#1

New Member
Join Date: Jul 2005
Posts: 11
Spybot reports BookedSpace (7 instances) and Pacimedia. After restart, they are back.

Ad-Aware found a lot of Vx2 and ImlServer IEPlugins. VX2Finder no longer finds any Vx2. There is an entry in the log (20 ... sbmsg.dll) that comes back instantly. I currently have only a desktop picture -- no Start Menu; no icons. Task Manager will open and I can run some programs that way (iexplore, etc.), but explorer.exe won't run. It says it cannot find it. It says that even if I browse for it and locate it myself. File size and date are identical to other computers, so ... Anyway, log follows:

```text
Logfile of HijackThis v1.99.1
Scan saved at 9:05:19 PM, on 7/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\ScsiAccess.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: URL - C:\WINNT\system32\sbmsg.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
```

Is there any hope? Thanks for your help.

James
#2

Malware Destroyer
Join Date: Apr 2005
Location: Hurricane Heaven... still
Posts: 1,093
Looks like this is your bad boy:

```text
O20 - Winlogon Notify: URL - C:\WINNT\system32\sbmsg.dll
```

Make sure your machine is set to view all folders/files... (see step 2 in sticky)

Download the VX2 plugin for Ad-AwareSE and install it.

Have HJT remove the O20 entry mentioned above, then click the "Misc Tool section" button and then the "Delete File on Reboot" button. Browse to the file C:\WINNT\system32\sbmsg.dll

Then reboot to Safe Mode (pressing the F8 key repeatedly when first booting up), navigate to the file and verify it's gone (if still there, then shift+delete it).

Then run a full system scan (not the smartscan) with Ad-AwareSE again, and post back & let us know your status.

__________________
Don't byte off more than you can chew...

Last edited by Byteman; 07-17-2005 at 07:45 AM.
#3

New Member
Join Date: Jul 2005
Posts: 11
Byteman,

Thanks for the help. First, I don't know how to change my view to view all files/folders because I cannot open explorer.exe. I have no desktop icons or Start Menu; just a picture on the desktop.

From the Task Manager Run option, I can see that the file is still there. From a Command Prompt, I can see that it is a System File and Read-Only. I can remove the attributes, but cannot delete the file because the Process is running and Killbox cannot stop it. Even in Safe Mode, the Process is running. Also, I have no desktop icons or Start Menu in Safe Mode either, regardless of whether I log on as myself or as Administrator.

The VX2 plugin reports "System Clean", but the Ad-Aware scan reports 30 VX2 objects.

I did manage to get Roxio to run so that I now have a backup disk of the data, so I'm in much less of a panic than I was yesterday.

Any other ideas? Thanks again.

James
#4

Digaredd
Join Date: May 2005
Location: Melbourne AU
Posts: 6,345
Hi James.

Byteman asked me to take a look at your log. I think you may have a new variant of this infection.

Download L2Mfix and install it. Open the program and double-click "l2mfix.bat". Select option 1; this will scan the computer and make a logfile. Post the bottom part of the log (it should be a list of files) in your next reply. Save the log, we might need it later.

Last edited by Buzz1927; 07-18-2005 at 11:49 AM.
#5

New Member
Join Date: Jul 2005
Posts: 11
Thanks Buzz,

Here is the information from l2mfix.

```text
**********************************************************************************
Files Found are not all bad files:

Locate .tmp files:

Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 5452-387C

 Directory of C:\WINNT\System32

07/18/2005  07:15 AM           417,792 crosys.dll
07/17/2005  07:41 AM           417,792 wtploc.dll
07/17/2005  07:24 AM           417,792 kudic.dll
07/16/2005  06:51 PM           417,792 mrxml2r.dll
07/16/2005  06:44 PM           417,792 mir2c.dll
07/16/2005  06:29 PM            82,432 dees.exe
07/16/2005  06:29 PM           417,792 GXCollection.dll
07/16/2005  06:24 PM           417,792 mkcndmgr.dll
07/16/2005  06:19 PM           417,792 nbmarta.dll
07/16/2005  05:30 PM    <DIR>          dllcache
07/16/2005  01:43 PM           417,792 iaq.dll
07/16/2005  11:53 AM           417,792 mfl_mtf.dll
07/16/2005  11:05 AM           417,792 sbmsg.dll
07/16/2005  09:09 AM           417,792 smcpack.dll
07/16/2005  09:07 AM           417,792 IO41_QC.dll
06/26/2005  03:06 PM           417,792 ibitpki.dll
06/23/2005  11:09 AM           417,792 guard.tmp
06/21/2005  08:49 PM           417,792 kadhu.dll
09/04/2002  11:30 AM    <DIR>          Microsoft
              17 File(s)      6,767,104 bytes
               2 Dir(s)  20,066,299,904 bytes free
```

While this was scanning, I received the following message twice: "C:\WINNT\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application." Options were Close and Ignore. After "Ignore" twice, it completed.

Later.

James
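The two logs in this thread carry the same tell from different angles: the HijackThis log (post #1) shows a Winlogon Notify DLL, and the l2mfix directory listing above shows that DLL sitting among a run of randomly named files that all have exactly the same size. The triage script below is an added example written for this thread, not part of HijackThis or L2Mfix; the log excerpts inside it are constructed from the two posts and shortened.

```python
"""Triage helpers constructed for this thread; not part of HijackThis or L2Mfix.
1. Pull the O20 (Winlogon Notify) entries out of a HijackThis log: a notify DLL
   is loaded by winlogon.exe, which is why an ordinary delete does not stick.
2. Group a `dir` listing of system32 by exact byte size: many randomly named
   DLLs sharing one size is how this family stands out in the listing above."""
import re
from collections import defaultdict

# Constructed, shortened excerpts of the two logs posted in this thread.
HJT_LOG = r"""O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O20 - Winlogon Notify: URL - C:\WINNT\system32\sbmsg.dll
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
"""
DIR_LISTING = """07/18/2005  07:15 AM           417,792 crosys.dll
07/17/2005  07:41 AM           417,792 wtploc.dll
07/16/2005  06:29 PM            82,432 dees.exe
07/16/2005  05:30 PM    <DIR>          dllcache
07/16/2005  11:05 AM           417,792 sbmsg.dll
06/23/2005  11:09 AM           417,792 guard.tmp
09/04/2002  11:30 AM    <DIR>          Microsoft
"""

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
# Date, time, comma-grouped size, name. <DIR> rows have no size and do not match.
DIR_RE = re.compile(r"^(\S+)\s+(\S+ [AP]M)\s+(?P<size>[\d,]+)\s+(?P<name>.+)$")

def winlogon_notify_dlls(hjt_log):
    """Map each O20 subkey name to the DLL path HijackThis reported for it."""
    found = {}
    for line in hjt_log.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            found[m.group("name").strip()] = m.group("path").strip()
    return found

def same_size_clusters(dir_listing, min_members=3):
    """Return {size_in_bytes: [file names]} for sizes shared by >= min_members files."""
    by_size = defaultdict(list)
    for line in dir_listing.splitlines():
        m = DIR_RE.match(line.strip())
        if m:
            by_size[int(m.group("size").replace(",", ""))].append(m.group("name"))
    return {size: names for size, names in by_size.items() if len(names) >= min_members}

def suspicious_notify_dlls(hjt_log, dir_listing):
    """O20 DLLs whose file name also sits in a same-size cluster. In this thread
    that is sbmsg.dll: the notify DLL and one of the 417,792-byte files."""
    clustered = {n.lower() for names in same_size_clusters(dir_listing).values() for n in names}
    return {key: path for key, path in winlogon_notify_dlls(hjt_log).items()
            if path.rsplit("\\", 1)[-1].lower() in clustered}

if __name__ == "__main__":
    for key, path in suspicious_notify_dlls(HJT_LOG, DIR_LISTING).items():
        print(f"Winlogon Notify\\{key} -> {path}  (size-cluster match)")
```

Against the full listing in the post, every 417,792-byte file lands in one cluster and dees.exe stands alone, which is exactly the split L2Mfix later acts on.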
#7

New Member
Join Date: Jul 2005
Posts: 11
OK. Ran l2mfix.bat Option 2 and rebooted.

No notepad appeared, as nothing appears on the desktop. I believe the following may be the log you are looking for:

```text
L2Mfix 1.03a

Running From:
C:\l2mfix\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"
 - adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!
```

Thanks. Later.

James
#9

New Member
Join Date: Jul 2005
Posts: 11
OK. Here is the resulting log file.

```text
Running From:
C:\l2mfix\l2mfix

killing explorer and rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of explorer.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Backing Up: C:\WINNT\system32\crosys.dll
        1 file(s) copied.

... [Part of log removed due to space limits] ...

deleting: C:\WINNT\system32\guard.tmp
Successfully Deleted: C:\WINNT\system32\guard.tmp

Zipping up files for submission:
  adding: crosys.dll (188 bytes security) (deflated 48%)
  adding: GXCollection.dll (188 bytes security) (deflated 48%)
  adding: iaq.dll (188 bytes security) (deflated 48%)
  adding: ibitpki.dll (188 bytes security) (deflated 48%)
  adding: IO41_QC.dll (188 bytes security) (deflated 48%)
  adding: kadhu.dll (188 bytes security) (deflated 48%)
  adding: kudic.dll (188 bytes security) (deflated 48%)
  adding: mfl_mtf.dll (188 bytes security) (deflated 48%)
  adding: mir2c.dll (188 bytes security) (deflated 48%)
  adding: mkcndmgr.dll (188 bytes security) (deflated 48%)
  adding: mrxml2r.dll (188 bytes security) (deflated 48%)
  adding: nbmarta.dll (188 bytes security) (deflated 48%)
  adding: sbmsg.dll (188 bytes security) (deflated 48%)
  adding: smcpack.dll (188 bytes security) (deflated 48%)
  adding: wtploc.dll (188 bytes security) (deflated 48%)
  adding: guard.tmp (188 bytes security) (deflated 48%)
  adding: clear.reg (188 bytes security) (deflated 37%)
  adding: echo.reg (188 bytes security) (deflated 12%)
  adding: direct.txt (188 bytes security) (deflated 22%)
  adding: lo2.txt (188 bytes security) (deflated 87%)
  adding: readme.txt (188 bytes security) (deflated 49%)
  adding: report.txt (188 bytes security) (deflated 61%)
  adding: test.txt (188 bytes security) (deflated 88%)
  adding: test2.txt (188 bytes security) (deflated 17%)
  adding: test3.txt (188 bytes security) (deflated 17%)
  adding: test5.txt (188 bytes security) (deflated 17%)
  adding: xfind.txt (188 bytes security) (deflated 84%)
  adding: backregs/46C71DDC-8117-4D25-BD30-A2DB126E6569.reg (188 bytes security) (deflated 70%)
  adding: backregs/7ED75993-9504-4EB8-8571-897750CA5AAB.reg (188 bytes security) (deflated 70%)
  adding: backregs/shell.reg (188 bytes security) (deflated 73%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: crosys.dll
deleting local copy: crosys.dll
deleting local copy: GXCollection.dll
deleting local copy: GXCollection.dll
deleting local copy: iaq.dll
deleting local copy: iaq.dll
deleting local copy: ibitpki.dll
deleting local copy: ibitpki.dll
deleting local copy: IO41_QC.dll
deleting local copy: IO41_QC.dll
deleting local copy: kadhu.dll
deleting local copy: kadhu.dll
deleting local copy: kudic.dll
deleting local copy: kudic.dll
deleting local copy: mfl_mtf.dll
deleting local copy: mfl_mtf.dll
deleting local copy: mir2c.dll
deleting local copy: mir2c.dll
deleting local copy: mkcndmgr.dll
deleting local copy: mkcndmgr.dll
deleting local copy: mrxml2r.dll
deleting local copy: mrxml2r.dll
deleting local copy: nbmarta.dll
deleting local copy: nbmarta.dll
deleting local copy: sbmsg.dll
deleting local copy: sbmsg.dll
deleting local copy: smcpack.dll
deleting local copy: smcpack.dll
deleting local copy: wtploc.dll
deleting local copy: wtploc.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

The following are the files found:
****************************************************************************
C:\WINNT\system32\crosys.dll
C:\WINNT\system32\crosys.dll
C:\WINNT\system32\GXCollection.dll
C:\WINNT\system32\GXCollection.dll
C:\WINNT\system32\iaq.dll
C:\WINNT\system32\iaq.dll
C:\WINNT\system32\ibitpki.dll
C:\WINNT\system32\ibitpki.dll
C:\WINNT\system32\IO41_QC.dll
C:\WINNT\system32\IO41_QC.dll
C:\WINNT\system32\kadhu.dll
C:\WINNT\system32\kadhu.dll
C:\WINNT\system32\kudic.dll
C:\WINNT\system32\kudic.dll
C:\WINNT\system32\mfl_mtf.dll
C:\WINNT\system32\mfl_mtf.dll
C:\WINNT\system32\mir2c.dll
C:\WINNT\system32\mir2c.dll
C:\WINNT\system32\mkcndmgr.dll
C:\WINNT\system32\mkcndmgr.dll
C:\WINNT\system32\mrxml2r.dll
C:\WINNT\system32\mrxml2r.dll
C:\WINNT\system32\nbmarta.dll
C:\WINNT\system32\nbmarta.dll
C:\WINNT\system32\sbmsg.dll
C:\WINNT\system32\sbmsg.dll
C:\WINNT\system32\smcpack.dll
C:\WINNT\system32\smcpack.dll
C:\WINNT\system32\wtploc.dll
C:\WINNT\system32\wtploc.dll
C:\WINNT\system32\guard.tmp
C:\WINNT\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{46C71DDC-8117-4D25-BD30-A2DB126E6569}"=-
"{7ED75993-9504-4EB8-8571-897750CA5AAB}"=-

[-HKEY_CLASSES_ROOT\CLSID\{46C71DDC-8117-4D25-BD30-A2DB126E6569}]

[-HKEY_CLASSES_ROOT\CLSID\{7ED75993-9504-4EB8-8571-897750CA5AAB}]

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************
```

I have not rebooted yet because I wanted to make sure there wasn't something else you wanted me to do first.

Thanks.

James