  #11  
Old 03-04-2005, 10:32 AM
Mobo Mobo is offline
Thinking outside the box
 
Join Date: Sep 2004
Location: Cape Breton
Posts: 4,587
Sorry for the late replies, my ISP email server was down all morning and still is.
  #12  
Old 03-04-2005, 12:49 PM
robinsonpr robinsonpr is offline
Junior Member
 
Join Date: Feb 2005
Posts: 25
Ok. I rebooted. I got task mgr up. I did "file/new task/explorer.exe". All that happened was that another explorer.exe appeared in the task list (the desktop did not appear). So I had 2 explorer.exe's running plus the mqsq132.exe.

So I rebooted again and tried something slightly different: I got up task manager and killed the existing explorer task. I then created a new one with "file/new task/explorer.exe". The desktop appeared. I then started hijack and got the list of DLLs for mqsq132.exe. It was the same as the list above.
  #13  
Old 03-04-2005, 03:02 PM
Mobo Mobo is offline
Click here: http://www.spyware911.net/downloads/FindIt.zip

Unzip it and double-click on Find.bat to run it. It should run for a few seconds, then open Output.txt file. Copy and paste the contents of output.txt here. Once that's done, close the text file and then press any key and the batch file will end.
  #14  
Old 03-05-2005, 04:24 AM
robinsonpr robinsonpr is offline
Here's the result. Sorry for the delay in replying by the way but this is the only computer I can use to connect to the internet and sometimes I just can't get onto the site.


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D4B8-F441

Directory of C:\WINDOWS\System32

02/03/2005 21:17 68,142 Mqsq132.exe
12/02/2005 12:07 <DIR> dllcache
11/02/2005 10:51 62,976 SSL32Dr.exe
06/08/2003 20:51 <DIR> Microsoft
05/04/2001 09:43 94,208 msstkprp.dll
3 File(s) 225,326 bytes
2 Dir(s) 14,053,502,976 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is D4B8-F441

Directory of C:\WINDOWS\System32

02/03/2005 21:17 68,142 Mqsq132.exe
12/02/2005 12:07 <DIR> dllcache
11/02/2005 10:51 62,976 SSL32Dr.exe
09/01/2004 01:10 <DIR> GroupPolicy
23/10/2001 15:27 488 WindowsLogon.manifest
23/10/2001 15:27 488 logonui.exe.manifest
23/10/2001 15:27 749 sapi.cpl.manifest
23/10/2001 15:27 749 nwc.cpl.manifest
23/10/2001 15:27 749 ncpa.cpl.manifest
23/10/2001 15:27 749 cdplayer.exe.manifest
23/10/2001 15:27 749 wuaucpl.cpl.manifest
9 File(s) 135,839 bytes
2 Dir(s) 14,053,494,784 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is D4B8-F441

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is D4B8-F441

Directory of C:\WINDOWS\System32

18/08/2001 03:00 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 14,053,494,784 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------


C:\WINDOWS\SYSTEM32\
mqsq132.exe Wed 2 Mar 2005 21:17:16 ..SHR 68,142 66.54 K
ssl32dr.exe Fri 11 Feb 2005 10:51:26 ..SHR 62,976 61.50 K

2 items found: 2 files, 0 directories.
Total of file sizes: 131,118 bytes 128.04 K

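
Added example (not part of the original posts, and not FindIt's own code): each subkey under Winlogon\Notify names a DLL that Winlogon loads, and several of the DllName values in the output above are hex(2) byte lists rather than readable strings. This Python sketch decodes a REGEDIT4 "Keys Under Notify" section and lists packages whose DLL is not in a baseline; the baseline set and the "examplepkg" entry are assumptions made for the example.

```python
import re

# DLL names that appear under Notify in the log posted above. Assumption: used only
# as a comparison baseline for this example, not as an authoritative allow-list.
BASELINE_DLLS = {'crypt32.dll', 'cryptnet.dll', 'cscdll.dll', 'wlnotify.dll', 'sclgntfy.dll'}

KEY_RE = re.compile(r'^\[.*\\Winlogon\\Notify\\([^\\\]]+)\]$', re.I)
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Constructed sample in the layout of the log above. The first two keys are copied
# from it; "examplepkg" and example.dll are invented for illustration.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\examplepkg]
"DllName"=hex(2):65,78,61,6d,70,6c,65,2e,64,6c,6c,00
"Logon"="ExampleLogon"
'''

def decode_value(raw):
    """Turn one REGEDIT4 value into a str or int."""
    raw = raw.strip()
    if raw.startswith('hex(2):'):
        # REGEDIT4 stores REG_EXPAND_SZ as single-byte text ending in NUL.
        # Pasted logs often gain stray spaces inside the byte list, so drop them.
        data = bytes(int(b, 16) for b in raw[7:].replace(' ', '').split(',') if b)
        return data.split(b'\x00', 1)[0].decode('latin-1')
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    return raw.strip('"').replace('\\\\', '\\')

def parse_notify(text):
    """Map each Notify subkey to its values; value names are lower-cased
    because the export mixes "DllName" and "DLLName"."""
    packages, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('['):
            m = KEY_RE.match(line)
            current = packages.setdefault(m.group(1), {}) if m else None
        elif current is not None:
            m = VAL_RE.match(line)
            if m:
                current[m.group(1).lower()] = decode_value(m.group(2))
    return packages

def unexpected_packages(text, baseline=BASELINE_DLLS):
    """Return (subkey, dll) pairs whose DLL file name is not in the baseline."""
    hits = []
    for name, values in parse_notify(text).items():
        dll = str(values.get('dllname', '')).lower()
        if dll.rsplit('\\', 1)[-1] not in baseline:
            hits.append((name, dll))
    return hits

if __name__ == '__main__':
    for name, dll in unexpected_packages(SAMPLE):
        print(f'{name}: {dll or "<no DllName>"}')
```
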
  #15  
Old 03-05-2005, 06:54 PM
Mobo Mobo is offline
Ok, I sought some advice from other members and here is what I have from Spydie:

QUOTE
> Maybe RootkitRevealer may help;
>
> http://www.sysinternals.com/ntw2k/fr...itreveal.shtml
>
> Have the user scan with it and save the logfile. See what it brings up.
>
> Also, I would simply try fixing the viral entries with Hijackthis in safe mode and rebooting back into 'normal' mode....it could work.

So please download RootkitRevealer from the above link and run it. Then, when it has completed its scan, click File and save the log, then paste it here.
  #16  
Old 03-06-2005, 09:51 AM
robinsonpr robinsonpr is offline
Here's the rootkit revealer results:

HKLM\SOFTWARE\Classes\webcal\URL Protocol 26/04/2004 19:30 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\uptime_time_utc 06/03/2005 12:34 8 bytes Data mismatch between Windows API and raw hive data.
C:\$AttrDef 11/06/2002 22:38 2.50 KB Hidden from Windows API.
C:\$BadClus 11/06/2002 22:38 0 bytes Hidden from Windows API.
C:\$BadClus:$Bad 11/06/2002 22:38 37.25 GB Hidden from Windows API.
C:\$Bitmap 11/06/2002 22:38 1.16 MB Hidden from Windows API.
C:\$Boot 11/06/2002 22:38 8.00 KB Hidden from Windows API.
C:\$Extend 11/06/2002 22:38 0 bytes Hidden from Windows API.
C:\$Extend\$ObjId 11/06/2002 22:38 0 bytes Hidden from Windows API.
C:\$Extend\$Quota 11/06/2002 22:38 0 bytes Hidden from Windows API.
C:\$Extend\$Reparse 11/06/2002 22:38 0 bytes Hidden from Windows API.
C:\$LogFile 11/06/2002 22:38 64.00 MB Hidden from Windows API.
C:\$MFT 11/06/2002 22:38 137.40 MB Hidden from Windows API.
C:\$MFTMirr 11/06/2002 22:38 4.00 KB Hidden from Windows API.
C:\$Secure 11/06/2002 22:38 0 bytes Hidden from Windows API.
C:\$UpCase 11/06/2002 22:38 128.00 KB Hidden from Windows API.
C:\$Volume 11/06/2002 22:38 0 bytes Hidden from Windows API.


I don't know if this will help but McAfee is now finding a FuRootkit in msdirectx.sys in my "documents and settings" folder every time I start up. It deletes it but it then comes back whenever I reboot.

Thanks for persisting with helping me out on this guys...
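
Added example (not part of the original posts, and not RootkitRevealer's own code): a Python triage of RootkitRevealer log lines in the format pasted above. It separates NTFS's own metadata files, which every NTFS volume reports as hidden from the Windows API, from "Data mismatch" entries (which can simply mean the value changed while the scan ran) and from anything else that is hidden. The two lines marked constructed are invented to show the cases the posted log does not contain.

```python
import re

# NTFS metadata files: they live at the volume root and the Windows API never lists them.
NTFS_METADATA = {'$attrdef', '$badclus', '$bitmap', '$boot', '$extend', '$logfile',
                 '$mft', '$mftmirr', '$secure', '$upcase', '$volume'}

# path, dd/mm/yyyy hh:mm, size with unit, description
LINE_RE = re.compile(
    r'^(?P<path>.+?)\s+(?P<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2})\s+'
    r'(?P<size>[\d.]+ (?:bytes|KB|MB|GB))\s+(?P<desc>.+)$')

# First four lines are copied from the log above; the last two are constructed.
SAMPLE = r'''HKLM\SOFTWARE\Classes\webcal\URL Protocol 26/04/2004 19:30 13 bytes Data mismatch between Windows API and raw hive data.
C:\$BadClus:$Bad 11/06/2002 22:38 37.25 GB Hidden from Windows API.
C:\$Extend\$ObjId 11/06/2002 22:38 0 bytes Hidden from Windows API.
C:\$MFT 11/06/2002 22:38 137.40 MB Hidden from Windows API.
C:\WINDOWS\system32\example_hidden.sys 01/01/2005 00:00 10.00 KB Hidden from Windows API.
C:\Temp\$MFT 01/01/2005 00:00 4.00 KB Hidden from Windows API.
'''

def classify(line):
    """Return (path, verdict) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, desc = m['path'], m['desc']
    verdict = 'investigate'
    if desc.startswith('Hidden from Windows API'):
        # Only a "$" name directly under the drive root counts as metadata;
        # a stream suffix (":$Bad") or a child path ("\$ObjId") is ignored.
        root = re.match(r'^[A-Za-z]:\\(\$[^\\:]+)', path)
        if root and root.group(1).lower() in NTFS_METADATA:
            verdict = 'expected-ntfs-metadata'
    elif desc.startswith('Data mismatch'):
        verdict = 'recheck-value'
    return path, verdict

def triage(text):
    """Group the paths of a pasted log by verdict, keeping log order."""
    buckets = {}
    for line in text.splitlines():
        result = classify(line)
        if result:
            path, verdict = result
            buckets.setdefault(verdict, []).append(path)
    return buckets

if __name__ == '__main__':
    for verdict, paths in triage(SAMPLE).items():
        print(verdict)
        for p in paths:
            print('   ', p)
```
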
  #17  
Old 03-06-2005, 10:27 AM
Mobo Mobo is offline
Copy this post into notepad.

Disconnect from the internet by physically disconnecting the cable.

Start in safe mode

Open regedit (Start/Run/regedit) and locate this reg key. Right-click and delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx

also look for any entries there dealing with SSL32Dr or Mqsq132 and delete those if present as well.

Check these regedit locations as well for those files and remove any if present:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices

HKEY_LOCAL_MACHINE>System>CurrentControlSet>Control>Lsa

HKEY_CURRENT_USER>Software>Microsoft>Ole

HKEY_LOCAL_MACHINE>System>CurrentControlSet>Enum>Root

HKEY_LOCAL_MACHINE>System>CurrentControlSet>Services

Close regedit

Disable system restore http://www.spyware911.net/forum/index.php?...e&pg=sysrestore

Rescan with hijack and if any of those processes are still present have it fix em

Then run mcAfee full scan


connect to the internet again

reboot normally now to see if the symptoms are still present

Then post a fresh hijack log here please
  #18  
Old 03-06-2005, 02:03 PM
robinsonpr robinsonpr is offline
Woohoo looks like we're getting somewhere! I followed your last set of instructions and deleted the registry entries (there were 10) and fixed the problem entries with hijack. A full scan with mcafee found nothing. A normal reboot started up OK and the mqsq132 process is no longer running!!!

My PC does seem to be running extremely slowly but that could be my imagination from my trojan induced paranoia!

How does my latest log look...

Logfile of HijackThis v1.99.0
Scan saved at 17:44:28, on 06/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\winvnc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Company\Quick Start Button\QSB.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Paul Robinson\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [QSB] C:\Program Files\Company\Quick Start Button\QSB.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/Tra...ransferCtrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service - Unknown - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: VNC Server - Olivetti & Oracle Research Lab - C:\WINDOWS\system32\winvnc.exe


Thanks!!!
Rob
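
Added example (not part of the original posts, and not HijackThis code): a Python check of a saved HijackThis log for the file names this thread has been chasing, covering both the "Running processes" list and the O-numbered entries. The BEFORE sample is constructed to show hits, including its hypothetical "[ExampleEntry]" Run value; the AFTER sample reuses lines from the log above.

```python
import re
from ntpath import basename  # Windows path rules on any platform

# File names called out earlier in this thread (FindIt output and the McAfee detection).
THREAD_NAMES = {'mqsq132.exe', 'ssl32dr.exe', 'msdirectx.sys'}

# A drive-letter or %variable% path ending in a binary extension, quoted or not.
PATH_RE = re.compile(r'((?:[A-Za-z]:|%\w+%)\\.*?\.(?:exe|dll|sys|ocx))(?![\w.])', re.I)

# Constructed "before" log: what a hit would look like.
BEFORE = r'''Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\Mqsq132.exe

O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [ExampleEntry] C:\WINDOWS\System32\SSL32Dr.exe
'''

# Lines copied from the log posted above.
AFTER = r'''Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O23 - Service: VNC Server - Olivetti & Oracle Research Lab - C:\WINDOWS\system32\winvnc.exe
'''

def scan(log, names=THREAD_NAMES):
    """Return (section, file name) for every listed path whose file name is in
    `names`. Section is 'process' or the HijackThis group code such as 'O4'."""
    findings, in_processes = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.lower().startswith('running processes'):
            in_processes = True
            continue
        entry = re.match(r'^(O\d+) - ', line)
        if entry:
            in_processes, section = False, entry.group(1)
        elif in_processes and line:
            section = 'process'
        else:
            continue
        for path in PATH_RE.findall(line):
            name = basename(path).lower()  # the logs mix Mqsq132.exe and mqsq132.exe
            if name in names:
                findings.append((section, name))
    return findings

if __name__ == '__main__':
    print('before:', scan(BEFORE))
    print('after: ', scan(AFTER))
```

An empty result only says the names are absent from what the log lists; a process that a rootkit hides from the Windows API would not appear under "Running processes" in the first place.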
  #19  
Old 03-06-2005, 04:22 PM
Mobo Mobo is offline
That's clean, Rob. Now I want you to install a firewall, because those trojans are known to open back door access to remote users, hence the instructions to disconnect from the net.

There are several free versions here which are more than adequate
http://www.spyware911.net/forum/index.php?showtopic=927
  #20  
Old 03-06-2005, 06:13 PM
robinsonpr robinsonpr is offline
Great! :clap:

I must have read your mind as I went out and got the McAfee firewall today and have already installed it.

One thing I have noticed since doing all this - none of my windows media audio files (WMA) play anymore. Windows Media player (version 10) says the files are corrupt, which I know not to be true as I was playing them fine a couple of weeks ago.

When I hover over the WMAs in explorer it just says "No info" rather than displaying the file type etc. And if I right-click on a WMA file and choose "Properties" it crashes the explorer!

Any ideas if this could be a side effect of the viruses? Thanks Mobo.