEM 1740 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.


Thanks again
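Added example (not from the thread or from any tool mentioned in it): a small Python triage script for avast event-log lines in the format posted above. It groups detections by signature and by where they were found, so the pattern in this log stands out: the same remote host serving m.bin again and again, a differently named DLL turning up in system32 each time, and infected copies surviving inside System Restore points. The sample lines are re-typed from the log above; nothing depends on avast being installed.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: seven lines re-typed from the avast log posted above,
# enough to show every location type the full log contains.
SAMPLE_LOG = r"""
8/15/2005 2:29:29 AM SYSTEM 1272 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\C5QVOP6R\m[1].bin" file.
8/16/2005 7:46:43 AM SYSTEM 1640 Sign of "Win32:StartPage-080 [Trj]" has been found in "http://66.98.144.29/m.bin" file.
9/1/2005 6:53:26 AM SYSTEM 1524 Sign of "Win32:StartPage-076 [Trj]" has been found in "C:\WINDOWS\TEMP\se.dll" file.
9/1/2005 7:35:27 AM SYSTEM 1524 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\WINDOWS\system32\ehl.dll" file.
9/5/2005 2:55:38 PM SYSTEM 1076 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\WINDOWS\system32\lknfa.dll" file.
9/11/2005 8:33:02 PM SYSTEM 2032 Sign of "Win32:CTX" has been found in "http://www.pandasoftware.com/activescan/as5free/motor.cab\pskavs.DLL" file.
9/28/2005 9:28:31 PM SYSTEM 616 Sign of "Win32:StartPage-080 [Trj]" has been found in "C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP594\A0052637.dll" file.
"""

# date, time, account, pid, signature name, and the file or URL it was seen in
LINE_RE = re.compile(
    r'^(?P<date>\d+/\d+/\d+) (?P<time>\d+:\d+:\d+ [AP]M) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<where>.+)" file\.$'
)


def parse_line(line):
    """Return the fields of one avast event line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(where):
    """Bucket a detection location so repeated patterns are easy to count."""
    w = where.lower()
    if w.startswith(("http://", "https://")):
        return "remote"          # caught while being downloaded
    if "\\temporary internet files\\" in w:
        return "ie_cache"        # the same download, landed in the IE cache
    if "\\system volume information\\" in w:
        return "system_restore"  # a copy kept by System Restore
    if "\\system32\\" in w:
        return "system32"        # the payload the download installs
    if "\\temp\\" in w:
        return "temp"
    return "other"


def triage(log_text):
    """Summarise an avast log: which signatures, from where, what got dropped."""
    by_signature = Counter()
    locations = Counter()
    remote_hosts = Counter()
    dropped = set()
    restore_copies = 0
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        by_signature[ev["sig"]] += 1
        bucket = classify(ev["where"])
        locations[bucket] += 1
        if bucket == "remote":
            remote_hosts[urlparse(ev["where"]).hostname] += 1
        elif bucket == "system32":
            # random-looking names in system32 are the thing to block/clean
            dropped.add(ev["where"].rsplit("\\", 1)[-1].lower())
        elif bucket == "system_restore":
            restore_copies += 1
    return {
        "by_signature": by_signature,
        "locations": locations,
        "remote_hosts": remote_hosts,
        "dropped_dlls": sorted(dropped),
        "restore_point_copies": restore_copies,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Run against the full log, the output makes the cleanup order obvious: the download source has to be blocked (or the machine kept offline, as the poster noticed), every system32 name listed has to go, and System Restore has to be purged or the copies come back.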

#33 kevlar061481 (Topic Starter)

Hello again.
I ran a different online scan, however it didn't clean my infected files,
so here's the log it created:


Scan started at 10/5/2005 7:23:01 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2D4R23IV\m[3].bin - Trojan:Win32/StartPage.UZ -> Infected
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6J8LGNIP\m[2].bin - Trojan:Win32/StartPage.UZ -> Infected
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\O9S1UTKF\m[3].bin - Trojan:Win32/StartPage.UZ -> Infected
C:\Program Files\WinRAR\Uninstall.exe - Backdoor:Win32/Poebot.E -> Suspicious
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP601\A0052718.dll - Trojan:Win32/StartPage.UZ -> Infected
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP601\A0052719.dll - Trojan:Win32/StartPage.UZ -> Infected
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP601\A0052720.dll - Trojan:Win32/StartPage.UZ -> Infected
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP601\A0052721.dll - Trojan:Win32/StartPage.UZ -> Infected
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP601\A0052722.dll - Trojan:Win32/StartPage.UZ -> Infected
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP601\A0052723.dll - Trojan:Win32/StartPage.UZ -> Infected
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP601\A0052724.dll - Trojan:Win32/StartPage.UZ -> Infected
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP601\A0052725.dll - Trojan:Win32/StartPage.UZ -> Infected
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP601\A0052726.dll - Trojan:Win32/StartPage.UZ -> Infected
C:\WINDOWS\SYSTEM32\egkhi.dll - Trojan:Win32/StartPage.UZ -> Infected
C:\WINDOWS\SYSTEM32\jmn.dll - Trojan:Win32/StartPage.UZ -> Infected
C:\WINDOWS\SYSTEM32\pnfjgoo.dll - Trojan:Win32/StartPage.UZ -> Infected

Scanned
============================
Objects: 52454
Directories: 4245
Archives: 2743
Size(Kb): -2025484
Infected files: 15

Found
============================
Viruses found: 1
Suspicious files: 1
Disinfected files: 0
Mail files: 128


I'm curious about this string:
C:\Program Files\WinRAR\Uninstall.exe - Backdoor:Win32/Poebot.E -> Suspicious

Well, I'm not going to delete anything yet because maybe you'll have a special procedure to remove these files or whatever.

Thanks for your help again.

#34 Buckeye_Sam (Malware Expert)

I need to get a couple more logs from you so I can make sure to see them all. Then we're going to get rid of the thing for you.



Please download DLLCompare

*Save it to your desktop and run it.
*Click 'Run Locate.com' to scan.
*When the scan has completed, click 'Compare'.
*When completed, click "Make a Log of What Was Found".
*Please Copy/Paste the entire contents of the logfile to this thread.

Note: If you get an error after pressing Run Locate.com:
copy autoexec.nt from c:\windows\repair\ folder to c:\windows\system32\ folder.


=============


Download and save BlackLight to your desktop. Double-click blbeta.exe, accept the agreement, leave [X] scan through Windows Explorer checked, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.

#35 kevlar061481 (Topic Starter)

Here's the F-Secure log.
It only found this one file:
sqlohop.dll


And this is what DLLCompare found:

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\sqlohop.dll Wed Jan 12 2005 2:00:22a A...R 57,344 56.00 K
________________________________________________

1,401 items found: 1,401 files, 0 directories.
Total of file sizes: 314,517,197 bytes 299.95 M

Administrator Account = True

--------------------End log---------------------

#36 kevlar061481 (Topic Starter)

10/05/05 21:41:10 [Info]: BlackLight Engine 1.0.23 initialized
10/05/05 21:41:10 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/05/05 21:41:10 [Note]: 4019 4
10/05/05 21:41:10 [Note]: 4005 0
10/05/05 21:41:12 [Note]: 4006 0
10/05/05 21:41:12 [Note]: 4011 1772
10/05/05 21:41:12 [Note]: FSRAW library version 1.7.1011
10/05/05 21:41:55 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\sqlohop.dll
10/05/05 21:41:55 [Note]: 4002 0
10/05/05 21:41:55 [Note]: 4003 1
10/05/05 21:41:55 [Note]: 10002 1
10/05/05 21:43:22 [Note]: 4007 0


This is the other log.

#37 Buckeye_Sam (Malware Expert)

Select this file in BlackLight and choose rename:

C:\WINDOWS\SYSTEM32\sqlohop.dll

The tool will ask if you want to reboot (restart); choose yes.


Run both of those scans (BlackLight and DLL Compare) again and post both logs.

#38 kevlar061481 (Topic Starter)

The same file is still there.

Here are the posts:

10/06/05 12:43:16 [Info]: BlackLight Engine 1.0.23 initialized
10/06/05 12:43:16 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/06/05 12:43:16 [Note]: 4019 4
10/06/05 12:43:16 [Note]: 4005 0
10/06/05 12:43:19 [Note]: 4006 0
10/06/05 12:43:19 [Note]: 4011 1772
10/06/05 12:43:20 [Note]: FSRAW library version 1.7.1011
10/06/05 12:44:02 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\sqlohop.dll
10/06/05 12:44:02 [Note]: 4002 0
10/06/05 12:44:02 [Note]: 4003 1
10/06/05 12:44:02 [Note]: 10002 1
10/06/05 12:44:53 [Note]: 4007 0




* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\sqlohop.dll Wed Jan 12 2005 2:00:22a A...R 57,344 56.00 K
________________________________________________

1,401 items found: 1,401 files, 0 directories.
Total of file sizes: 314,517,197 bytes 299.95 M

Administrator Account = True

--------------------End log---------------------
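Added example, not part of the thread and not code from DLLCompare or BlackLight: a Python script that parses both tools' logs in the format posted above and compares two DLLCompare runs, which is the check being made here (did the hidden file sit there unchanged across the rename and reboot, or was it removed and written again). The first two logs are re-typed from posts #35 and #38; the third is constructed to show what a recreated file would look like.

```python
import re

# One DLLCompare entry: path, modification time, attribute flags, byte size, human size.
DLLCOMPARE_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?) '
    r'(?P<mtime>[A-Za-z]{3} [A-Za-z]{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap]) '
    r'(?P<attrs>[A-Z.]+) (?P<size>[\d,]+) (?P<human>[\d.]+ [KMG])$'
)
# BlackLight reports rootkit-hidden objects on "Hidden file:" lines.
BLACKLIGHT_RE = re.compile(r'^\S+ \S+ \[Info\]: Hidden file: (?P<path>.+)$')

# Re-typed from the DLLCompare log in post #35.
LOG_RUN1 = r"""
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\sqlohop.dll Wed Jan 12 2005 2:00:22a A...R 57,344 56.00 K
________________________________________________

1,401 items found: 1,401 files, 0 directories.
--------------------End log---------------------
"""
LOG_RUN2 = LOG_RUN1  # post #38 shows the identical entry after the rename attempt
# Constructed (not from the thread): the entry a later run would show if the
# file had actually been deleted and then written again by the infection.
LOG_RECREATED = LOG_RUN1.replace("Wed Jan 12 2005 2:00:22a", "Thu Oct 06 2005 12:50:01p")
# Re-typed from the BlackLight log in post #36 (three of its lines).
BLACKLIGHT_LOG = r"""
10/05/05 21:41:10 [Info]: BlackLight Engine 1.0.23 initialized
10/05/05 21:41:55 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\sqlohop.dll
10/05/05 21:41:55 [Note]: 4003 1
"""


def parse_dllcompare(text):
    """Map each listed path (lower-cased, Windows is case-insensitive) to its details."""
    entries = {}
    for line in text.splitlines():
        m = DLLCOMPARE_RE.match(line.strip())
        if m:
            entries[m["path"].lower()] = {
                "path": m["path"],
                "mtime": m["mtime"],
                "size": int(m["size"].replace(",", "")),
                "attrs": m["attrs"],
            }
    return entries


def parse_blacklight_hidden(text):
    """Set of paths BlackLight flagged as hidden from the normal Windows API."""
    hidden = set()
    for line in text.splitlines():
        m = BLACKLIGHT_RE.match(line.strip())
        if m:
            hidden.add(m["path"].lower())
    return hidden


def compare_runs(before, after):
    """Verdict per path across two DLLCompare runs.

    persisted: same mtime and size, so the rename/delete never took effect
    recreated: present again but with a new mtime or size, so the dropper is live
    new/removed: appeared or disappeared between the runs
    """
    verdicts = {}
    for key, cur in after.items():
        old = before.get(key)
        if old is None:
            verdicts[key] = "new"
        elif (old["mtime"], old["size"]) == (cur["mtime"], cur["size"]):
            verdicts[key] = "persisted"
        else:
            verdicts[key] = "recreated"
    for key in before:
        if key not in after:
            verdicts[key] = "removed"
    return verdicts


def agreed_hidden(dllcompare_entries, blacklight_hidden):
    """Paths both tools report: a much stronger signal than either alone."""
    return sorted(set(dllcompare_entries) & blacklight_hidden)


if __name__ == "__main__":
    run1, run2 = parse_dllcompare(LOG_RUN1), parse_dllcompare(LOG_RUN2)
    print("both tools agree on:", agreed_hidden(run1, parse_blacklight_hidden(BLACKLIGHT_LOG)))
    print("run1 -> run2:", compare_runs(run1, run2))
    print("run2 -> recreated:", compare_runs(run2, parse_dllcompare(LOG_RECREATED)))
```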

#39 Buckeye_Sam (Malware Expert)

Download KillBox and unzip it to your desktop.

Open Killbox and select the Delete on reboot option.
Place a checkmark next to "Use dummy".
Copy and paste the following file to the field labeled "Full path of file to delete"

C:\WINDOWS\SYSTEM32\sqlohop.dll

Press the Delete button (the button that looks like a red circle with a white X in it).
A first dialog box will ask if you want to delete the file on reboot, press the YES button.
A second dialog box will ask you if you want to REBOOT now. Press the YES button.

Your computer will reboot.



Please post a new DLL Compare log.

#40 kevlar061481 (Topic Starter)

Hello,

I ran Killbox, but after I clicked reboot now it was searching for reg entries and it popped up this message:
"PendingFileRename operations Registry data has been removed by external process"

So I still have the C:\WINDOWS\SYSTEM32\sqlohop.dll.
I did a reboot anyway and it was still there.

Thanks

#41 kevlar061481 (Topic Starter)

I swore I just posted what I found, but I don't see it here.

So anyway, I'll say it again.

I ran Killbox and after it prompted me to reboot, it started to search for reg entries and then it popped up this message:
pendingfilerename operations registry data has been removed by external process

So nothing happened, and then I rebooted manually, but I still have the
C:\WINDOWS\SYSTEM32\sqlohop.dll file after running DLL Compare.

I think I mentioned this last time we tried this, but I don't see this file in my sys32 folder (I do have show hidden files checked).

Thanks
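Added example, not the thread's or Killbox's code: Killbox's delete-on-reboot works by queueing the path in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which Windows processes at the next boot, so the message above means the queue was emptied before the reboot and nothing was ever deleted. The Python below encodes and decodes that REG_MULTI_SZ layout (pairs of strings, empty destination means delete, a leading "!" means replace an existing file) and checks whether a path is still queued, all on constructed bytes; reading the live value needs Windows and is not shown.

```python
NT_PREFIX = "\\??\\"  # NT object-manager form used for paths in the value
VALUE_LOCATION = (r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
                  r"\PendingFileRenameOperations")


def strip_nt(p):
    """Turn \\??\\C:\\x into C:\\x; leave anything else alone."""
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def encode_pending_value(ops):
    """Build the REG_MULTI_SZ bytes for (source, destination) pairs.

    destination None  -> delete at boot (stored as an empty second string)
    destination str   -> rename at boot, stored with a leading '!' so an
                         existing file at the destination is replaced
    Every string is NUL-terminated and the list ends with one more NUL.
    """
    strings = []
    for src, dst in ops:
        strings.append(NT_PREFIX + src)
        strings.append("" if dst is None else "!" + NT_PREFIX + dst)
    text = "".join(s + "\x00" for s in strings) + "\x00"
    return text.encode("utf-16-le")


def decode_pending_value(raw):
    """Inverse of encode_pending_value. Empty strings are kept: they mean delete.

    Assumes a well-formed value (each string NUL-terminated plus a final
    list terminator), which is what the registry holds.
    """
    text = raw.decode("utf-16-le")
    if text.endswith("\x00"):
        text = text[:-1]          # list terminator
    parts = text.split("\x00")
    if parts and parts[-1] == "":
        parts.pop()               # left over from the last string's terminator
    if len(parts) % 2:
        raise ValueError("odd number of strings: value is malformed or truncated")
    ops = []
    for src, dst in zip(parts[::2], parts[1::2]):
        ops.append({
            "source": strip_nt(src),
            "action": "delete" if dst == "" else "rename",
            "destination": None if dst == "" else strip_nt(dst.lstrip("!")),
            "replace_existing": dst.startswith("!"),
        })
    return ops


def pending_delete(raw, path):
    """True if `path` is queued for deletion at the next boot (case-insensitive)."""
    return any(op["action"] == "delete" and op["source"].lower() == path.lower()
               for op in decode_pending_value(raw))


if __name__ == "__main__":
    # Constructed value: the two names the thread queues, plus one rename pair.
    raw = encode_pending_value([
        (r"C:\WINDOWS\SYSTEM32\sqlohop.dll", None),
        (r"C:\WINDOWS\SYSTEM32\sqlohop.dll.ren", None),
        (r"C:\temp\new.dll", r"C:\WINDOWS\SYSTEM32\good.dll"),
    ])
    for op in decode_pending_value(raw):
        print(op)
    print("queued:", pending_delete(raw, r"C:\WINDOWS\SYSTEM32\sqlohop.dll"))
    print("after the value is cleared:", pending_delete(b"\x00\x00", r"C:\WINDOWS\SYSTEM32\sqlohop.dll"))
```

Checking the value just before rebooting tells you whether the scheduled delete is still queued; an empty value at that point, as in this thread, means something on the machine removed it and the reboot will change nothing.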

#42 Buckeye_Sam (Malware Expert)

I'm beginning to get an idea of what we're dealing with here and even with hidden files showing you won't be able to see it. This is going to be a long fix. But even if it doesn't work we will be able to see when the file recreates itself. Please read these instructions carefully before you begin.

Print out these instructions and reboot your computer into Safe mode. Make sure you are not connected to the Internet.


Delete your temp files
  • Navigate to the C:\Windows\Temp folder.
    • Open the Temp folder
    • Select Edit -> Select All
    • Select Edit -> Delete (or press the delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Navigate to the C:\Windows\Prefetch folder.
    • Open the Prefetch folder
    • Select Edit -> Select All
    • Select Edit -> Delete (or press the delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Click Start -> Run and type %temp% in the Run box.
    • Select Edit -> Select All
    • Select Edit -> Delete (or press the delete button on your keyboard) to delete the entire contents of the Temp folder.
  • Click Start -> Control Panel -> Internet Options.
    • Select the General tab
    • Under "Temporary Internet Files" Click "Delete Files".
    • Put a check by "Delete Offline Content" and click OK.
    • Click on the Programs tab then click the "Reset Web Settings" button.
    • Click Apply then OK.
  • Empty the Recycle Bin.

===========


Run a full scan with Ewido and save the log to post in your next reply.


===========


Run Blacklight again, select this file and choose rename.

C:\WINDOWS\SYSTEM32\sqlohop.dll

Don't reboot yet!


===========


Run Killbox, place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each:

C:\WINDOWS\SYSTEM32\sqlohop.dll
C:\WINDOWS\SYSTEM32\sqlohop.dll.ren

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the second file name, at which time you should answer Yes.

If your computer does not restart automatically, please restart it manually.


===========


Don't let your computer boot back into normal mode yet, reboot into Safe mode again.

Please run another scan with Ewido in Safe mode. Save the log as log#2 and post it also in your next reply.

While still in Safe mode run DLL Compare and save the log to post in your next reply.


===========


Finally reboot back into normal mode and run DLL Compare one more time. Please save that log also and post in your next reply.

So in your next post I need to see logs from both Ewido scans, the DLL Compare log from Safe mode, and the DLL Compare log immediately upon returning to normal mode.

#43 kevlar061481 (Topic Starter)

Hello,

So I had some issues.
I completed the first Ewido scan.

But when I ran BlackLight it would not run in safe mode,
so I moved on and ran DLLCompare to see if the file was still there, which it was.
I then ran Killbox and put in the two files c:~sqlohop.dll and sqlohop.dll.ren,
but after I clicked reboot it did the same thing as before by searching the reg entries and then popping up a message saying
pendingfilerename operations registry data has been removed by external process

I then rebooted, so here's the Ewido scan anyway:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:15:13 PM, 10/7/2005
+ Report-Checksum: C39FDED4

+ Scan result:

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2D4R23IV\m[3].bin -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6J8LGNIP\m[2].bin -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\O9S1UTKF\m[3].bin -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP601\A0052718.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP601\A0052719.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP601\A0052720.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP601\A0052721.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP601\A0052722.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP601\A0052723.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP601\A0052724.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP601\A0052725.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP601\A0052726.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\dehchc.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\egkhi.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\jmn.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\pnfjgoo.dll -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End


And this was the DLL Compare log, which is the same as the others:

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\sqlohop.dll Wed Jan 12 2005 2:00:22a A...R 57,344 56.00 K
________________________________________________

1,398 items found: 1,398 files, 0 directories.
Total of file sizes: 314,468,045 bytes 299.90 M

Administrator Account = True

--------------------End log---------------------


Thanks

#44 Buckeye_Sam (Malware Expert)

I was hopeful that BlackLight would do its thing in safe mode.

I want you to perform those same steps but start with BlackLight and Killbox in normal mode. Then when you reboot only go back into Safe mode and follow the rest of the steps from there.

BTW, it's ok when you get that error from Killbox. It just means that you have to reboot manually.

Let me know how it goes.

#45 kevlar061481 (Topic Starter)

OK,
so I used BlackLight, then ran Killbox and put the two file names in there, and it restarted like it should. I booted into safe mode and ran Ewido, then ran DLLCompare,
which still had the same file in it.

So here are the log files.

Thanks Sam

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:57:17 PM, 10/7/2005
+ Report-Checksum: 2A15373F

+ Scan result:

C:\Documents and Settings\Kevin\Cookies\kevin@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Kevin\Cookies\kevin@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Kevin\Cookies\kevin@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP606\A0053008.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP606\A0053009.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP606\A0053010.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP606\A0053011.dll -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\sqlohop.dll Wed Jan 12 2005 2:00:22a A...R 57,344 56.00 K
________________________________________________

1,398 items found: 1,398 files, 0 directories.
Total of file sizes: 314,468,045 bytes 299.90 M

Administrator Account = True

--------------------End log---------------------


This is log 2 after booting normally:
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\sqlohop.dll Wed Jan 12 2005 2:00:22a A...R 57,344 56.00 K
________________________________________________

1,398 items found: 1,398 files, 0 directories.
Total of file sizes: 314,468,045 bytes 299.90 M

Administrator Account = True

--------------------End log---------------------