Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

CoolWWWSearch, Guard.tmp, Umonitor

Started by dasace , Jan 08 2005 03:00 AM

  • This topic is locked This topic is locked

#16
dasace
Posted 09 January 2005 - 12:17 AM

dasace

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Awesome, everything seems to be running fine. Incredibly appreciate your help! Sites like this make the web what it is.

On another note for everyone:
Since it was Azerous Bit Torrent that apprently got me into this mess, what is your opinion on BT? It seems like a nice technology, but is it safe to run?

AL
  • 0

Advertisements

#17
Metallica
Posted 09 January 2005 - 04:00 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I have helped a lot of people get rid of CWS and VX2 that never even heard of BT, so dumping it will not make you safe.

Have to admit I had to look it up too. All filesharers come with a risk, since it all comes down to letting people snoop on your computer. However well restricted, others are going to look for and find holes in it.

Safe Surfing,

Pieter

PS Thanks for the file. I'm going to torture it and reply to your mail what I find out.
:tazz:

Edited by Metallica, 09 January 2005 - 05:09 AM.

  • 0

#18
ph0enix2005
Posted 20 January 2005 - 08:31 AM

ph0enix2005

    New Member

  • Member
  • Pip
  • 7 posts
This one is a real PITA. I'm having the exact same problem on a friend's laptop. I've tried everything that I normally do to remove spyware and nothing works. I temporarily removed rundll32.exe from the System32/dllcache folders so all the crap doesn't start when the systems boots but other things run now at startup. It looks like files with random names get created (both EXE and DLL) on boot, then when I go into safe mode to delete them they're gone. Forget Spybot and AdAware - they do absolutely nothing for this pest. I'm losing my mind.
  • 0

#19
ph0enix2005
Posted 20 January 2005 - 09:48 AM

ph0enix2005

    New Member

  • Member
  • Pip
  • 7 posts
After a day of f*cking with it I'm ready to back up user data and format the d*** thing. c:\windows\system32\wygqqr.exe and c:\windows\system32\guard.tmp get recreated every time I restart Windows no matter what I do. I've deleted all temp folders a bunch of times and it's just not getting better.
  • 0

#20
-=jonnyrotten=-
Posted 20 January 2005 - 01:43 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Welcome to Geeks to Go phoenix2005,

Please read this post: http://www.geekstogo...?showtopic=2852

And post your log here:
http://www.geekstogo...hp?showforum=37
  • Download

    finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into the same post as the Hijack This log.
-=jonnyrotten=- :tazz:
  • 0

#21
ph0enix2005
Posted 21 January 2005 - 08:36 AM

ph0enix2005

    New Member

  • Member
  • Pip
  • 7 posts

Welcome to Geeks to Go phoenix2005,

Please read this post: http://www.geekstogo...?showtopic=2852

And post your log here:
http://www.geekstogo...s_Logs-f37.html

  • Download

    finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into the same post as the Hijack This log.
-=jonnyrotten=- :tazz:

View Post



Thanks for the offer! ...I think I finally got it under control. I ended up removing all permissions from the two above mentioned files so they wouldn't be able to run at startup. After that I installed the Microsoft (Giant really) AntiSpyware application and ran it. It found a bunch of stuff that AdAware and Spybot didn't catch. I'm running the find.bat utility right now and I'll post the log when I'm finished anyway.

Thanks again!
  • 0

#22
ph0enix2005
Posted 21 January 2005 - 09:13 AM

ph0enix2005

    New Member

  • Member
  • Pip
  • 7 posts
Here goes output.txt:

[code=auto:0]
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\jacks\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 4C4A-A266

Directory of C:\WINDOWS\System32

01/21/2005 08:38 AM <DIR> dllcache
03/30/2003 10:28 PM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 3,587,588,096 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 4C4A-A266

Directory of C:\WINDOWS\System32

01/21/2005 08:38 AM <DIR> dllcache
01/19/2005 09:19 AM 488 logonui.exe.manifest
01/19/2005 09:19 AM 488 WindowsLogon.manifest
01/19/2005 09:19 AM 749 wuaucpl.cpl.manifest
01/19/2005 09:19 AM 749 sapi.cpl.manifest
01/19/2005 09:19 AM 749 cdplayer.exe.manifest
01/19/2005 09:19 AM 749 nwc.cpl.manifest
01/19/2005 09:19 AM 749 ncpa.cpl.manifest
7 File(s) 4,721 bytes
1 Dir(s) 3,587,588,096 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 4C4A-A266

Directory of C:\WINDOWS\System32

01/20/2005 02:24 PM 5 guard.tmp
1 File(s) 5 bytes
0 Dir(s) 3,587,584,000 bytes free

------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 4C4A-A266

Directory of C:\WINDOWS\System32

01/20/2005 02:24 PM 5 guard.tmp
08/18/2001 07:00 AM 2,577 CONFIG.TMP
2 File(s) 2,582 bytes
0 Dir(s) 3,587,584,000 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{73BF820A-BF7F-4E56-9222-005FB4BE1431}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\irp0l57m1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINDOWS\\system32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
cdplay~1.man Wed Jan 19 2005 9:19:06a A..HR 749 0.73 K
logonu~1.man Wed Jan 19 2005 9:19:32a A..HR 488 0.48 K
ncpacp~1.man Wed Jan 19 2005 9:19:06a A..HR 749 0.73 K
nwccpl~1.man Wed Jan 19 2005 9:19:06a A..HR 749 0.73 K
sapicp~1.man Wed Jan 19 2005 9:19:06a A..HR 749 0.73 K
window~1.man Wed Jan 19 2005 9:19:32a A..HR 488 0.48 K
wuaucp~1.man Wed Jan 19 2005 9:19:06a A..HR 749 0.73 K

7 items found: 7 files, 0 directories.
Total of file sizes: 4,721 bytes 4.61 K

-------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\eznssb.dll: updates.qoologic.com
C:\WINDOWS\system32\hpaxxw.exe: updates.qoologic.com

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


CODE]
  • 0

#23
ph0enix2005
Posted 21 January 2005 - 09:16 AM

ph0enix2005

    New Member

  • Member
  • Pip
  • 7 posts
How do I edit a post. I made a boo-boo with the CODE tags that I'd like to fix.
  • 0

#24
-=jonnyrotten=-
Posted 21 January 2005 - 02:47 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
You still have a small trace of VX2 in your system, but I really need you to post your log in the Hijack This logs/Malware Removal forum, and not in this post that is already started.

-=jonnyrotten=- :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP