CWS variant is disabling DLLFIX second.bat!


15 replies to this topic

#1 celerityfm

celerityfm

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 21 May 2004 - 01:49 PM

After carefully examining this excellent FAQ and spybotting/adawaring/hijackthising to no end, I recently learned of Shadowwar's wonderful DLLFIX. Ran it and it identified some juicy DLLs to remove, so I go to OPTION 2 and specify the bad DLL, and all the while I've got Spybot watching the startup keys.

Spybot notifies me that DLLFIX is setting itself to run SECOND.BAT upon startup, and I allow that change-- and right afterwards I start seeing a slew of changes coming through trying to UNDO that change! Of course I deny them until DLLFIX restarts the computer but despite my repeated actions of "remember this action, DENY", it reboots and second.bat never gets to run, never cleaning the monster. I'm thinking that somewhere after spybot's monitoring program shuts down the changes are undone. For now I turn to the experts, what do you recommend?

Attached is a fresh HijackThis log. Let me know if you would like a look at the DLLFIX log, Startuplog or anything else relevant.

Much appreciation and thanks. HijackThis log follows:

Logfile of HijackThis v1.97.7
Scan saved at 1:29:58 PM, on 5/21/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Hotkeycontrol XP\hkcontrol.exe
C:\Program Files\NavNT\vptray.exe
M:\Program Files\NetZero\exec.exe
C:\WINDOWS\workaround.exe
C:\worldox\wdnt.exe
C:\worldox\wd96.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Progra~1\Trillian\trillian.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\Documents and Settings\jan\Desktop\HijackThis.exe
C:\Documents and Settings\jan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (3ab9b9a20d4d8b6a1632910ab6c56fd9, 102400 bytes)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe (0e6506a1105fdc63a8ecf487df1e5a6d, 75384 bytes)
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE (c316571e0fed37eafe093174523e65b2, 28672 bytes)
O4 - HKLM\..\Run: [Hotkeycontrol] C:\Program Files\Hotkeycontrol XP\hkcontrol.exe (c95a9ee9ee2aa5c64516b853baddf18a, 888832 bytes)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe (c74916c539884a4367e0652583966571, 73728 bytes)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [uoltray] M:\Program Files\NetZero\exec.exe regrun
O4 - Startup: Trillian.lnk = ? (file missing)
O8 - Extra context menu item: Add To &Directory - http://intranet/module2/rclick.asp (file missing)
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll (ac636cd4e8dce940abe59bdf9dbacdf8, 90112 bytes)
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Accelio Capture Form Control) - http://www.jud.state...ase/FormCtl.cab
O16 - DPF: {2D3502EE-9D6D-11D1-86CC-080009B6ACE6} (Accelio Capture Barcode Control) - http://www.jud.state...e/jfbarcode.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...38084.462025463

#2 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 21 May 2004 - 01:53 PM

It's ok. That can happen if there is Look2me on the computer, or a couple of others that clear the key I set. Just go into the folder and double-click the second.bat manually.
Please post the logs.txt when it opens.

Then I would recommend a good scan with an updated Ad-Aware.



#3 celerityfm

celerityfm

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 21 May 2004 - 02:00 PM

Shadowwar! Thank you for your reply and your EXCELLENT DLLFIX program! :) It's saved my butt a number of times but I haven't seen spyware try to disable second.bat before!

Ok here's what we got man: (running updated spybot now)

Contents of logs.txt:

CWSDLL Appinit Fix By Shadowwar
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Fri 05/21/2004
01:59 PM

Backing up Registry Hive

The operation completed successfully

Deleting Windows Key

The operation completed successfully

Restoring Registry Hive

The operation completed successfully

Deleting temp value

The operation completed successfully

Windows XP Detected
Running from C:\dllfix
Processing File Manually
C:\WINDOWS\system32\6CO4SVC.DLL
Md5 Check of C:\WINDOWS\system32\6CO4SVC.DLL

Md5 tested As
File was found but md5 didnt match
MD5 was:
Resetting file attributes
Processing ACL of: <\\?\C:\WINDOWS\system32\6CO4SVC.DLL>

SetACL finished successfully.
File was zipped for submission to Shadowwar
File is located at C:\dllfix\submit.zip
please Email a copy to spywaresubmit at aol.com
Please include a link to your post.
File is still in original location now unlocked.
It is now ok to proceed with Rest of Cleanup.


THANKS!!!

#4 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 21 May 2004 - 02:06 PM

Hmm, that file is not the usual about:blank type file DLLFIX targets.

Also, when did you download this? Seems the MD5 portion did not run.



#5 celerityfm

celerityfm

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 21 May 2004 - 02:16 PM

Oh no, sounds scary!

I got it from http://tools.zerosrealm.com/dllfix.exe

I'll try the one on http://downloads.sub....org/dllfix.exe and report back.

#6 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 21 May 2004 - 02:24 PM

They are both the same. I would need the original entries from HijackThis.
Need to know how long ago you downloaded. I updated about 15 hours ago to try to fix the MD5 problem.



#7 celerityfm

celerityfm

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 21 May 2004 - 02:30 PM

Ok sorry-- I should have answered your question as to when I downloaded it the FIRST time.

I downloaded it this morning at around 9:15AM eastern time from zerosrealm. Incidentally I just now redownloaded it from subratam.org and had the same results-- I took a screenshot of the command prompt in case that helps, here's the link:

http://s87350084.onl....us/results.png
(I took that shot right before the final "1 file(s) copied." showed up)

Hmmmmmmmm.

Again let me express my appreciation of your assistance! You rock!

Edited by celerityfm, 21 May 2004 - 02:31 PM.


#8 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 22 May 2004 - 08:27 AM

That file smells possibly of Look2me. Can you post a HijackThis log please? Also, can you check the properties of the file?



#9 celerityfm

celerityfm

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 22 May 2004 - 09:02 AM

Thanks for the reply!

Here's the properties of the file, fresh hijack this log to follow:

6cO4SVC.DLL Properties
Type of the file: Application Extension
Opens with: Unknown application

Location: C:\WINDOWS\SYSTEM32
Size: 309 KB (316,776 bytes)
Size on disk: 312 KB (319,488 bytes)

Created: Thursday, May 06, 2004, 9:10:32 AM
Modified: Thursday, May 06, 2004, 9:10:32 AM
Accessed: Today, May 22, 2004, 9:51:34 AM
Attributes: (checked) Read Only (checked) Hidden

Unfortunately there are no "Version" or "Summary" tabs on this file to speak of.. that's all I got :(

Here's the hijack this log:

Logfile of HijackThis v1.97.7
Scan saved at 9:58:38 AM, on 5/22/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Hotkeycontrol XP\hkcontrol.exe
C:\WINDOWS\workaround.exe
C:\Documents and Settings\jan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Hotkeycontrol] C:\Program Files\Hotkeycontrol XP\hkcontrol.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [uoltray] M:\Program Files\NetZero\exec.exe regrun
O4 - Startup: Trillian.lnk = ?
O4 - Global Startup: GroupWise Notify.lnk = C:\Novell\GroupWise\Notify.exe
O4 - Global Startup: workaround.lnk = C:\windows\workaround.exe
O8 - Extra context menu item: Add To &Directory - http://intranet/module2/rclick.asp
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Accelio Capture Form Control) - http://www.jud.state...ase/FormCtl.cab
O16 - DPF: {2D3502EE-9D6D-11D1-86CC-080009B6ACE6} (Accelio Capture Barcode Control) - http://www.jud.state...e/jfbarcode.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...38084.462025463

By the by, I get no errors using HijackThis when I scan, but if I turn on MD5 checksumming I get an error (around the time where it sees "O4 - HKCU\..\Run: [uoltray] M:\Program Files\NetZero\exec.exe regrun" and "O4 - Startup: Trillian.lnk = ?"). This could be benign but I wanted to share it anyway:

An unexpected error has occurred at procedure: modMain_CheckOther4Item()
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were doing when the error occurred
* How you can reproduce the error

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2600.0000
HijackThis version: 1.97.7

This message has been copied to your clipboard.

Again, I only get that error when I turn on MD5 checksumming.

THANKS!

#10 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 23 May 2004 - 08:59 AM

Download and run this:

http://www.downloads...g/VX2Finder.exe

See what it finds.



#11 celerityfm

celerityfm

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 24 May 2004 - 08:10 AM

Shadowwar- thanks for sticking with me so long and thanks for the reply!

I fired up the VX2 Finder and it found 3 files-- here's the log.

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\6cO4SVC.DLL
C:\WINDOWS\System32\AgLEDIT.DLL
C:\WINDOWS\System32\ayd.dll


Guardian Key--- is called: GuardianDMABG
Asynchronous 000
DllName C:\WINDOWS\system32\6cO4SVC.DLL
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {FB0CCC39-A557-4FA9-AE5E-8C2493E4CCB3}
IDex DS3

User Agent String---
{FB0CCC39-A557-4FA9-AE5E-8C2493E4CCB3}

I went ahead and tried to use the "delete these files, remove user agent, etc" options and it said it would remove some files on reboot-- rebooted and realized I should have waited to see what you had to say before doing anything, sorry.

Went ahead and reran the scan and it still detected 6cO4SVC.DLL but the other 2 files were gone ... is the 6cO4SVC.DLL file something we need to remove in recovery console mode?

Thanks and sorry for getting ahead :(
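
The "Guardian Key" in the VX2Finder log above is a Winlogon notification package: a subkey under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify whose DllName winlogon.exe loads at boot and whose Logon/Logoff exports it calls on those events. A DLL living inside winlogon.exe is locked for as long as Windows is up, which is why it survives a normal-session delete and why a package like this can put its own keys back. The script below is an added example, not code from the thread, from DLLFIX or from VX2Finder. It parses a .reg export of the two load points this thread touches (the AppInit_DLLs value that the DLLFIX logs.txt in post #3 works on, and the Winlogon\Notify subkeys) and flags packages outside an assumed clean-XP baseline or carrying values Winlogon itself never reads (the Version and ID values of the Guardian key). The sample export embedded in it is constructed to mirror the log above and is not the poster's real registry; the baseline list is an assumption to be checked against a known-clean machine of the same build, since third-party software (Symantec's NavLogon, for instance) legitimately adds Notify entries.

```python
"""Triage Winlogon\\Notify packages and AppInit_DLLs from a .reg export.

Added example (not from the thread, DLLFIX or VX2Finder). SAMPLE_REG is
constructed to mirror the VX2Finder log in the thread, not a real export.
"""
import re
from typing import Dict, List, Tuple

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Notify subkeys on a clean Windows XP SP1 install. ASSUMED baseline: verify
# against a known-clean machine of the same build before trusting it.
BASELINE_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Value names Winlogon itself reads from a Notify subkey. Anything else is
# private state kept by the package (e.g. the Guardian key's Version and ID).
KNOWN_NOTIFY_VALUES = {
    "asynchronous", "impersonate", "dllname", "enabled", "maxwait", "safemode",
    "logon", "logoff", "startup", "shutdown", "startscreensaver",
    "stopscreensaver", "lock", "unlock", "disconnect", "reconnect",
    "startshell", "postshell", "smartcardlogonnotify",
}

# Constructed sample export: one stock XP package plus the Guardian key
# exactly as VX2Finder listed it (Version 124 == dword:7c).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"
"Impersonate"=dword:00000000
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GuardianDMABG]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\6cO4SVC.DLL"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Version"=dword:0000007c
"ID"="{FB0CCC39-A557-4FA9-AE5E-8C2493E4CCB3}"
'''


def _unescape(s: str) -> str:
    """Undo the two escapes the REGEDIT5 text format uses in strings."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal REGEDIT5 parser: [key] headers, "name"="string" and
    "name"=dword:hex values. Other value types are kept as raw text."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, rhs = _unescape(m.group(1)), m.group(2)
        if rhs.startswith("dword:"):
            value: object = int(rhs[6:], 16)
        elif rhs.startswith('"') and rhs.endswith('"'):
            value = _unescape(rhs[1:-1])
        else:
            value = rhs  # hex(2):..., hex(7):... left unparsed
        keys[current][name] = value
    return keys


def triage(reg_text: str) -> List[Tuple[str, str]]:
    """Return (registry location, reason) findings for both load points."""
    keys = parse_reg(reg_text)
    findings: List[Tuple[str, str]] = []

    # AppInit_DLLs: any non-empty value is loaded into every process that
    # maps user32.dll, which is what the CWS "AppInit" variants abuse.
    appinit = keys.get(WINDOWS_KEY, {}).get("AppInit_DLLs", "")
    if isinstance(appinit, str) and appinit.strip():
        findings.append((WINDOWS_KEY + r"\AppInit_DLLs",
                         "AppInit_DLLs is set to %r" % appinit))

    prefix = NOTIFY_KEY.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        name = key[len(prefix):]
        lowered = {k.lower(): v for k, v in values.items()}
        if name.lower() not in BASELINE_NOTIFY:
            findings.append((key, "notification package %r is not in the XP baseline; DllName=%s"
                             % (name, lowered.get("dllname"))))
        extra = sorted(k for k in values if k.lower() not in KNOWN_NOTIFY_VALUES)
        if extra:
            findings.append((key, "non-standard values %s (package-private state)"
                             % ", ".join(extra)))
    return findings


if __name__ == "__main__":
    for where, why in triage(SAMPLE_REG):
        print(where)
        print("    " + why)
```

On a live XP box the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg` (and the same for the Windows key); the script only reads the text, it never writes the registry. Removing the DLL itself still has to happen outside the running Windows, as the rest of the thread shows, because winlogon.exe holds it open.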

#12 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 24 May 2004 - 09:59 AM

Yes, you can remove it in the Recovery Console. Welcome to the wonderful world of Look2me. VX2Finder should remove it though, although I haven't tested with it lately. But it's definitely the cause of the second.bat not running.
The file needs to go. Then re-run the cleanup with VX2Finder.



#13 celerityfm

celerityfm

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 25 May 2004 - 05:10 PM

Shadowwar, thanks again for the reply, I'm confident now we'll be able to finally lay this thing to rest!

Unfortunately when I log into the Recovery Console it won't take the administrator password, even when I reset it several times in XP Management.. gonna have to use the Windows 2000 Recovery Console backdoor I guess, OR install a parallel XP installation, OR throw the HD (FAT32 thank goodness) into another box and delete the file manually. Or KNOPPIX or.. the list goes on and on, right?

Hey I've got a Bart PE sitting right here, that'll do it! I'll report back later with the details, thanks very very much!

#14 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 26 May 2004 - 07:07 AM

Ok, please do. BartPE is very nice. Need to build me one, never got around to it. Keep me posted.



#15 celerityfm

celerityfm

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 26 May 2004 - 10:26 AM

Shadowwar! That was it! I booted up BartPE, killed that file, re-ran VX2Finder to clean up, and now both VX2Finder and your DLLFIX utility report nothing found! Spybot/Ad-Aware are clean and HijackThis looks sharp as well!

I've installed SpywareBlaster, SpywareGuard, ran the latest AutoPatcher XP and all the Windows updates, adjusted Internet Explorer security zones, set up Spybot's resident antispyware monitors and immunized fully. Firefox is loaded and I'm ready to be spyware free now and in the future :). Thanks again Shadowwar and to all the lurkers who checked in on this thread as well! Hope this thread helps others too.

Cheers

#16 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 26 May 2004 - 11:25 AM

Glad to help. You're very knowledgeable, so this was easy! :)





