Interesting bug I'm fighting here...
#1
My system is a Dell Dimension 8300 with Windows XP Pro Version 2002 Service Pack 1.

Okay, clicked on a site about two weeks ago (can't remember what now in the shuffle). I had all of the bells and whistles on in I.E. (Version 6.0.2800.1106.xpsp2.030422-1633) from a visit to a former site where I needed them on to download something. I hit whatever site it was and noticed some process take off in the background. After this I noticed that Symantec Norton Antivirus (enterprise edition) wouldn't "LiveUpdate" anymore, the autoprotect wouldn't come on, and it tried to run an installer every time I right-clicked on any file or folder. I then noticed a bunch of suspect-looking processes running in the background. It seemed to me that several system files had been replaced or modified. The Fax service was started, some web services and ftp functions had been started. There were a couple of new items in the "Remove Programs" dialogue. One was "Multimedia Resources" or some such thing, I can't remember the other one. I uninstalled a bunch of stuff using System Mechanic. I finally reset my hosts file after finding some weird settings there (such as one regarding www.dcsresearch.com). I'm coming here after a couple of weeks of fighting whatever's on here with Spybot, Adaware, HijackThis, a Bart disk with Avast on it, and many butcherings of my registry file. My computer still boots, but will no longer connect to the internet. I know I'm still being pawned by something here. Here's a HijackThis log generated today (after restoring some values that I deleted the last time I ran it. I was trying to see if I could get the network to hook back up - even through the "bad guy" settings, and to make sure I hadn't obliterated the tracks of whatever I'm fighting here):

Logfile of HijackThis v1.99.0
Scan saved at 2:26:15 PM, on 1/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\DriveCrypt\DcrServ.exe
C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HFXP\hfxp.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\eyeJdis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft's Dud of a Browser
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Á´½Ó
R3 - URLSearchHook: (no name) - {30192F8D-0958-44E6-B54D-331FD39AC959} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4E4153202020} - (no file)
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [Realtime Audio Engine] mmrtkrnl.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Digital Patrol Update 5] C:\Program Files\Proantivirus Lab\Digital Patrol Scanner 5.0\update.exe /autoupdate
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TDS3] C:\Program Files\TDS3\TDS-3.exe
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [hfxp] C:\Program Files\HFXP\hfxp.exe
O4 - HKCU\..\Run: [Qrbmetb] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [Sarc] C:\Documents and Settings\tjackson\Application Data\er????.exe
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Secure Tunnel.lnk = C:\Program Files\Secure Tunnel\stunnel.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: iSiloX Clipper - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - C:\Program Files\iSilo\iSiloX\iSiloXIE.dll (HKCU)
O9 - Extra 'Tools' menuitem: iSiloX Clipper... - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - C:\Program Files\iSilo\iSiloX\iSiloXIE.dll (HKCU)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: WebWorks Help 2.0 - file://C:\Program Files\Corel\Bryce 5\Help\wwhelp2.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...a29296baabe1d6
O16 - DPF: {20AD521D-3A3E-11D4-BC32-0050040D952B} (SwIcdInstall Class) - file://C:\DOCUME~1\tjackson\LOCALS~1\Temp\WZS18.tmp\swicdad.cab
O16 - DPF: {4DB79B88-84B2-11D3-81B4-525400E7AB54} (Axe Control) - file://C:\DOCUME~1\tjackson\LOCALS~1\Temp\WZS18.tmp\axe.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O20 - AppInit_DLLs: InstallHook.dll
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Alias Wavefront Help Server - Unknown - C:\Program Files\AliasWavefront\Maya5.0\docs\Wrapper.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Event Manager - Unknown - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Settings Manager - Unknown - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Unknown - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: DriveCrypt Service - Unknown - C:\Program Files\DriveCrypt\DcrServ.exe
O23 - Service: Gear Security Service - GEAR Software - (no file)
O23 - Service: GhostStartService - Unknown - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe (file missing)
O23 - Service: iPod Service - Unknown - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service - GFI Software Ltd. - C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe (file missing)
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe
O23 - Service: SAVRoam - Unknown - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Symantec Network Drivers Service - Unknown - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec AntiVirus - Unknown - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)

Thanks for any help you might add to my misguided little war here.
#2
Let's try this. Download CW Shredder:
http://www.spyware911.net/downloads/CWShredder.exe
Open it and hit the "Fix" tab to fix all found problems.

Then: download the TDS-3 trojan scanner from http://tds.diamondcs.com.au/index.php?page=download
Then you will need to manually update it, so follow the instructions given here: http://tds.diamondcs.com.au/index.php?page=update
Now open the program, pause until it's finished its mini test, then click System Testing / Full Scan.
If anything is found, right-click and select Delete for each when the scan completes.
Reboot at this time and post a fresh HijackThis log.
#3
|
||||
|
||||
|
Then:
First download reglite from here: http://www.spyware911.net/downloads/reglite.exe
Install it, run it, and copy and paste this line into reglite's address bar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
and hit the "go" tab.
Find the "Appinit_Dlls" value in the right side panel, double-click it, and copy and post here the following fields:
-Size:
-Value:
The most important thing is that you see a dll there. Paste the name of the dll here please..
Also I may be out for an hour, but don't lose faith please, I think we can nuke this one as I have in the past as well.
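The helper's instructions above, like the first post's log, come down to reading a HijackThis log by eye for a few tell-tale entries (the 127.0.0.1:8080 proxy, the O15 trusted-zone IP, the O4 autostarts whose file names HijackThis prints with ?, the O20 AppInit_DLLs hook, the Symantec services whose binaries are missing) and to checking the AppInit_DLLs value by hand. The script below is an added example, not code posted in this thread and not part of HijackThis, Spybot or Registrar Lite; it re-joins a log that a forum has flattened onto one line and then applies those same checks automatically. The sample log is constructed for the example from the entries quoted in this thread.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the entry deserves a closer look
    entry: str     # the log line as written


# Every HijackThis entry starts with a section code such as "R1 - " or "O23 - ".
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")

# Patterns for the indicators discussed in this thread.
LOCAL_PROXY_RE = re.compile(r"ProxyServer = 127\.0\.0\.1:\d+")
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(.*?)\] (.*)$")
TRUSTED_RE = re.compile(r"^Trusted IP range: (\S+)")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (.*)$")
SERVICE_RE = re.compile(r"^Service: (.*?) - (.*?) - (.*)$")


def split_flattened(text: str) -> str:
    """Put each HijackThis entry back on its own line.

    Forum software often joins a pasted log into one long line; every entry
    still starts with a section code, so a newline is inserted before each one.
    """
    return re.sub(r"\s+(?=[RO]\d+ - )", "\n", text)


def triage(log_text: str) -> list[Finding]:
    """Return the entries that match one of the indicators above, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, "Running processes" paths, blank lines
        section, rest = m.groups()

        if section == "R1" and LOCAL_PROXY_RE.search(rest):
            findings.append(Finding(section, "IE traffic is routed through a proxy on localhost, "
                                    "so another process on the machine sees or blocks every request", line))
        elif section == "O1":
            hm = HOSTS_RE.match(rest)
            if hm:
                findings.append(Finding(section, f"hosts file pins {hm.group(2)} to {hm.group(1)}", line))
        elif section == "O4":
            rm = RUN_RE.match(rest)
            if rm and "?" in rm.group(2):
                findings.append(Finding(section, "autostart target contains characters HijackThis "
                                        "could not print (non-ASCII or unprintable file name)", line))
        elif section == "O15":
            tm = TRUSTED_RE.match(rest)
            if tm:
                findings.append(Finding(section, f"{tm.group(1)} sits in the IE Trusted sites zone, "
                                        "where ActiveX and scripting restrictions are relaxed", line))
        elif section == "O20":
            am = APPINIT_RE.match(rest)
            if am and am.group(1).strip():
                findings.append(Finding(section, f"AppInit_DLLs loads {am.group(1).strip()} into every "
                                        "process that maps user32.dll", line))
        elif section == "O23":
            sm = SERVICE_RE.match(rest)
            if sm and sm.group(3).endswith("(file missing)") and sm.group(2) == "Unknown":
                findings.append(Finding(section, f"service '{sm.group(1)}' is registered but its "
                                        "executable is gone", line))
    return findings


# Constructed sample, modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKCU\..\Run: [Qrbmetb] C:\WINDOWS\System32\??chost.exe
O4 - HKCU\..\Run: [Sarc] C:\Documents and Settings\tjackson\Application Data\er????.exe
O15 - Trusted IP range: 206.161.125.149
O20 - AppInit_DLLs: InstallHook.dll
O23 - Service: Symantec AntiVirus - Unknown - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.entry}")
```

Run it as-is to see the seven flagged entries from the sample; to use it on a log copied from a forum post, pass the pasted text through split_flattened() first and then triage() the result. The rules are deliberately narrow: an O4 entry is only flagged for unprintable characters, and an O23 entry only when the publisher is "Unknown" and the binary is missing, so a clean log with many legitimate autostarts produces no noise.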
#4
Sorry, had to actually boot myself into "work" mode for a while. Looks like I won't get back to this until tomorrow morning; I will do as you say and look forward to posting the results tomorrow morning.
Thanks
#5
All in your time my friend and take care until then..
#6
Warning! Long Post!
Okay, back in the saddle here. I'm actually on a different PC today (home) where I'm having the same problem. I did a clean install (thoroughly wiped HD to begin with) with Windows 2003 Server on an HP Vectra P4 1.8 GHz. After booting up in the clean install, I installed the following items: TDS-3, TauScan, Ewido Security Suite, F-Prot, Spybot 1.3 with TeaTimer active, Ad-Aware, and Registrar Lite. I then shut the system down and installed a hard drive I believe to be infected (on purpose, I want to figure this one out) as the slave drive. I copied some modem drivers from the slave to the clean install and ran the Hardware Installer, which found and installed the modem. Last time I tried this the clean install ended up infected. I suspect this is some kind of hybrid that seems to be able to co-opt existing applications and has some nasty re-install features. Here are some of the changes as tracked by Spybot:

Before Reboot:

Resident Services (Spybot):
1/8/2005 9:24:08 AM Allowed value "Tau Monitor" (new data: "C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe") added in System Startup global entry!
1/8/2005 9:47:47 AM Allowed value "FRISK FP-Scheduler" (new data: ""C:\Program Files\FSI\F-Prot\F-Sched.exe" STARTUP") added in System Startup global entry!
1/8/2005 9:47:49 AM Allowed value "F-StopW" (new data: "C:\Program Files\FSI\F-Prot\F-StopW.EXE") added in System Startup global entry!
1/8/2005 9:48:02 AM Allowed value "FRISK FP-Scheduler" (new data: "C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP") changed in System Startup global entry!
1/8/2005 9:48:03 AM Allowed value "InstallShieldSetup" (new data: "C:\PROGRA~1\INSTAL~1\{9FD12~1\setup.exe -rebootC:\PROGRA~1\INSTAL~1\{9FD12~1\reboot.ini -l0x9") added in System Startup global entry!
1/8/2005 10:34:56 AM Allowed value "3c1807pd" (new data: "C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd") added in System Startup global entry!

Spybot S&D full scan:
--- Search result list ---
Log: Activity: imsins.log (Backup file, nothing done) C:\WINDOWS\imsins.log
Log: Activity: OEWABLog.txt (Backup file, nothing done) C:\WINDOWS\OEWABLog.txt
Log: Install: comsetup.log (Backup file, nothing done) C:\WINDOWS\comsetup.log
Log: Install: ocgen.log (Backup file, nothing done) C:\WINDOWS\ocgen.log
Log: Install: setupact.log (Backup file, nothing done) C:\WINDOWS\setupact.log
Log: Install: setupapi.log (Backup file, nothing done) C:\WINDOWS\setupapi.log
Log: Install: setuplog.txt (Backup file, nothing done) C:\WINDOWS\setuplog.txt
Log: Install: wmsetup.log (Backup file, nothing done) C:\WINDOWS\wmsetup.log
Log: Install: DtcInstall.log (Backup file, nothing done) C:\WINDOWS\DtcInstall.log
Log: Shutdown: System32\wbem\logs\mofcomp.log (Backup file, nothing done) C:\WINDOWS\System32\wbem\logs\mofcomp.log
Log: Shutdown: System32\wbem\logs\setup.log (Backup file, nothing done) C:\WINDOWS\System32\wbem\logs\setup.log
Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done) C:\WINDOWS\System32\wbem\logs\wbemess.log
Log: Shutdown: System32\wbem\logs\wbemprox.log (Backup file, nothing done) C:\WINDOWS\System32\wbem\logs\wbemprox.log
Log: Shutdown: System32\wbem\logs\wmiadap.log (Backup file, nothing done) C:\WINDOWS\System32\wbem\logs\wmiadap.log
Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done) C:\WINDOWS\System32\wbem\logs\wmiprov.log
Internet Explorer: URL history #1 (2 files) (Registry key, nothing done) HKEY_USERS\S-1-5-21-19134301-3420334847-756691673-500\Software\Microsoft\Internet Explorer\TypedURLs
Internet Explorer: User agent (Registry change, nothing done) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)
Internet Explorer: User agent (Registry change, nothing done) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)
Internet Explorer: User agent (Registry change, nothing done) HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)
Internet Explorer: User agent (Registry change, nothing done) HKEY_USERS\S-1-5-21-19134301-3420334847-756691673-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)
Internet Explorer: User agent (Registry change, nothing done) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!=Mozilla/4.0 (compatible; MSIE; Win32)
MS Management Console: Recent command list (1 files) (Registry key, nothing done) HKEY_USERS\S-1-5-21-19134301-3420334847-756691673-500\Software\Microsoft\Microsoft Management Console\Recent File List
MS Media Player: Client ID (Registry change, nothing done) HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=
MS Media Player: Client ID (Registry change, nothing done) HKEY_USERS\S-1-5-19\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=
MS Media Player: Client ID (Registry change, nothing done) HKEY_USERS\S-1-5-20\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=
MS Media Player: Client ID (Registry change, nothing done) HKEY_USERS\S-1-5-21-19134301-3420334847-756691673-500\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=
MS Media Player: Client ID (Registry change, nothing done) HKEY_USERS\S-1-5-18\Software\Microsoft\MediaPlayer\Player\Settings\Client ID!=
Windows: Drivers installation paths (Registry change, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources!=
Windows Explorer: Stream history (15 files) (Registry key, nothing done) HKEY_USERS\S-1-5-21-19134301-3420334847-756691673-500\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
Windows Explorer: User Assistant history IE (4 files) (Registry key, nothing done) HKEY_USERS\S-1-5-21-19134301-3420334847-756691673-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Windows Explorer: User Assistant history files (41 files) (Registry key, nothing done) HKEY_USERS\S-1-5-21-19134301-3420334847-756691673-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Windows Explorer: Recent file global history (Registry key, nothing done) HKEY_USERS\S-1-5-21-19134301-3420334847-756691673-500\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Congratulations!: No immediate threats were found. ()

--- Spybot - Search & Destroy version: 1.3 .1TX (build: 20040801) ---
2004-05-12 blindman.exe (1.0.0.0)
2004-08-30 SpybotSD.exe (1.3.0.12)
2004-05-12 TeaTimer.exe (1.3.0.12)
2004-06-15 unins000.exe (51.15.0.0)
2004-05-12 Update.exe (1.3.0.0)
2004-05-12 advcheck.dll (1.0.1.0)
2004-05-12 borlndmm.dll (7.0.4.453)
2004-05-12 delphimm.dll (7.0.4.453)
2004-05-12 SDHelper.dll (1.3.0.12)
2004-05-12 Tools.dll (2.0.0.0)
2004-05-12 UnzDll.dll (1.73.1.1)
2004-05-12 ZipDll.dll (1.73.2.0)
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi

--- System information ---
Windows 2003 (Build: 3790)

--- Startup entries list ---
Located: HK_LM:Run, 3c1807pd
  command: C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
  file: C:\WINDOWS\SYSTEM32\3cmlink.exe
  size: 73728
  MD5: 0d23fae502baadf1902bf9b237aa90de
Located: HK_LM:Run, FRISK FP-Scheduler
  command: C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
Located: HK_LM:Run, F-StopW
  command: C:\Program Files\FSI\F-Prot\F-StopW.EXE
  file: C:\Program Files\FSI\F-Prot\F-StopW.EXE
  size: 296400
  MD5: bed11a16910ef235b702342a5b8be6c9
Located: HK_LM:Run, Tau Monitor
  command: C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
  file: C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
  size: 125440
  MD5: e83755b46c1dd2e54c4dc0871c854cba
Located: HK_CU:Run, SpybotSD TeaTimer
  command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
  file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
  size: 1038336
  MD5: 58f7e6434d285f4c98ad3621e0bd8c8d
Located: WinLogon, crypt32chain
  command: crypt32.dll
Located: WinLogon, cryptnet
  command: cryptnet.dll
Located: WinLogon, cscdll
  command: cscdll.dll
Located: WinLogon, ScCertProp
  command: wlnotify.dll
Located: WinLogon, Schedule
  command: wlnotify.dll
Located: WinLogon, sclgntfy
  command: sclgntfy.dll
Located: WinLogon, SensLogn
  command: WlNotify.dll
Located: WinLogon, termsrv
  command: wlnotify.dll
Located: WinLogon, wlballoon
  command: wlnotify.dll

--- Browser helper object list ---

--- ActiveX list ---

--- Process list ---
PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 212 (1948) C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
PID: 224 (1948) C:\Program Files\FSI\F-Prot\F-Sched.exe
PID: 228 (1948) C:\Program Files\FSI\F-Prot\F-StopW.EXE
PID: 232 (1948) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PID: 408 ( 4) \SystemRoot\System32\smss.exe
PID: 456 ( 408) csrss.exe
PID: 488 ( 408) \??\C:\WINDOWS\system32\winlogon.exe
PID: 532 ( 488) C:\WINDOWS\system32\services.exe
PID: 544 ( 488) C:\WINDOWS\system32\lsass.exe
PID: 720 ( 532) C:\WINDOWS\system32\svchost.exe
PID: 760 ( 532) C:\WINDOWS\System32\svchost.exe
PID: 780 ( 720) wmiprvse.exe
PID: 916 ( 532) svchost.exe
PID: 944 ( 532) svchost.exe
PID: 960 ( 532) C:\WINDOWS\System32\svchost.exe
PID: 1104 ( 532) C:\WINDOWS\system32\spoolsv.exe
PID: 1128 ( 532) msdtc.exe
PID: 1260 ( 532) C:\WINDOWS\System32\svchost.exe
PID: 1288 ( 532) C:\Program Files\ewido\security suite\ewidoctrl.exe
PID: 1300 ( 532) C:\Program Files\ewido\security suite\ewidoguard.exe
PID: 1384 ( 532) C:\Program Files\FSI\F-Prot\fpavupdm.exe
PID: 1424 ( 532) svchost.exe
PID: 1464 ( 532) C:\WINDOWS\System32\svchost.exe
PID: 1632 ( 532) C:\WINDOWS\system32\Dfssvc.exe
PID: 1948 (1912) C:\WINDOWS\Explorer.EXE
PID: 2764 (2700) C:\WINDOWS\SYSTEM32\3cmlink.exe
PID: 2788 (2764) C:\WINDOWS\SYSTEM32\3cshtdwn.exe
PID: 2800 (2764) C:\WINDOWS\SYSTEM32\3cmlink.exe
PID: 3088 (1948) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
Spybot - Search && Destroy process list report, 1/8/2005 11:23:22 AM

--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 1/8/2005 11:23:22 AM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page res://shdoclc.dll/hardAdmin.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL res://shdoclc.dll/hardAdmin.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\First Home Page res://shdoclc.dll/hardAdmin.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page %SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant http://ie.search.msn.com/{SUB_RFC176...t/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch http://ie.search.msn.com/{SUB_RFC176...t/srchcust.htm

--- Winsock Layered Service Provider list ---

Notice the absence of Winsock Layered Service Providers before reboot.

HijackThis:
Logfile of HijackThis v1.99.0
Scan saved at 11:25:04 AM, on 1/8/2005
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\WINDOWS\SYSTEM32\3cshtdwn.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\dlz\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/hardAdmin.htm
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe

Registrar Lite indicated the following:
Value name: AppInit_DLLs
No category or name listed
Type: REG_SZ
Type No.: 00000001
Size: 1

After Reboot:

Spybot S&D Resident Files:
1/8/2005 9:24:08 AM Allowed value "Tau Monitor" (new data: "C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe") added in System Startup global entry!
1/8/2005 9:47:47 AM Allowed value "FRISK FP-Scheduler" (new data: ""C:\Program Files\FSI\F-Prot\F-Sched.exe" STARTUP") added in System Startup global entry!
1/8/2005 9:47:49 AM Allowed value "F-StopW" (new data: "C:\Program Files\FSI\F-Prot\F-StopW.EXE") added in System Startup global entry!
1/8/2005 9:48:02 AM Allowed value "FRISK FP-Scheduler" (new data: "C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP") changed in System Startup global entry!
1/8/2005 9:48:03 AM Allowed value "InstallShieldSetup" (new data: "C:\PROGRA~1\INSTAL~1\{9FD12~1\setup.exe -rebootC:\PROGRA~1\INSTAL~1\{9FD12~1\reboot.ini -l0x9") added in System Startup global entry!
1/8/2005 10:34:56 AM Allowed value "3c1807pd" (new data: "C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd") added in System Startup global entry!
1/8/2005 11:28:30 AM Allowed value "First Home Page" (new data: "") deleted in Browser page!

Spybot S&D Startup Items:
--- Spybot - Search & Destroy version: 1.3 .1TX (build: 20040801) ---
2004-05-12 blindman.exe (1.0.0.0)
2004-08-30 SpybotSD.exe (1.3.0.12)
2004-05-12 TeaTimer.exe (1.3.0.12)
2004-06-15 unins000.exe (51.15.0.0)
2004-05-12 Update.exe (1.3.0.0)
2004-05-12 advcheck.dll (1.0.1.0)
2004-05-12 borlndmm.dll (7.0.4.453)
2004-05-12 delphimm.dll (7.0.4.453)
2004-05-12 SDHelper.dll (1.3.0.12)
2004-05-12 Tools.dll (2.0.0.0)
2004-05-12 UnzDll.dll (1.73.1.1)
2004-05-12 ZipDll.dll (1.73.2.0)
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi
Located: HK_LM:Run, 3c1807pd
  command: C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
  file: C:\WINDOWS\SYSTEM32\3cmlink.exe
  size: 73728
  MD5: 0d23fae502baadf1902bf9b237aa90de
Located: HK_LM:Run, FRISK FP-Scheduler
  command: C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
Located: HK_LM:Run, F-StopW
  command: C:\Program Files\FSI\F-Prot\F-StopW.EXE
  file: C:\Program Files\FSI\F-Prot\F-StopW.EXE
  size: 296400
  MD5: bed11a16910ef235b702342a5b8be6c9
Located: HK_LM:Run, Tau Monitor
  command: C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
  file: C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
  size: 125440
  MD5: e83755b46c1dd2e54c4dc0871c854cba
Located: HK_CU:Run, SpybotSD TeaTimer
  command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
  file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
  size: 1038336
  MD5: 58f7e6434d285f4c98ad3621e0bd8c8d
Located: WinLogon, crypt32chain
  command: crypt32.dll
Located: WinLogon, cryptnet
  command: cryptnet.dll
Located: WinLogon, cscdll
  command: cscdll.dll
Located: WinLogon, ScCertProp
  command: wlnotify.dll
Located: WinLogon, Schedule
  command: wlnotify.dll
Located: WinLogon, sclgntfy
  command: sclgntfy.dll
Located: WinLogon, SensLogn
  command: WlNotify.dll
Located: WinLogon, termsrv
  command: wlnotify.dll
Located: WinLogon, wlballoon
  command: wlnotify.dll

Spybot S&D Uninstall Info:
--- Spybot - Search & Destroy version: 1.3 .1TX (build: 20040801) ---
2004-05-12 blindman.exe (1.0.0.0)
2004-08-30 SpybotSD.exe (1.3.0.12)
2004-05-12 TeaTimer.exe (1.3.0.12)
2004-06-15 unins000.exe (51.15.0.0)
2004-05-12 Update.exe (1.3.0.0)
2004-05-12 advcheck.dll (1.0.1.0)
2004-05-12 borlndmm.dll (7.0.4.453)
2004-05-12 delphimm.dll (7.0.4.453)
2004-05-12 SDHelper.dll (1.3.0.12)
2004-05-12 Tools.dll (2.0.0.0)
2004-05-12 UnzDll.dll (1.73.1.1)
2004-05-12 ZipDll.dll (1.73.2.0)
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi
Ad-Aware SE Personal (Ad-Aware SE Personal) uninstall cmd: C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG publisher: Lavasoft help link: http://www.lavasoft.de
(AddressBook)
Agnitum Tauscan 1.7 1.70.1414 (Agnitum Tauscan 1.7) uninstall cmd: C:\PROGRA~1\Agnitum\TAUSCA~1.7\UNWISE.EXE C:\PROGRA~1\Agnitum\TAUSCA~1.7\INSTALL.LOG publisher: Agnitum Ltd. help link: http://www.agnitum.com/support/
(Branding)
CCleaner (remove only) (CCleaner) uninstall cmd: "C:\Program Files\CCleaner\uninst.exe"
(Connection Manager)
DiamondCS TDS-3 (DiamondCS TDS-3_is1) uninstall cmd: "C:\Program Files\TDS3\unins000.exe" help link: http://tds.diamondcs.com.au/
(DirectAnimation)
(DirectDrawEx)
(DXM_Runtime)
ewido security suite (ewidosecuritysuite) install location: C:\Program Files\ewido\security suite uninstall cmd: C:\Program Files\ewido\security suite\Uninstall.exe publisher: ewido networks help link: http://www.ewido.net
(Fontcore)
HijackThis 1.99.0 1.99.0 (HijackThis) uninstall cmd: C:\dlz\HijackThis.exe /uninstall publisher: Soeperman Enterprises Ltd.
hp deskjet 5600 series (hp deskjet 5600 series_Driver) uninstall cmd: rundll32 hpzcon08.dll,VendorJettison hp deskjet 5600 series
(ICW)
(IE40)
(IE4Data)
(IE5BAKEX)
(IEData)
(MobileOptionPack)
(MPlayer2)
(NetMeeting)
(OutlookExpress)
(PCHealth) uninstall cmd: rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Registrar Lite 2.00 (Registrar Lite 2.00) uninstall cmd: "C:\Program Files\Registrar Lite\unwise.exe" C:\PROGRA~1\REGIST~1\INSTALL.LOG publisher: Resplendence Software Projects Sp. help link: http://www.resplendence.com
(SchedulingAgent)
Spybot - Search & Destroy 1.3.1 TX 1.3.1 TX (Spybot - Search & Destroy_is1) install location: C:\Program Files\Spybot - Search & Destroy\ uninstall cmd: "C:\Program Files\Spybot - Search & Destroy\unins000.exe" publisher: Safer Networking Limited
SpywareBlaster v3.2 3.2.0 (SpywareBlaster_is1) uninstall cmd: "C:\Program Files\SpywareBlaster\unins000.exe" publisher: Javacool Software LLC
F-Prot for Windows ({9FD12630-1991-46F5-8479-92DE1EAE87DA}) uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FD12630-1991-46F5-8479-92DE1EAE87DA}\setup.exe" -l0x9
Aranea Spywizard 2.0 ({DF4A87B3-1650-43E8-885C-EA16A59542EB}) version: 33554432 version (major): 2 estimated size: 6017 install date: 20050108 install source: C:\Program Files\Common Files\Wise Installation Wizard\ uninstall cmd: MsiExec.exe /I{DF4A87B3-1650-43E8-885C-EA16A59542EB} publisher: Visualizer Image Group contact: Visualizer Image Group help link: http://www.freeimagebrowser.com/forum/

Spybot S&D LSPs. Note all of the new ones upon reinstall after suspected infection:
--- Spybot - Search & Destroy version: 1.3 .1TX (build: 20040801) ---
2004-05-12 blindman.exe (1.0.0.0)
2004-08-30 SpybotSD.exe (1.3.0.12)
2004-05-12 TeaTimer.exe (1.3.0.12)
2004-06-15 unins000.exe (51.15.0.0)
2004-05-12 Update.exe (1.3.0.0)
2004-05-12 advcheck.dll (1.0.1.0)
2004-05-12 borlndmm.dll (7.0.4.453)
2004-05-12 delphimm.dll (7.0.4.453)
2004-05-12 SDHelper.dll (1.3.0.12)
2004-05-12 Tools.dll (2.0.0.0)
2004-05-12 UnzDll.dll (1.73.1.1)
2004-05-12 ZipDll.dll (1.73.2.0)
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12
Includes\Tracks.uti 2004-05-12 Includes\Trojans.sbi Protocol 0: MSAFD Tcpip [TCP/IP] GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP IP protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD Tcpip[*] Protocol 1: MSAFD Tcpip [UDP/IP] GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP IP protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD Tcpip[*] Protocol 2: MSAFD Tcpip [RAW/IP] GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP IP protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD Tcpip[*] Protocol 3: RSVP UDP Service Provider GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP RVSP DB filename: %SystemRoot%\system32\rsvpsp.dll DB protocol: RSVP * Service Provider Protocol 4: RSVP TCP Service Provider GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP RVSP DB filename: %SystemRoot%\system32\rsvpsp.dll DB protocol: RSVP * Service Provider Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{91C9A2DD-AAC9-451A-BD67-B6ABEDD01FBB}] SEQPACKET 0 GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP NetBios protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{91C9A2DD-AAC9-451A-BD67-B6ABEDD01FBB}] DATAGRAM 0 GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP NetBios protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Protocol 7: MSAFD NetBIOS 
[\Device\NetBT_Tcpip_{87813BE7-C73C-4AE9-B473-44A7892DC9DB}] SEQPACKET 1 GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP NetBios protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{87813BE7-C73C-4AE9-B473-44A7892DC9DB}] DATAGRAM 1 GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP NetBios protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{857F712B-C770-42B5-AE68-159AA4680A34}] SEQPACKET 2 GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP NetBios protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{857F712B-C770-42B5-AE68-159AA4680A34}] DATAGRAM 2 GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP NetBios protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5063D4C1-2A7D-4B04-902D-AB58D10DC279}] SEQPACKET 3 GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP NetBios protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5063D4C1-2A7D-4B04-902D-AB58D10DC279}] DATAGRAM 3 GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP NetBios protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5D4CF9F0-B134-4866-BEB5-F40527162E35}] SEQPACKET 4 
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP NetBios protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5D4CF9F0-B134-4866-BEB5-F40527162E35}] DATAGRAM 4 GUID: {8D5F1830-C273-11CF-95C8-00805F48A192} Filename: %SystemRoot%\system32\mswsock.dll Description: Microsoft Windows NT/2k/XP NetBios protocol DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: MSAFD NetBIOS * Namespace Provider 0: Tcpip GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B} Filename: %SystemRoot%\System32\mswsock.dll Description: Microsoft Windows NT/2k/XP TCP/IP name space provider DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: TCP/IP Namespace Provider 1: NTDS GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC} Filename: %SystemRoot%\System32\winrnr.dll Description: Microsoft Windows NT/2k/XP name space provider DB filename: %SystemRoot%\system32\winrnr.dll DB protocol: NTDS Namespace Provider 2: Network Location Awareness (NLA) Namespace GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83} Filename: %SystemRoot%\System32\mswsock.dll Description: Microsoft Windows NT/2k/XP name space provider DB filename: %SystemRoot%\system32\mswsock.dll DB protocol: NLA-Namespace Registrar Lite seemed to be calm and serene through all of this (I've suspected that whatever this is has been co-opting some of my programs somehow), so I ran the uninstaller for it in order to reinstall and run it. Spybot S&D came up with this when I ran the uninstaller:Spybot - Sesarch & Destroy has encountered and terminated a process that is listed as part of a malicious software. ProcessID: 284 Filename: unwise.exe Found in: c:\Program Files\Registrar Lite\ Identified as: eZula HotText Registrar Lite: Came up with the same info as before. The "Export Data" Command gave me a blank document both times. 
Current Hijack this (after reboot upon suspected infection): Logfile of HijackThis v1.99.0 Scan saved at 12:33:21 PM, on 1/8/2005 Platform: Unknown Windows (WinNT 5.02.3790) MSIE: Internet Explorer v6.00 (6.00.3790.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\FSI\F-Prot\fpavupdm.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Dfssvc.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe C:\Program Files\FSI\F-Prot\F-Sched.exe C:\Program Files\FSI\F-Prot\F-StopW.EXE C:\WINDOWS\SYSTEM32\3cmlink.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\SYSTEM32\3cshtdwn.exe C:\WINDOWS\SYSTEM32\3cmlink.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Registrar Lite\rl.exe C:\Program Files\ewido\security suite\ewidoguard.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\dlz\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm O1 - Hosts: 64.91.255.87 www.dcsresearch.com O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP O4 - HKLM\..\Run: [F-StopW] C:\Program 
Files\FSI\F-Prot\F-StopW.EXE O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O17 - HKLM\System\CCS\Services\Tcpip\..\{5D4CF9F0-B134-4866-BEB5-F40527162E35}: NameServer = 209.244.0.3 209.244.0.4 O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe I've got 3 machines sitting around lobotomized by this (and my efforts to remove some of the rogue system files) and I would appreciate any help anybody could give me here. Thanks |
#7
The first post is from what machine now? Is that taken care of due to the reformat?
#8
The first machine that I posted two days ago wouldn't boot at all yesterday and I don't have access to it today. I've noticed a similar phenom on my PCs at home (after swapping some disks back and forth - of course) and so I started today's activity on a different box just to try to track it under more controlled circumstances. Today's postings are from a different machine - but I think it's all the same bug.
Thanks
#9
Another couple of things I've noticed on all of the machines involved (at least 4 at this point) are the introduction of the "Ctor.dll" into a lot of registry entries, and the creation of many, many "desktop.ini" files. This has been common across all machines.
#10
Click here and download findit.zip: http://www.spyware911.net/downloads/FindIt.zip
Unzip it and double-click on Find.bat to run it. It should run for a few seconds, then open the Output.txt file. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.