Seriously, I've grown fond of B&D. Take good care of him.
[resolved] Hijackthis
Started by
brokeanddumb
, Dec 15 2004 07:43 PM
#46
Posted 29 December 2004 - 03:53 PM
Seriously, I've grown fond of B&D. Take good care of him.
#47
Posted 29 December 2004 - 08:20 PM
Thank you so much! I appreciate all the time you've given this mess.
#48
Posted 29 December 2004 - 08:27 PM
Ok, here's what they say.....
Scanned file: kokovi.exe
kokovi.exe - packed with ASPack
kokovi.exe - infected by Trojan-Downloader.Win32.Qoologic.e
Scanned file: kokovi.exe
kokovi.exe - packed with ASPack
kokovi.exe - infected by Trojan-Downloader.Win32.Qoologic.e
#49
Posted 30 December 2004 - 03:40 AM
Ok, here's what they say.....
Scanned file: kokovi.exe
kokovi.exe - packed with ASPack
kokovi.exe - infected by Trojan-Downloader.Win32.Qoologic.e
I love it when I'm right.
Copy & paste post nr 40 in this thread and you'll see what I mean.
We'll need a different version of FindIt
http://castlecops.co...It NT-2K-XP.zip
The procedure is the same.
Let's see the log.
Regards,
Pieter
#50
Posted 30 December 2004 - 08:28 AM
I love it when you're right, too!! LOL, but the first part of your message was all Greek to me. Here's the new log,
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Documents and Settings\Tim Haferman\Desktop\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 1CE6-03E3
Directory of C:\WINDOWS\System32
12/29/2004 12:10 PM 9,216 Thumbs.db
11/13/2004 10:34 PM <DIR> DLLCACHE
01/09/2003 06:16 PM <DIR> Microsoft
06/07/2002 12:11 PM 260,608 IgorCDBurn.asp
05/04/2002 05:51 PM 99 IgorCDBurn.vkf
3 File(s) 269,923 bytes
2 Dir(s) 32,173,928,448 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 1CE6-03E3
Directory of C:\WINDOWS\System32
12/29/2004 12:10 PM 9,216 Thumbs.db
11/13/2004 10:34 PM <DIR> DLLCACHE
09/03/2002 08:57 AM 488 WindowsLogon.manifest
09/03/2002 08:57 AM 488 logonui.exe.manifest
09/03/2002 08:57 AM 749 cdplayer.exe.manifest
09/03/2002 08:57 AM 749 ncpa.cpl.manifest
09/03/2002 08:57 AM 749 nwc.cpl.manifest
09/03/2002 08:57 AM 749 sapi.cpl.manifest
09/03/2002 08:57 AM 749 wuaucpl.cpl.manifest
06/07/2002 12:11 PM 260,608 IgorCDBurn.asp
05/04/2002 05:51 PM 99 IgorCDBurn.vkf
10 File(s) 274,644 bytes
1 Dir(s) 32,173,924,352 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is 1CE6-03E3
Directory of C:\WINDOWS\System32
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is 1CE6-03E3
Directory of C:\WINDOWS\System32
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM32\auauio.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\pzpzlw.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\qmqmlz.exe: updates.qoologic.com
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\SYSTEM32\kokovi.exe: .aspack
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\vyvywa.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\npnpku.exe: .aspack
----------------- HKLM Run Key ------------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
"freesurfer"="C:\\Program Files\\Free Surfer\\fs20.exe"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"MediaFace Integration"="C:\\Program Files\\Fellowes\\MediaFACE 4.0\\SetHook.exe"
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"Narrator"="C:\\WINDOWS\\system32\\kokovi.exe"
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat is running from: C:\Documents and Settings\Tim Haferman\Desktop\Find It NT-2K-XP
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 1CE6-03E3
Directory of C:\WINDOWS\System32
12/29/2004 12:10 PM 9,216 Thumbs.db
11/13/2004 10:34 PM <DIR> DLLCACHE
01/09/2003 06:16 PM <DIR> Microsoft
06/07/2002 12:11 PM 260,608 IgorCDBurn.asp
05/04/2002 05:51 PM 99 IgorCDBurn.vkf
3 File(s) 269,923 bytes
2 Dir(s) 32,173,928,448 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is 1CE6-03E3
Directory of C:\WINDOWS\System32
12/29/2004 12:10 PM 9,216 Thumbs.db
11/13/2004 10:34 PM <DIR> DLLCACHE
09/03/2002 08:57 AM 488 WindowsLogon.manifest
09/03/2002 08:57 AM 488 logonui.exe.manifest
09/03/2002 08:57 AM 749 cdplayer.exe.manifest
09/03/2002 08:57 AM 749 ncpa.cpl.manifest
09/03/2002 08:57 AM 749 nwc.cpl.manifest
09/03/2002 08:57 AM 749 sapi.cpl.manifest
09/03/2002 08:57 AM 749 wuaucpl.cpl.manifest
06/07/2002 12:11 PM 260,608 IgorCDBurn.asp
05/04/2002 05:51 PM 99 IgorCDBurn.vkf
10 File(s) 274,644 bytes
1 Dir(s) 32,173,924,352 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is 1CE6-03E3
Directory of C:\WINDOWS\System32
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is 1CE6-03E3
Directory of C:\WINDOWS\System32
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
