I have exactly the same issue described here
http://forum.gladiator-antivirus.com/index...showtopic=21037
I ran the batch file prescribed and here are my results:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is D06A-49EE
Directory of C:\WINDOWS\System32
12/07/2004 05:42 PM 223,206 clgmgr32.dll
12/07/2004 12:00 AM 225,938 en44l1hq1.dll
12/06/2004 11:03 PM <DIR> dllcache
12/06/2004 11:02 PM 225,938 utlmon.dll
12/06/2004 11:02 PM 223,206 ktrul7991.dll
12/06/2004 10:03 PM 223,038 ugrfaxa.dll
12/06/2004 09:57 PM 224,883 cvwdm32.dll
12/06/2004 09:45 PM 223,038 mtrt.dll
10/13/2003 06:43 PM 32 {0BC7ED0A-8458-4DD0-9764-43D79009753B}.dat
10/13/2003 06:42 PM 32 {BE33F3DE-4E8A-46F5-844C-88C3C9D121AE}.dat
10/13/2003 06:41 PM 32 {9E29860D-E65B-49BE-9329-AD47E02F6069}.dat
10/13/2003 06:40 PM 32 {E74EE882-5631-486E-BDF2-B9F0E1947E09}.dat
10/13/2003 06:40 PM 32 {0143A5EC-4A7C-4300-AAED-7C41FE19551F}.dat
10/13/2003 06:40 PM 32 {9E41F10E-241B-4866-9764-F6E3F8E08CF3}.dat
10/13/2003 06:38 PM 32 {C58913E9-4077-4E07-85C4-8DC0B9D6E93B}.dat
07/14/2002 09:19 PM <DIR> Microsoft
03/21/2001 02:34 PM 244,232 Msflxgrd.ocx
15 File(s) 1,813,703 bytes
2 Dir(s) 7,545,405,440 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is D06A-49EE
Directory of C:\WINDOWS\System32
12/07/2004 05:43 PM 890 vsconfig.xml
12/06/2004 11:03 PM <DIR> dllcache
12/06/2004 09:43 PM 4,212 zllictbl.dat
10/13/2003 06:43 PM 32 {0BC7ED0A-8458-4DD0-9764-43D79009753B}.dat
10/13/2003 06:42 PM 32 {BE33F3DE-4E8A-46F5-844C-88C3C9D121AE}.dat
10/13/2003 06:41 PM 32 {9E29860D-E65B-49BE-9329-AD47E02F6069}.dat
10/13/2003 06:40 PM 32 {E74EE882-5631-486E-BDF2-B9F0E1947E09}.dat
10/13/2003 06:40 PM 32 {0143A5EC-4A7C-4300-AAED-7C41FE19551F}.dat
10/13/2003 06:40 PM 32 {9E41F10E-241B-4866-9764-F6E3F8E08CF3}.dat
10/13/2003 06:38 PM 32 {C58913E9-4077-4E07-85C4-8DC0B9D6E93B}.dat
07/05/2002 04:00 PM 488 logonui.exe.manifest
07/05/2002 04:00 PM 488 WindowsLogon.manifest
07/05/2002 04:00 PM 749 ncpa.cpl.manifest
07/05/2002 04:00 PM 749 nwc.cpl.manifest
07/05/2002 04:00 PM 749 wuaucpl.cpl.manifest
07/05/2002 04:00 PM 749 sapi.cpl.manifest
07/05/2002 04:00 PM 749 cdplayer.exe.manifest
16 File(s) 10,047 bytes
1 Dir(s) 7,545,397,248 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is D06A-49EE
Directory of C:\WINDOWS\System32
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is D06A-49EE
Directory of C:\WINDOWS\System32
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{146BE723-D2CD-463A-AADB-593D692B98F7}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ktrul7991.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
---------------- Xfind Results -----------------
C:\WINDOWS\System32\CLGMGR32.DLL +++ File read error
-------------- Locate.com Results ---------------
C:\WINDOWS\SYSTEM32\
clgmgr32.dll Tue Dec 7 2004 5:42:52p ..S.R 223,206 217.97 K
cvwdm32.dll Mon Dec 6 2004 9:57:32p ..S.R 224,883 219.61 K
en44l1~1.dll Tue Dec 7 2004 12:00:20a ..S.R 225,938 220.64 K
ktrul7~1.dll Mon Dec 6 2004 11:02:20p ..S.R 223,206 217.97 K
mtrt.dll Mon Dec 6 2004 9:45:34p ..S.R 223,038 217.81 K
ugrfaxa.dll Mon Dec 6 2004 10:03:14p ..S.R 223,038 217.81 K
utlmon.dll Mon Dec 6 2004 11:02:20p ..S.. 225,938 220.64 K
vsconfig.xml Tue Dec 7 2004 5:43:38p A..H. 890 0.87 K
zllictbl.dat Mon Dec 6 2004 9:43:34p ...H. 4,212 4.11 K
9 items found: 9 files, 0 directories.
Total of file sizes: 1,574,349 bytes 1.50 M
I have isolated the problem by locking an empty "hosts" file and tightening the settings in Spybot and ZoneAlarm. However, rundll32.exe still creates the guard.tmp file in the System32 folder. How can I rid myself of this sucker?
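As an added example (not part of the original post or of the batch file's output), here is a Python script that parses a REGEDIT4 export like the "Keys Under Notify" section above and flags Winlogon notification packages whose DllName is a full path, or whose DLL is not in a small baseline of DLLs that register Notify packages on a stock Windows XP install. The baseline set, the helper names and the trimmed sample export embedded below are assumptions constructed for this example; on a real machine compare the export against a known-clean install of the same service pack.

```python
"""Flag suspicious Winlogon\\Notify packages in a REGEDIT4 export.

Added example, not code from the original post. Stock Windows entries give a
bare DLL name (crypt32.dll, cscdll.dll, wlnotify.dll, ...) that winlogon loads
from System32; an entry that spells out a full path to a randomly named DLL
is worth a look. REGEDIT4 writes REG_EXPAND_SZ values as hex(2):..., so the
parser decodes those as well as quoted strings and dword values.
"""
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# DLLs that register Notify packages on a stock Windows XP box. This set is an
# assumption for the example; verify it against a clean install before relying on it.
KNOWN_GOOD_DLLS = {"crypt32.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")


def decode_reg_value(raw):
    """Decode a REGEDIT4 value body: "string", dword:hex, or hex(n):aa,bb,..."""
    if raw.startswith('"') and raw.endswith('"'):
        # REGEDIT4 escapes backslashes in REG_SZ values as \\
        return raw[1:-1].replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = HEX_RE.match(raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) == "2":
            # hex(2) is REG_EXPAND_SZ; REGEDIT4 exports it as ANSI text with a NUL terminator
            return data.decode("latin-1").rstrip("\x00")
        return data
    return raw


def parse_regedit4(text):
    """Return {key_path: {value_name: decoded_value}} for a REGEDIT4 export."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group(1)] = decode_reg_value(vm.group(2))
    return keys


def suspicious_notify_entries(text):
    """Return [(subkey, dllname, reason)] for Notify packages that warrant a look."""
    findings = []
    for key, values in parse_regedit4(text).items():
        if not key.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            continue
        # The value is spelled both "DllName" and "DLLName" in real exports
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        if dll is None:
            continue
        subkey = key.rsplit("\\", 1)[1]
        basename = dll.rsplit("\\", 1)[-1].lower()
        if "\\" in dll:
            findings.append((subkey, dll, "full path instead of a bare System32 DLL name"))
        elif basename not in KNOWN_GOOD_DLLS:
            findings.append((subkey, dll, "DLL not in the Windows XP baseline"))
    return findings


# Trimmed copy of the "Keys Under Notify" export from the post, embedded as
# constructed sample input so the example runs offline.
SAMPLE_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SharedDLLs]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\ktrul7991.dll"
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
"""

if __name__ == "__main__":
    for subkey, dll, reason in suspicious_notify_entries(SAMPLE_EXPORT):
        print(f"{subkey}: {dll} ({reason})")
```

Run against the sample, the only hit is the SharedDLLs package pointing at C:\WINDOWS\system32\ktrul7991.dll, which is also the DLL that the directory listing shows with system and read-only attributes and the same byte size as clgmgr32.dll. Because winlogon loads Notify packages at logon before the shell starts, the registry value has to be removed (and the DLL renamed or deleted from a boot environment where it is not loaded) before the files stop being recreated; deleting the DLL alone while the key still points at it just leaves winlogon a dangling reference.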