please help!!

Discussion in 'malware problems & news' started by dannysadler, Dec 14, 2005.

Thread Status:
Not open for further replies.
  1. dannysadler

    dannysadler Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    1
    i have this problem getting rid of a coolwebsearch variant. i have tried everything i can find including hijackthis and the coolwebsearch cleaner. it just keeps adding the registry values back. here is a log from findit.

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    Find.bat is running from: C:\Documents and Settings\dann\Favorites\My Documents\Find It NT-2K-XP\Find It NT-2K-XP

    ------- System Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is 90C2-2E93

    Directory of C:\WINDOWS\System32

    06/10/2005 06:27 PM <DIR> dllcache
    01/18/2005 12:29 PM <DIR> Microsoft
    08/04/2004 01:56 AM 11,776 regsvr32.exe
    08/04/2004 01:56 AM 83,456 olepro32.dll
    08/04/2004 01:56 AM 343,040 msvcrt.dll
    08/04/2004 01:56 AM 413,696 msvcp60.dll
    08/04/2004 01:56 AM 54,784 msvcirt.dll
    08/04/2004 01:56 AM 1,028,096 mfc42.dll
    6 File(s) 1,934,848 bytes
    2 Dir(s) 70,532,665,344 bytes free

    ------- Hidden Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is 90C2-2E93

    Directory of C:\WINDOWS\System32

    12/14/2005 08:15 AM 31,768 vsconfig.xml
    09/28/2005 06:47 AM 4,212 zllictbl.dat
    06/10/2005 06:27 PM <DIR> dllcache
    01/18/2005 12:02 PM 488 WindowsLogon.manifest
    01/18/2005 12:02 PM 488 logonui.exe.manifest
    01/18/2005 12:02 PM 749 wuaucpl.cpl.manifest
    01/18/2005 12:02 PM 749 sapi.cpl.manifest
    01/18/2005 12:02 PM 749 nwc.cpl.manifest
    01/18/2005 12:02 PM 749 cdplayer.exe.manifest
    01/18/2005 12:02 PM 749 ncpa.cpl.manifest
    08/04/2004 01:56 AM 11,776 regsvr32.exe
    08/04/2004 01:56 AM 83,456 olepro32.dll
    08/04/2004 01:56 AM 54,784 msvcirt.dll
    08/04/2004 01:56 AM 413,696 msvcp60.dll
    08/04/2004 01:56 AM 343,040 msvcrt.dll
    08/04/2004 01:56 AM 1,028,096 mfc42.dll
    15 File(s) 1,975,549 bytes
    1 Dir(s) 70,532,661,248 bytes free

    ------------ Files Named "Guard" ---------------

    Volume in drive C has no label.
    Volume Serial Number is 90C2-2E93

    Directory of C:\WINDOWS\System32


    ------ Temp Files in System32 Directory ------

    Volume in drive C has no label.
    Volume Serial Number is 90C2-2E93

    Directory of C:\WINDOWS\System32

    12/13/2005 08:38 PM 39,936 abjncaaa.tmp
    08/23/2001 06:00 AM 2,577 CONFIG.TMP
    2 File(s) 42,513 bytes
    0 Dir(s) 70,532,661,248 bytes free

    ------------------ User Agent ----------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "SV1"=""


    ------------- Keys Under Notify -------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    ------------- Locate.com Results -------------

    C:\WINDOWS\SYSTEM32\
    vsconfig.xml Wed Dec 14 2005 8:15:32a A..H. 31,768 31.02 K
    zllictbl.dat Wed Sep 28 2005 6:47:48a ...H. 4,212 4.11 K

    2 items found: 2 files, 0 directories.
    Total of file sizes: 35,980 bytes 35.14 K

    -------- Strings.exe Qoologic Results --------


    --------- Strings.exe Aspack Results ---------

    C:\WINDOWS\system32\ntdll.dll: .aspack

    -------------- HKLM Run Key ----------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE"
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "nwiz"="nwiz.exe /install"
    "Lexmark 4200 Series"="\"C:\\Program Files\\Lexmark 4200 Series\\lxbmbmgr.exe\""
    "FaxCenterServer4_in_1"="\"C:\\Program Files\\Lexmark 4200 Series\\Fax\\fm3032.exe\" /s"
    @=""
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_01\\bin\\jusched.exe"
    "PopUpInspector.exe"="\"C:\\Program Files\\GIANT Company Software inc\\PopUp Inspector\\PopUpInspector.exe\""
    "KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
    65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"


    please help!!!!
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    What program is reporting a CoolWebSearch variant and what registry values are you speaking of :doubt:

    Concerning hijackthis....did you analyze the log or did someone else on another Forum ?
     
  3. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
Loading...
Thread Status:
Not open for further replies.