------------------ Locate.com Results ------------------
C:\WINDOWS\SYSTEM32\auauio.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\pzpzlw.dll: updates.qoologic.com
C:\WINDOWS\SYSTEM32\qmqmlz.exe: updates.qoologic.com
-------------- Strings.exe Aspack Results -------------
C:\WINDOWS\SYSTEM32\kokovi.exe: .aspack
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack
C:\WINDOWS\SYSTEM32\vyvywa.dat: .aspack
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\npnpku.exe: .aspack
----------------- HKLM Run Key ------------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
"freesurfer"="C:\\Program Files\\Free Surfer\\fs20.exe"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"MediaFace Integration"="C:\\Program Files\\Fellowes\\MediaFACE 4.0\\SetHook.exe"
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"Narrator"="C:\\WINDOWS\\system32\\kokovi.exe"
#51
Posted 30 December 2004 - 12:01 PM
Download and unzip:
http://www.downloads...org/KillBox.zip
Run killbox and paste each of these lines into the box, select delete on reboot then press the red X button, when it says reboot now, say no and continue to paste the lines into the box in turn and follow the above procedure every time, after the last line has been pasted let it reboot.
C:\WINDOWS\SYSTEM32\auauio.dll
C:\WINDOWS\SYSTEM32\pzpzlw.dll
C:\WINDOWS\SYSTEM32\qmqmlz.exe
C:\WINDOWS\SYSTEM32\vyvywa.dat
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\npnpku.exe
C:\WINDOWS\SYSTEM32\kokovi.exe <= do this one last
After the reboot post a new HijackThis log
Regards,
Pieter
http://www.downloads...org/KillBox.zip
Run killbox and paste each of these lines into the box, select delete on reboot then press the red X button, when it says reboot now, say no and continue to paste the lines into the box in turn and follow the above procedure every time, after the last line has been pasted let it reboot.
C:\WINDOWS\SYSTEM32\auauio.dll
C:\WINDOWS\SYSTEM32\pzpzlw.dll
C:\WINDOWS\SYSTEM32\qmqmlz.exe
C:\WINDOWS\SYSTEM32\vyvywa.dat
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\npnpku.exe
C:\WINDOWS\SYSTEM32\kokovi.exe <= do this one last
After the reboot post a new HijackThis log
Regards,
Pieter
#52
Posted 30 December 2004 - 12:38 PM
Ok, everything seemed to go smoothly. Here's the new log. Thanks!
Logfile of HijackThis v1.99.0
Scan saved at 12:38:25 PM, on 12/30/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Free Surfer\fs20.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\unzipped\hijackthis\HijackThis.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\kokovi.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: strings.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: High Stakes Poker by pogo - http://game5.pogo.co...r-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.co...s-ob-assets.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C0FB0B4-F511-4F69-BE36-305D5C049380}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service - Unknown - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
Logfile of HijackThis v1.99.0
Scan saved at 12:38:25 PM, on 12/30/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Free Surfer\fs20.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\unzipped\hijackthis\HijackThis.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\kokovi.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: strings.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: High Stakes Poker by pogo - http://game5.pogo.co...r-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.co...s-ob-assets.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C0FB0B4-F511-4F69-BE36-305D5C049380}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service - Unknown - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
#53
Posted 30 December 2004 - 01:28 PM
Success at last.
You can tell the trojan was disabled since it can no longer hide it's startup.
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\kokovi.exe
O4 - Global Startup: strings.exe
Reboot and you should be fine.
Regards,
Pieter
You can tell the trojan was disabled since it can no longer hide it's startup.
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\kokovi.exe
O4 - Global Startup: strings.exe
Reboot and you should be fine.
Regards,
Pieter
#54
Posted 30 December 2004 - 01:41 PM
You're the GREATEST! Thanks so much! I'd take ya to the local gin mill for a beverage of your choice if I could, lol. Happy New Year and thanks again to you and CW.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users